April 26, 2021

Questions about the Solarwinds breach

These questions may be geared to SOC teams or cybersecurity analysts in general. I’m only a networking guy who has some cybersecurity questions.

From what I’ve read, the SolarWinds breach was able to steal so much information without being noticed with the **".avsvmcloud[.]com"** DNS name (Microsoft owns the domain now). I have a few questions, some of which might not be answerable.

1. Why did DLP policies not pick up on this attack?
   1. Was the bandwidth too low?
   2. Was it encrypted so that inspection wouldn’t see it?
   3. Was the data sent out a little at a time so it wouldn’t be noticed?
2. Did normal people push this aside because they thought it was just normal SolarWinds traffic?
3. **Now for the big question: how are modern security teams going to protect against another supply chain threat like this happening again? Assuming supply chain attacks are only going to increase because of the amount of information that could be captured.**

Less important questions:

1. Why wasn’t this domain checked to verify it was owned by SolarWinds or another software vendor on the servers? Or was it?
2. Why don’t server admins email SolarWinds directly to ask if this domain is used by the Orion platform?
3. Would SolarWinds support even know that the domain was being used maliciously when asked?
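
Added example, not part of the original post and not code from SolarWinds or Microsoft: a small Python script that runs the kind of DNS-log checks the questions above point at. It flags any query for avsvmcloud[.]com or a subdomain of it, flags servers that resolve a domain outside a per-host allowlist (the "was this domain checked" question), and flags long, high-entropy leftmost labels of the sort a beacon that leaks a little data per query would produce. The log format, the hostnames, the allowlist and the sample log lines are all constructed for this example; the entropy thresholds are an assumed heuristic to be tuned per environment.

```python
"""Detection checks over DNS query logs (added example; inputs are constructed)."""
import math
import re
from collections import Counter

# Domain named in the post. Queries were made to subdomains of it (public reporting).
C2_DOMAIN = "avsvmcloud.com"

# Assumed per-host allowlist: registered domains each server is expected to resolve.
# Hostnames and domains here are hypothetical, for illustration only.
EXPECTED_DOMAINS = {
    "orion-srv01": {"solarwinds.com", "microsoft.com", "windowsupdate.com"},
}

# Constructed sample log in an assumed "<timestamp> <client> <qname>" format.
SAMPLE_LOG = """\
2020-06-10T03:12:44Z orion-srv01 api.solarwinds.com
2020-06-10T03:14:01Z orion-srv01 h3b6u2pxq9r0vkd1m7tw.avsvmcloud.com
2020-06-10T03:15:09Z orion-srv01 download.windowsupdate.com
2020-06-10T03:17:30Z orion-srv01 k9d2s7vpe4n1xbq0tz6y.avsvmcloud.com
2020-06-10T03:19:12Z webproxy01 cdn.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse lines into (timestamp, client, qname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), m.group(3).lower().rstrip(".")))
    return records


def registered_domain(qname):
    """Naive registered-domain extraction (last two labels); no public-suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_c2_queries(records, c2_domain=C2_DOMAIN):
    """Records whose query name is the C2 domain itself or any subdomain of it.

    The dot-prefixed suffix check avoids matching look-alikes such as
    'evil-avsvmcloud.com'."""
    return [r for r in records
            if r[2] == c2_domain or r[2].endswith("." + c2_domain)]


def find_unexpected_queries(records, expected=EXPECTED_DOMAINS):
    """Records from allowlisted hosts whose registered domain is not on their list.

    Hosts with no allowlist entry are not judged (no baseline to compare against)."""
    out = []
    for ts, client, qname in records:
        allowed = expected.get(client)
        if allowed is not None and registered_domain(qname) not in allowed:
            out.append((ts, client, qname))
    return out


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def find_suspicious_labels(records, min_len=16, min_entropy=3.5):
    """Records whose leftmost label is long and high-entropy (assumed heuristic).

    Encoding data into subdomain labels leaves exactly this fingerprint, regardless
    of how little data each individual query carries."""
    out = []
    for ts, client, qname in records:
        first = qname.split(".")[0]
        if len(first) >= min_len and label_entropy(first) >= min_entropy:
            out.append((ts, client, qname))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, hits in (("C2 domain", find_c2_queries(recs)),
                       ("off-allowlist", find_unexpected_queries(recs)),
                       ("high-entropy label", find_suspicious_labels(recs))):
        for ts, client, qname in hits:
            print(f"[{name}] {ts} {client} -> {qname}")
```

The three checks are independent on purpose: the first only works once the domain is known to be bad, the second works without any indicator as long as each server's expected destinations have been written down, and the third needs neither but produces false positives on CDNs and cloud APIs that also use random-looking labels, so it is a triage signal rather than a block rule.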
