NTT has built an early warning sensor to detect attacks related to the recent SolarWinds breach. It is being offered free of charge for 30 days to qualified customers. The sensor examines customer systems to establish their risk of a SolarWinds-related attack. If any Indicator of Compromise (IOC) is found, the sensor issues a report. That report contains a list of actions an organisation can take to mitigate the risk, making it quicker for organisations to remediate affected systems.
The solution can be deployed on AWS and Google Cloud Platform. Interestingly, it cannot be deployed on Microsoft Azure. Gartner ranks Microsoft Azure as the second biggest cloud platform, with Google in third place. Leaving out such a major platform makes little sense given the increase in multi-cloud deployments. There is also no mention of any cloud platform built on OpenStack, such as IBM, Oracle and Tencent.
In addition to assessing levels of risk, there are two other capabilities. The first is assessing customers’ ability to mitigate any incidents should they occur. The second is providing near real-time alerts, although it is unclear how quickly those alerts will arrive.
Matt Gyde, President and CEO, Security Division at NTT Ltd, says: “Threat actors have exploited disruption during the COVID-19 crisis to launch an accelerated wave of cyberattacks around the world. The SolarWinds incidents were orchestrated by sophisticated operators and exploit the broad distribution of commonly-used software packages. NTT has now moved to proactively offer clients a way to identify potential problems in their technology infrastructure and take the steps needed to close those gaps.”
Why is NTT releasing a tool now?
NTT, like other security vendors, has been looking at how it helps customers deal with the fallout from the SolarWinds breach. In a recent blog, Jeannette Dickens-Hale, Senior All Source Threat Intelligence Analyst at NTT, said: “The impact from Sunburst may take many years to understand.”
The big concern is not the IOCs currently known about but future attacks from code left behind by the SolarWinds breach that has yet to be activated or exploited. There is a real concern across the entire cybersecurity industry that this is an attack that will keep on giving. The attackers have already deployed multiple pieces of malware and undertaken surveillance operations. Among the risks is the use of FireEye’s Red Team tools, the theft of which first drew attention to the SolarWinds breach.
Dickens-Hale warns: “There is yet to be a surefire prevention or response unique to the SolarWinds’ Sunburst attack.” That warning means companies will have to think through their entire security strategy. Tools such as this one from NTT are just the first step in retooling for a very uncertain future.
Enterprise Times: What does this mean?
Providing a tool to help customers identify a breach is good business. Limiting the platforms on which that tool runs is not so good. What makes the decision to exclude Azure stranger is that Microsoft has itself admitted to several issues arising from the SolarWinds breach. It will be interesting to see what else NTT releases, or whether an update will cover both Azure and other cloud platforms.
Another question here is, why limit it to qualified NTT customers only? Is the tool production ready? If it is only a beta, that would explain why access is limited initially. Offering it more widely, free or otherwise, would also raise awareness of NTT among potential customers.
Many companies are still unsure whether they have been affected. Over 18,000 downloaded the malicious patch files, but not all have been impacted, yet! SolarWinds has yet to say how many of those 18,000 have downloaded its fix. This tool is not directly aimed at that issue, although it will immediately detect unremediated SolarWinds environments. Its focus is on other IOCs, and it will be constantly updated by NTT’s threat intelligence teams as newer IOCs are found.