The SolarWinds breach, discovered last year, demonstrated how, with enough sophistication, malware can “phone home” for years, completely undetected. The hackers found ways around the common approaches to scanning outbound traffic on an enterprise network.
Their communications were hidden inside existing legitimate communication channels — such as the vendor’s own software update mechanism — and the communications were headed for AWS servers.
“They spun up their servers right here in America, so it looked like normal traffic,” said Vincent Berk, CTO and chief security architect at Riverbed, a San Francisco-based network performance monitoring vendor. Shutting down AWS traffic would be unthinkable for most data centers.
The most common detection tactics are to look for suspicious data in outbound traffic (credit card numbers, for example) or to see whether any traffic is bound for suspicious destinations (is it headed for a server in North Korea?). No such red flags appear to have gone up in the case of the vast SolarWinds breach.
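As an added example (not code from the article or from any vendor named in it), the script below runs the two detection tactics just described, content inspection and destination checks, over a handful of constructed outbound flow records, and shows why traffic that carries no obvious payload and terminates at a US cloud address passes both. It goes one step beyond the text by adding a third heuristic, inter-arrival regularity of flows between the same source and destination, which flags a fixed-interval "phone home" without depending on payload contents or destination reputation. All IP addresses are from the documentation ranges and all flow records, host names and thresholds are assumptions chosen for the example.

```python
"""Toy outbound-traffic triage over constructed flow records.

Added example, not from the article.  Implements the two tactics the article
names (content inspection, destination checks) and adds a third, beacon-interval
regularity, as a heuristic that ignores both payload and destination.
"""
import re
import statistics
from collections import defaultdict

# Constructed flow records (not real telemetry):
# (timestamp_seconds, src_host, dst_ip, dst_country, payload_snippet)
FLOWS = [
    (0,     "ws-17",  "203.0.113.9",  "KP", "GET /update"),
    (10,    "ws-03",  "198.51.100.5", "US", "card=4111111111111111&exp=1227"),
    (3600,  "srv-01", "192.0.2.10",   "US", "POST /api/v1/telemetry"),
    (7200,  "srv-01", "192.0.2.10",   "US", "POST /api/v1/telemetry"),
    (10800, "srv-01", "192.0.2.10",   "US", "POST /api/v1/telemetry"),
    (14400, "srv-01", "192.0.2.10",   "US", "POST /api/v1/telemetry"),
    (18000, "srv-01", "192.0.2.10",   "US", "POST /api/v1/telemetry"),
    (2,     "ws-03",  "192.0.2.44",   "US", "GET /index.html"),
    (900,   "ws-03",  "192.0.2.44",   "US", "GET /about.html"),
    (950,   "ws-03",  "192.0.2.44",   "US", "GET /logo.png"),
    (5000,  "ws-03",  "192.0.2.44",   "US", "GET /contact.html"),
]

# Tactic 1: look for sensitive data in the outbound payload (card numbers here).
CARD_RE = re.compile(r"\b\d{13,16}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def suspicious_content(payload: str) -> bool:
    return any(luhn_valid(m) for m in CARD_RE.findall(payload))


# Tactic 2: look at where the traffic is going (assumed deny-list of countries).
BLOCKED_COUNTRIES = {"KP"}


def suspicious_destination(dst_country: str) -> bool:
    return dst_country in BLOCKED_COUNTRIES


# Added heuristic: a host that talks to the same peer on a near-constant
# schedule is beaconing, whatever the payload or destination looks like.
def is_beaconing(timestamps, min_flows=4, max_cv=0.2) -> bool:
    """True when there are enough flows and their gaps are nearly uniform.

    max_cv is the coefficient of variation (stdev / mean) of inter-arrival
    gaps; 0.2 is an assumed threshold, not a tuned value.
    """
    if len(timestamps) < min_flows:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return False
    return statistics.pstdev(gaps) / mean <= max_cv


def triage(flows):
    """Return {(src, dst_ip): sorted alert labels} for flows that trip a check."""
    alerts = defaultdict(set)
    by_pair = defaultdict(list)
    for ts, src, dst, country, payload in flows:
        pair = (src, dst)
        by_pair[pair].append(ts)
        if suspicious_content(payload):
            alerts[pair].add("content")
        if suspicious_destination(country):
            alerts[pair].add("destination")
    for pair, stamps in by_pair.items():
        if is_beaconing(stamps):
            alerts[pair].add("beacon")
    return {pair: sorted(labels) for pair, labels in alerts.items()}


if __name__ == "__main__":
    for pair, labels in sorted(triage(FLOWS).items()):
        print(f"{pair[0]} -> {pair[1]}: {', '.join(labels)}")
```

In this data the srv-01 flows carry an innocuous-looking telemetry request to a US address, so neither the content check nor the destination check fires; only the hourly regularity of the connection singles it out. Real implementations have to allow for jittered intervals and for legitimate periodic traffic such as update checks, so the regularity flag is a lead for an analyst rather than a verdict.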