The SIR model and the SolarWinds Compromission

Better Watch Out

Nino Vincenzo Verde
Dec 15, 2020 · 5 min read

For the entire world, 2020 will be remembered as the COVID year. For the infosec community, it will also be the year of the SolarWinds compromission. These two things may be more closely related than you think at first. As a matter of fact, “epidemic” is the word that may link them together.

What we know so far:

  • SolarWinds has been compromised and a backdoor has been implanted in their Orion product.
  • FireEye and several government agencies, including the US Commerce and Treasury departments, have been compromised through the SolarWinds backdoor. It is possible that DHS also suffered a compromission.
  • FireEye attributed the attack to UNC2452. Many sources identify this actor with APT29/CozyBear, a state-sponsored intrusion set related to the SVR, the external intelligence agency of the Russian Federation.

What we don’t know so far:

  • How was SolarWinds compromised?
  • Will software supply chain attacks become more common in the near future?
  • How long will the UNC2452 threat actor keep benefiting from the SolarWinds compromission?

The entire cybersec community is working on this case. FireEye provided a great deal of information about the TTPs used by the attacker, together with an entire set of Indicators of Compromise that can be used to detect it [1]. Microsoft's blog is, at the moment, probably the best resource for information about post-compromise activities [2]. Splunk provided guidance on using their products to protect networks from this backdoor and to detect its activity [3]. In the same way, Sophos and every security vendor I know of are providing their contribution [4]. Symantec agrees that supply chain attacks provide attackers with access to a large number of organizations, a subset of which will become targets of interest for further compromise.

It is not easy to answer the three questions listed above [What we don’t know so far]. Sometimes, as cyber threat intelligence analysts, we have to face this type of question, leaving the technicalities behind and looking ahead into the future, evaluating all the hypotheses and trying to validate them. It is pretty clear that only SolarWinds can answer the first question. But what about the other two? They seem pretty important to me, above all in the long term. Unfortunately, my feeling is that we will be speaking about UNC2452 for a long time. Therefore, take a deep breath and consider the following:

A backdoor has been stealthily installed in the SolarWinds code repository + Many other software houses are among the victims of the SolarWinds compromission (FireEye included) => this means that, potentially, many new backdoors can be installed in the software produced and managed by these software houses.

It is not my intention to scare anyone a few days before Christmas. In addition, I don’t have the data to give a sufficient level of confidence to the considerations that follow. So… take it easy and relax. I would like to provide a general model that may help in the near future. Probably sooner than expected, there will be more data available, and this model can be leveraged to provide higher-confidence answers.

In epidemiology, compartmental models simplify the mathematical modelling of infectious diseases. One of the simplest models is named SIR: the population is assigned to compartments labelled S, I, or R (Susceptible, Infectious, or Recovered). People may progress between compartments. Models like this one try to predict things such as how a disease spreads, the total number infected, or the duration of an epidemic, and to estimate various epidemiological parameters such as the reproductive number.

[Figure: SIR model]

Now: think for a moment that we are not speaking about “people diseases”, but instead we are facing “organization diseases”, or, in other words, what is called a “compromission” in the infosec community. Susceptible organizations are organizations that can potentially be compromised by UNC2452. Infectious organizations are those already compromised: taking into account the SolarWinds statements, these are at least 18,000 out of the 300,000 of their customers that use Orion. Recovered organizations are those that remediated the attack and recovered from the intrusion.

We can leverage the SIR model to evaluate whether the SolarWinds compromission opened the way to further software supply chain attacks, and also to evaluate how long the UNC2452 threat actor will keep benefiting from this compromission. Two important parameters of the SIR model are β and γ. β is the transmission rate (which affects how many susceptible individuals will become infected), while γ is the recovery rate (which indicates how many infected individuals will become recovered). The basic reproduction ratio is given by β/γ. When this value is greater than 1, an epidemic occurs. It is not possible to estimate the β or γ parameters for UNC2452 with the information available at the moment, so we can only make hypotheses (to be honest, I don’t want to speculate about them).

Taking into account the SolarWinds statement, there are 18,000 organizations that installed the SUNBURST backdoor. I think that everyone will agree that among those 18,000 customers there will be many software houses, and that at least a couple of them may become the target of new backdoors developed by UNC2452. It means that the basic reproduction ratio is greater than 1, and therefore an epidemic will occur! You can try to play with the β and γ parameters here and see what will happen. The following figure shows that, potentially, we may reach a peak of 10% of the entire population of software houses compromised.

Varying β and γ, you will get different results. But one thing is sure: we will speak about UNC2452 for a long time!

SIS MODEL INSTEAD OF SIR?

The SIR model confers long-lasting immunity on recovered individuals. SIR is probably not the best model to use when modelling an APT that will try to regain access to a remediated network as soon as it can. In cases like this one, the SIS model becomes useful: upon recovery from infection, individuals become susceptible again (not recovered). The SIS model reaches one of two equilibria depending on the infection parameters: the disease-free equilibrium, or the endemic equilibrium, where the infection persists forever. Which equilibrium will we reach? We need more data and more information.
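As an added illustration (not code from the original post), the following Python runs the SIR model described above and the SIS variant from this section on a population of organizations, using constructed β, γ and population values rather than any real UNC2452 data. It returns the peak compromised fraction under SIR and the endemic compromised fraction under SIS, so the effect of β/γ crossing 1 can be seen directly; the constructed pair β=0.17, γ=0.1 happens to land near the 10% peak mentioned above.

```python
# Added example, not code from the original post: a small forward-Euler
# simulation of the SIR model discussed above and of the SIS variant from
# this section, applied to a population of "organizations" instead of people.
# beta, gamma, n and i0 below are constructed values for illustration; the
# post itself notes that real values for UNC2452 cannot be estimated yet.

def basic_reproduction_ratio(beta, gamma):
    """R0 = beta / gamma. An epidemic can take off only when R0 > 1."""
    return beta / gamma


def simulate_sir(beta, gamma, n, i0, days=365, dt=0.1):
    """SIR with forward-Euler steps of size dt (days).

    n: population size, i0: organizations compromised at day 0.
    Returns (peak compromised fraction, final recovered fraction).
    """
    s, i, r = float(n - i0), float(i0), 0.0
    peak = i / n
    for _ in range(round(days / dt)):
        new_inf = beta * s * i / n * dt   # susceptible -> infectious
        new_rec = gamma * i * dt          # infectious -> recovered
        s, i, r = s - new_inf, i + new_inf - new_rec, r + new_rec
        peak = max(peak, i / n)
    return peak, r / n


def simulate_sis(beta, gamma, n, i0, days=365, dt=0.1):
    """SIS: a recovered organization becomes susceptible again (the actor
    can re-enter). Returns the compromised fraction at the end of the run."""
    s, i = float(n - i0), float(i0)
    for _ in range(round(days / dt)):
        new_inf = beta * s * i / n * dt
        new_rec = gamma * i * dt
        s, i = s - new_inf + new_rec, i + new_inf - new_rec
    return i / n


def sis_endemic_fraction(beta, gamma):
    """Closed-form SIS equilibrium: I*/N = 1 - gamma/beta when R0 > 1,
    otherwise the disease-free equilibrium (0)."""
    return max(0.0, 1.0 - gamma / beta)


if __name__ == "__main__":
    # constructed scenario: 10,000 software houses, 10 compromised at day 0
    for beta in (0.05, 0.17, 0.3):
        gamma = 0.1
        peak, final = simulate_sir(beta, gamma, 10_000, 10)
        print(f"R0={basic_reproduction_ratio(beta, gamma):.1f} "
              f"SIR peak={peak:.3f} final={final:.3f} "
              f"SIS endemic={simulate_sis(beta, gamma, 10_000, 10):.3f} "
              f"(closed form {sis_endemic_fraction(beta, gamma):.3f})")
```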

Additional questions to be answered:

  • Is SolarWinds the patient zero? This is the million-dollar question!

I would like to thank FireEye for the great work they are doing shedding light on this threat. Without them, the SolarWinds compromission and all the activities of UNC2452 would probably have stayed unknown for a long time.


Nino Vincenzo Verde

Dad, Cyber Threat Intelligence analyst, Adversary Hunter, Free citizen