The SolarWinds hack has taken up a large chunk of resources in the cybersecurity community. As legislative bodies work with InfoSec experts and Silicon Valley to better combat the fallout and to prevent an attack like this in the future, Microsoft has introduced the public to one solution. In a security blog post, the technology giant has shown a softening stance on open-source research (at least in this investigation) via CodeQL. It comes on the heels of the revelation that Solorigate, a compromised DLL file, was the component that kicked off the SolarWinds hack.
In the blog, Microsoft’s security team specifically states that they are opening their CodeQL queries to the public. They call this approach a “Githubification” of security research, an obvious reference to the role that GitHub plays in open-source technology advancement. CodeQL is a “semantic code analysis engine” that lets researchers find every variant of a vulnerability by writing queries. The queries can then be shared across a decentralized network open to all InfoSec researchers.
Microsoft describes the approach with CodeQL as follows:
We used two different tactics when looking for code-level Solorigate IoCs. One approach looks for particular syntax that stood out in the Solorigate code-level IoCs; the other approach looks for overall semantic patterns for the techniques present in the code-level IoCs… The syntactic queries are very quick to write and execute while offering several advantages over comparable regular expression searches; however, they are brittle to the malicious actor changing the names and literals they use. The semantic patterns look for the overall techniques used in the implant, such as hashing process names, time delays before contacting the C2 servers, etc. These are durable to substantial variation, but they are more complicated to author and more compute-intensive when analyzing many codebases at once.
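The semantic-pattern approach in the quoted passage, as an added illustration written for this article rather than one of Microsoft's published queries: a CodeQL query over C# code that flags data flowing from a process name into a hashing routine, the "hashing process names" technique named above. It assumes the classic TaintTracking::Configuration API of the C# CodeQL library; the class names ProcessNameRead, HashCall and HashedProcessNameConfig are my own.

```ql
/**
 * @name Process name hashed before comparison
 * @description Flags flow from Process.ProcessName into a hashing call, a
 *              technique the Solorigate implant used to hide the names of the
 *              security tools it checked for. Durable against renamed
 *              identifiers and changed literals, unlike a syntactic search.
 * @kind path-problem
 * @problem.severity warning
 * @id example/hashed-process-name
 */

import csharp
import semmle.code.csharp.dataflow.TaintTracking
import DataFlow::PathGraph

/** A read of System.Diagnostics.Process.ProcessName (the source of the flow). */
class ProcessNameRead extends PropertyRead {
  ProcessNameRead() {
    this.getTarget().getDeclaringType().hasQualifiedName("System.Diagnostics", "Process") and
    this.getTarget().getName() = "ProcessName"
  }
}

/** A call to a hashing routine: HashAlgorithm.ComputeHash or any method whose name contains "hash". */
class HashCall extends MethodCall {
  HashCall() {
    (
      this.getTarget().getDeclaringType().hasQualifiedName("System.Security.Cryptography", "HashAlgorithm") and
      this.getTarget().getName() = "ComputeHash"
    )
    or this.getTarget().getName().toLowerCase().matches("%hash%")
  }
}

/** Taint configuration: process name read -> argument of a hashing call. */
class HashedProcessNameConfig extends TaintTracking::Configuration {
  HashedProcessNameConfig() { this = "HashedProcessNameConfig" }

  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ProcessNameRead }

  override predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(HashCall c).getAnArgument() }
}

from HashedProcessNameConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlow(source, sink)
select sink.getNode(), source, sink,
  "A process name read $@ is hashed here rather than compared directly.", source.getNode(), "at this point"
```

Because the query follows taint through string concatenation and intermediate variables, a simple rename of the hashing helper or a change of the hashed literals does not evade it, which is exactly the durability the passage attributes to semantic patterns.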
Many in the security community are taking the CodeQL news from Microsoft quite well. The company gets a bad rap in the InfoSec world, and for good reason, but it seems like they are at least trying to fix the mistakes that led to such a catastrophic hack. Speaking with SCMagazine, Lamar Bailey, senior director of security research at Tripwire, had this to say:
Through greater collaboration and partnerships, we will begin to see the battle swing in our favor and put an end to significant cyberattacks like the ones we have witnessed these past months.
Collaboration, what a novel concept.
Featured image: Flickr/Robert Scoble