HAWKING: Real-Time Detection and Collaborative Cybersecurity Using Record-and-Replay Technology
The SolarWinds hack represented one of the most damaging and sophisticated supply chain attacks in cybersecurity history, exploiting trusted software to gain widespread access across organizations. Traditional defenses failed to detect or mitigate this attack in a timely manner, highlighting the limitations of conventional anomaly detection and response mechanisms. This whitepaper introduces HAWKING, an advanced cybersecurity system that builds on record-and-replay technology. HAWKING combines real-time anomaly detection, replay-based fuzzing, and collaborative information sharing to detect and respond to sophisticated attacks before they can propagate widely. This paper explores the standalone and collaborative versions of HAWKING, analyzing their effectiveness in the context of the SolarWinds attack, while also acknowledging key challenges and limitations.
Introduction
The rapidly evolving landscape of cyber threats demands innovative approaches that can detect and mitigate sophisticated attacks in real time. The SolarWinds hack, where attackers inserted malicious code into trusted software updates, remains a prominent example of how advanced threats can bypass traditional defenses, remaining undetected for months while compromising sensitive systems.
HAWKING is a new cybersecurity technology designed to address these challenges by integrating record-and-replay technology, real-time anomaly detection, and fuzzing-based malware analysis. By extending proven record-and-replay capabilities, HAWKING offers an approach for proactive threat detection and detailed post-incident analysis. This paper explores how HAWKING could have responded to the SolarWinds attack, focusing on two deployment models:
- Standalone: HAWKING deployed in isolation within a single organization.
- Collaborative: HAWKING instances deployed across multiple institutions, sharing threat intelligence and anomaly data.
Foundation: Record-and-Replay Technology
Record-and-replay technology logs system events in full, including system calls, memory accesses, network traffic, and more. This produces a detailed, time-bound execution log of system behavior that can later be replayed for forensic analysis. Key features include:
- Capturing complete system state: All actions taken by a system, including inputs and outputs, are recorded, enabling an exact reconstruction of events.
- Post-mortem analysis: Once an incident occurs, security teams can replay the captured events to understand the attack, how it propagated, and what vulnerabilities were exploited.
While traditional record-and-replay excels in post-incident forensics, HAWKING extends this capability into real-time threat detection and automated analysis.
The HAWKING System
Overview of HAWKING’s Architecture
HAWKING integrates multiple layers of defense to provide real-time detection, analysis, and remediation capabilities. Its architecture consists of the following key components:
- Protected System (Recording Servers): These servers run the standard record-and-replay technology, logging all system actions during normal operations.
- Firewall System (Active Monitoring and Analysis): This system performs real-time monitoring of all emissions (e.g., network traffic, system calls) from the protected system. It flags any suspicious or anomalous behavior for further investigation.
- Mirror System (Replay and Fuzzing): When the firewall system detects an anomaly, the mirror system spins up multiple copies of the recorded instance for replay. It then applies fuzzing techniques, injecting differential inputs to explore different behavior scenarios and identify the nature of the anomaly.
- Remediation (Service Shutdown or Alerts): Upon detecting a confirmed threat, HAWKING can either turn off the affected service to contain the attack or alert human operators to take manual action.
The Role of Fuzzing in HAWKING
Fuzzing is a critical component of HAWKING’s anomaly analysis. Once the mirror system replays an instance, it fuzzes the recorded instance by:
- Varying inputs or configurations: Introducing small changes to the system’s inputs or environment to see how the anomaly responds.
- Exploring attack vectors: Triggering potential malware behaviors that might remain dormant under normal conditions.
This process helps security teams understand the specific nature of the malware, how it propagates, and what vulnerabilities it exploits.
Application of HAWKING in the SolarWinds Attack
Standalone Deployment of HAWKING
In a standalone deployment, HAWKING operates within a single organization, with its firewall system and mirror system independently monitoring and responding to anomalies. Here’s how it might have responded to the SolarWinds attack:
1. Protected System (Recording the Malware)
- HAWKING would have recorded the activity of the SolarWinds Orion software, including the initial installation of the malicious update. However, the malware was designed to remain dormant for weeks, meaning that no immediate anomalies would have been flagged during the installation phase.
2. Firewall System (Detecting Anomalies)
- Once the malware activated, it began communicating with command-and-control (C2) servers. HAWKING’s firewall system might have flagged this as an anomaly, particularly if the communication involved unusual external IP addresses or deviations from normal network traffic patterns.
- Additionally, the malware’s lateral movement, privilege escalations, or unauthorized system accesses might have triggered alerts if these actions deviated from the typical behavior of the SolarWinds process.
3. Mirror System (Replaying and Fuzzing)
- Once an anomaly was flagged, the mirror system would have spun up multiple copies of the recorded instance of the affected server, applying fuzzing techniques to identify the specific behaviors of the malware.
- By injecting differential inputs (e.g., varying network configurations or simulating different user interactions), the mirror system could have triggered the malware’s malicious actions in a controlled environment, allowing security teams to analyze its behavior.
4. Remediation (Shutting Down the Service)
- If the anomaly analysis confirmed malicious activity, HAWKING could have automatically shut down the SolarWinds Orion service, stopping the malware’s C2 communications and limiting the damage.
- Alternatively, HAWKING could have alerted human operators to investigate the flagged anomaly, giving them time to take manual steps such as isolating the compromised system.
Effectiveness:
- Moderate success: HAWKING’s standalone deployment might have successfully flagged the C2 traffic or unusual system behavior after the malware activated. However, the system would not have detected the attack during the initial installation or dormancy period. It would also depend on the firewall system’s ability to detect subtle deviations from normal behavior, which might have been challenging given the sophisticated nature of the SolarWinds malware.
Collaborative Deployment of HAWKING
In a collaborative deployment, HAWKING instances across multiple organizations share anomaly data and threat intelligence in real time. This approach leverages a network effect, where anomalies flagged in one institution provide early warning to others. Here’s how this approach could have enhanced detection and response in the SolarWinds attack:
1. Cross-Institution Anomaly Sharing
- If one institution’s HAWKING system detected unusual C2 communications or system behavior, it could share this information with other HAWKING systems deployed in different organizations.
- As soon as an anomaly was detected in one organization, other institutions would preemptively update their anomaly detection rules, allowing them to look for similar behaviors even if the malware on their own systems had not yet activated.
2. Faster Detection Across Clients
- By sharing detection data, collaborative HAWKING deployments could have detected the SolarWinds attack faster than individual institutions working in isolation. This would have reduced the dormancy period across organizations, giving clients the chance to investigate and mitigate the malware before it could cause widespread damage.
3. Shared Fuzzing Results
- The fuzzing results from one organization could be shared across all clients, allowing for rapid identification of the malware’s behavior. As soon as one institution uncovered the attack vectors, the others could apply similar mitigation strategies.
4. Coordinated Remediation
- Once an anomaly was confirmed, HAWKING systems across organizations could coordinate a proactive shutdown of services or issue widespread alerts, enabling faster response and containment across the affected organizations.
Effectiveness:
- High success: Collaborative deployment would likely have significantly improved detection and response times. The first institution to detect the anomaly would serve as an early warning for others, allowing for faster and more coordinated mitigation efforts. While the attack might still have been initiated, the collaborative network would have reduced its spread and impact.
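The following toy model, added here as an illustration and not code from the HAWKING project, shows the two mechanisms described above in miniature: a firewall system that flags outbound connections a process never made during the recorded baseline (standalone detection of unusual C2-style traffic), and a broadcast step that pushes one instance's flagged destination into its peers' detection rules (cross-institution anomaly sharing). The process name, hostnames and log entries are constructed sample data; the real system's log format and rule representation are not described in the paper.

```python
from collections import defaultdict

# Constructed sample logs (not from the whitepaper); each entry is
# (process, event, destination) as a record-and-replay log might expose it.
BASELINE_LOG = [  # recorded during normal operations
    ("orion.exe", "connect", "updates.vendor.example"),
    ("orion.exe", "connect", "license.vendor.example"),
]
LIVE_LOGS = {  # the same unlisted host later appears at both organizations
    "A": [("orion.exe", "connect", "updates.vendor.example"),
          ("orion.exe", "connect", "unlisted-host.example")],
    "B": [("orion.exe", "connect", "license.vendor.example"),
          ("orion.exe", "connect", "unlisted-host.example")],
}

class FirewallSystem:
    """One instance's firewall system: live emissions vs. a recorded baseline."""

    def __init__(self, baseline):
        self.known = defaultdict(set)  # process -> destinations seen in baseline
        self.shared = set()            # indicators received from peer instances
        for process, event, dest in baseline:
            if event == "connect":
                self.known[process].add(dest)

    def check(self, events):
        """(destination, reason) per flagged emission; shared indicators rank first."""
        flagged = []
        for process, event, dest in events:
            if event == "connect" and dest in self.shared:
                flagged.append((dest, "shared-indicator"))
            elif event == "connect" and dest not in self.known[process]:
                flagged.append((dest, "new-destination"))
        return flagged

def broadcast(origin, flagged, peers):
    """Collaborative mode: push origin's flagged destinations to every peer."""
    for dest, _ in flagged:
        for peer in peers:
            if peer is not origin:
                peer.shared.add(dest)

def run_scenario():
    """Org A flags an unseen host and shares it; org B then flags it too."""
    org_a, org_b = FirewallSystem(BASELINE_LOG), FirewallSystem(BASELINE_LOG)
    a_hits = org_a.check(LIVE_LOGS["A"])
    broadcast(org_a, a_hits, [org_a, org_b])
    b_hits = org_b.check(LIVE_LOGS["B"])
    return a_hits, b_hits
```

Org B flags the host with the stronger "shared-indicator" reason rather than as a mere local novelty, which is the confidence boost the collaborative deployment is meant to provide.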
Pros and Cons of HAWKING Technology
Pros
1. Real-Time Detection and Response
- HAWKING’s firewall system provides real-time monitoring of system activity, enabling early detection of anomalies such as unusual C2 communications or privilege escalations. By integrating a fuzzing-based mirror system, it provides deep insights into the nature of detected anomalies, allowing for rapid, informed remediation.
2. Detailed Forensic Analysis
- The record-and-replay component ensures that all system activity is captured, allowing for in-depth forensic analysis after an anomaly is flagged. Even if an attack is not detected in real time, HAWKING provides a comprehensive log for post-incident investigation.
3. Collaborative Defense Strengthens Detection
- When deployed across multiple organizations, HAWKING benefits from the network effect of shared threat intelligence. Early detection at one client allows for **faster identification and response** across others, reducing the window of vulnerability.
4. Preemptive Malware Identification
- The fuzzing in the mirror system can reveal malware behaviors that might remain dormant or undetected under normal conditions. This enables security teams to proactively identify and remediate threats before they fully manifest.
Cons
1. Resource-Intensive Replay and Fuzzing
- Running multiple replay instances and applying fuzzing techniques requires significant computational resources. In high-traffic environments or large organizations, this could lead to performance bottlenecks, especially during widespread attacks that trigger multiple anomalies at once.
2. High Complexity of Detection Rules
- HAWKING’s ability to detect anomalies depends on the granularity of its detection rules. Designing effective rules to catch subtle deviations in trusted processes (such as those in SolarWinds) is highly complex and prone to both false positives and false negatives.
3. Dormancy and Stealth of Advanced Malware
- Like the SolarWinds malware, some advanced threats remain dormant for extended periods, only activating under specific conditions. While HAWKING can detect behavior once it activates, it may not provide early warning during the malware’s dormancy phase, limiting its ability to prevent an attack at the initial installation stage.
4. Privacy and Trust in Collaborative Deployments
- Sharing anomaly data across organizations raises privacy concerns. Institutions must trust that their data will be anonymized and securely transmitted, which could slow down adoption or limit the information that can be shared.
Conclusion
The HAWKING system represents a significant advancement in real-time cybersecurity, building on the strengths of record-and-replay technology. In both standalone and collaborative deployments, HAWKING offers an effective framework for detecting and mitigating sophisticated cyberattacks like SolarWinds. Its real-time firewall system, combined with the mirror system’s replay and fuzzing capabilities, provides a powerful tool for identifying and analyzing malware behaviors.
While HAWKING shows strong potential in both detecting threats and enabling collaborative defense, it is not without challenges. The complexity of anomaly detection, the resource demands of fuzzing, and the difficulty of addressing dormant or stealthy malware remain significant hurdles. Despite these limitations, HAWKING could have provided a faster, more coordinated response to the SolarWinds attack, particularly in a collaborative deployment.
Ultimately, HAWKING represents a promising future for cybersecurity, where real-time detection and collaborative defense networks can work together to rapidly respond to even the most sophisticated threats.
Acknowledgments
This work builds on the foundational technologies developed by Julian Grizzard and the REnigma team, whose contributions to record-and-replay technology provided the basis for HAWKING’s innovative architecture.