December 17, 2020 Kumar Saurabh
By now, if you follow the news at any level, there's a good chance that you've heard of the "SolarWinds" exploit. Even non-technical news sources, including Bloomberg, Newsweek, MSNBC, CNN, Fox News, and the BBC, all have stories pertaining to the attack. There are also exceptional blog articles, like the FireEye blog or the Volexity blog, that describe what happened in great technical detail. Our goal at LogicHub is not to cast any vendor in a negative light, but to provide understandable and actionable information to help you.
What actually happened?
The SolarWinds exploit is attributed to a group known as "UNC2452" by FireEye. Other security companies (like Volexity) attribute the attack to a group they call "Dark Halo" and say this is the third attack by the group, while yet other companies (Obsidian) attribute the attack to APT29, also known as Cozy Bear, which has a long history of attacks.
Regardless of the name, the group compromised the software developed by SolarWinds, corrupting the supply chain and causing a modified DLL to be deployed to customers running certain versions and products within the SolarWinds product line. The compromised DLL, nicknamed Sunburst, was a digitally signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, it retrieves and executes commands, called "Jobs", that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services.
How do I know if I'm impacted?
SolarWinds has released an advisory detailing the specific product lines and versions that have the compromised DLL. Specifically, the impacted platforms include those running: Orion Platform versions 2019.4 hotfix 5; 2020.2 with no hotfix; or 2020.2 hotfix 1. The full list of 18 affected components along with those components not affected is in the SolarWinds advisory. If you are not running one of the three impacted Orion Platform versions, then you are not impacted by this exploit.
What should I do immediately?
The list of actions below has been collected from various sources, and while lengthy, it offers a robust set of response actions that should be considered if your organization is impacted:
What can we do if we can't isolate our Solarwinds environment?
What should we do moving forward?
If you run an on-premises Exchange environment, consider adding alerting mechanisms to any EDR solutions for processes using the Exchange Management Shell PowerShell cmdlets listed in Appendix B of the Volexity blog. This may or may not be a valid detection approach depending on how frequently these cmdlets are used within your organization.
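One way to implement that detection and its noise caveat in code (an added example, not LogicHub's or Volexity's code): scan PowerShell script-block log events for Exchange Management Shell cmdlets, and suppress alerts for principals that already use those cmdlets routinely. The cmdlet watch-list and the log events are assumed and constructed for illustration; the real list is the one in the Volexity appendix.

```python
"""Added illustration, not LogicHub's or Volexity's code: scan PowerShell
script-block log events for Exchange Management Shell cmdlets and alert only
for principals that do not use them routinely."""
import re
from collections import Counter

# Assumed watch-list of Exchange cmdlets; the page defers to Appendix B of the
# Volexity blog for the real one.
EXCHANGE_CMDLETS = (
    "New-MailboxExportRequest",
    "Get-MailboxExportRequest",
    "Remove-MailboxExportRequest",
    "Set-CASMailbox",
)
# PowerShell names are case-insensitive, so match case-insensitively.
CMDLET_RE = re.compile(r"\b(" + "|".join(map(re.escape, EXCHANGE_CMDLETS)) + r")\b", re.I)

# Constructed sample events shaped like PowerShell Event ID 4104 (script block logging).
HISTORY = [  # past month, used only to learn who normally runs these cmdlets
    {"user": "CORP\\exadmin", "host": "EX01", "script": "Get-MailboxExportRequest"},
    {"user": "CORP\\exadmin", "host": "EX01", "script": "New-MailboxExportRequest -Mailbox hr"},
    {"user": "CORP\\exadmin", "host": "EX01", "script": "Remove-MailboxExportRequest -Identity x"},
    {"user": "CORP\\jdoe", "host": "WS07", "script": "Get-Process | Sort-Object CPU"},
]
TODAY = [
    {"user": "CORP\\exadmin", "host": "EX01", "script": "get-mailboxexportrequest | remove-mailboxexportrequest -confirm:$false"},
    {"user": "CORP\\svc-backup", "host": "EX01", "script": "New-MailboxExportRequest -Mailbox ceo -FilePath \\\\share\\c.pst"},
    {"user": "CORP\\jdoe", "host": "WS07", "script": "Get-Process | Sort-Object CPU"},
]

def find_cmdlets(script):
    """Return the watched cmdlets found in one script block, in canonical case."""
    canonical = {c.lower(): c for c in EXCHANGE_CMDLETS}
    return sorted({canonical[m.lower()] for m in CMDLET_RE.findall(script)})

def baseline(events):
    """Count, per user, how many historical script blocks used a watched cmdlet."""
    return Counter(e["user"] for e in events if find_cmdlets(e["script"]))

def detect(events, history, min_prior_uses=3):
    """Alert on watched-cmdlet use by users with fewer than min_prior_uses in history (the page's noise caveat)."""
    known = baseline(history)
    alerts = []
    for e in events:
        hits = find_cmdlets(e["script"])
        if hits and known[e["user"]] < min_prior_uses:
            alerts.append((e["user"], e["host"], hits))
    return alerts
```

With the constructed data, the routine Exchange administrator is suppressed and only the previously unseen service account raises an alert; tune `min_prior_uses` to your own environment's baseline.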
How do I protect my organization from the next major exploit?
To be transparent, no single security product or security control can prevent every attack. That said, many of the recommendations in the previous section apply not only to this attack but also serve as recommended practices for the next one. So to begin, review the suggested actions to determine what you are able to do to protect yourself.
Ultimately, protection comes through a combination of deploying preventative and detective controls in a scalable fashion.
What if we're not resourced to do all of that?
If you find certain actions in the list above are highly repetitive and taxing on your internal staff, you should look at ways of automating as many of the repetitive tasks as possible. This may be possible in some instances using built-in capabilities included in your existing security solutions. If you are looking for solutions, we would suggest considering a security automation platform such as a SOAR platform. If the overhead of implementing, building, and managing another enterprise platform is prohibitive, there are many managed solutions worth looking at, particularly managed detection and response (MDR) services.
LogicHub helps on both sides of this dichotomy. In our SOAR offering, we offer hundreds of integrations with dozens and dozens of security and operational tools. We support the interaction and automation of actions from your existing tools. In the detection space, we have an automation-driven MDR+ service with a growing library of hundreds of detection rules that use advanced techniques to learn normal behaviors and alert on deviations, along with traditional indicator-based detections based on known attack behavior.
To learn more about how effective and affordable it can be to use automation to detect and respond to cyber incidents, please contact us.
Regards,
Kumar Saurabh
CEO & Co-Founder
© 2017-2022 LogicHub® All Rights Reserved