Cybersecurity vendor FireEye recently disclosed a sophisticated attack which led to the “unauthorized access of their red team tools.” A few days later, this attack was linked to a widespread and complex supply chain attack, referred to as “Sunburst,” targeting SolarWinds’ enterprise IT monitoring solution. As always, make sure to review and follow the recommendations and countermeasures from both SolarWinds and FireEye.
Given the extreme levels of discipline, covertness and damage-potential involved with the attack, it impressed even the most experienced incident responders. The Wall Street Journal described the hack as leveraging “extraordinarily stealthy tradecraft, using cyber tools never before seen in a previous attack, with a strategy that zeroed in on a weak link in the software supply chain that all U.S. businesses and government institutions rely on—an approach security experts have long feared but one that has never been used on U.S. targets in such a concerted way.”
While the event was unprecedented, it also achieved immense success, which virtually guarantees adversaries will continue using many of its methods and tactics in future campaigns. All of this means security operations teams will require updated – if not entirely new – operating procedures and threat hunting frameworks for responding quickly to these types of threats in the future.
How to Use SOAR to Orchestrate Sunburst Detection and Response
As you may expect, the cybersecurity vendor landscape was quick to react to this serious attack. Detection tools such as SIEMs and EDRs have released updates that allow for the detection of Sunburst-related IOCs, threat intelligence providers quickly added new Sunburst-related intelligence, and prevention technologies such as firewalls, IPS, and endpoint technologies have updated blacklists to block subsequent attacks.
SOAR solutions, such as Siemplify's, have proven effective in coordinating the various tools in use by security operations to deliver a coordinated response to Sunburst. Here are some examples of how our customers and partners have leveraged the Siemplify SOAR platform.
1) Initial Sunburst detection playbook
A Siemplify playbook combines the various detection tools in use to produce a definitive answer, based on multiple sources, as to whether the organization has been exposed. Playbook steps can include running Sunburst-specific SIEM queries, searching for Sunburst IOCs from your threat intelligence across endpoints and network traffic, and querying any other detection technologies at your disposal.
2) Remediation and prevention of Sunburst IOCs
If Sunburst IOCs are discovered, a playbook can orchestrate the various remediation and/or prevention technologies across your devices. This includes updating firewall rules, blocking executables and more.
3) Ongoing monitoring for Sunburst IOCs
Siemplify “jobs” can periodically pull new Sunburst-related IOCs from commercial and open-source threat intelligence feeds (such as MISP) and automatically hunt for them in your environment. If new IOCs are discovered, alerts can be raised and the appropriate remediation sequence triggered.
It is worth noting that all of these steps can be applied to any attack as part of standard operating procedures for responding to a new threat. Simply swap out the Sunburst IOCs for the IOCs related to the attack you want to detect, remediate or hunt for.
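To make the three playbook steps above concrete, here is an added Python example, written for this page rather than taken from Siemplify or the original post, that generalizes them exactly as the previous paragraph suggests: it works for any IOC set, not only Sunburst's. The feed payload is shaped like a MISP attribute export (a list of objects with "type" and "value" fields), but every indicator value, hostname and telemetry line in it is a constructed placeholder, and the function names (`load_iocs`, `hunt`, `build_remediation`, `merge_and_hunt`) and the mapping of IOC types to log fields are assumptions of this example, not a Siemplify or MISP API.

```python
"""
Added example (not Siemplify code, not from the original post): a minimal
IOC-driven playbook mirroring the three steps in the text:
  1) hunt for indicators across sample telemetry (detection),
  2) derive remediation actions from the hits (remediation/prevention),
  3) merge a fresh feed pull and re-hunt only the new indicators (monitoring).
All indicator values, hostnames and log lines below are constructed placeholders.
"""
import json

# Constructed feed payload, shaped like a MISP attribute export
# (list of {"type", "value"} objects). Values are placeholders, not real IOCs.
FEED_JSON = json.dumps({"response": {"Attribute": [
    {"type": "domain", "value": "c2.example.invalid"},
    {"type": "ip-dst", "value": "203.0.113.45"},
    {"type": "sha256", "value": "a" * 64},
]}})

# A later pull of the same feed: one indicator already known, one new.
NEW_FEED_JSON = json.dumps({"response": {"Attribute": [
    {"type": "ip-dst", "value": "203.0.113.45"},
    {"type": "ip-dst", "value": "198.51.100.2"},
]}})

# Constructed telemetry lines (DNS, process creation, firewall), one event per line.
SAMPLE_EVENTS = [
    "dns host=ws01 query=c2.example.invalid rcode=NOERROR",
    "dns host=ws02 query=updates.example.invalid rcode=NOERROR",
    "proc host=srv07 image=C:\\Tools\\svc.exe sha256=" + "a" * 64,
    "fw host=edge01 src=10.0.0.8 dst=203.0.113.45 dport=443 action=allow",
    "fw host=edge01 src=10.0.0.9 dst=198.51.100.2 dport=443 action=allow",
]

# Assumed mapping from IOC type to the telemetry field it should be matched against.
_FIELD_FOR_TYPE = {"domain": "query", "ip-dst": "dst", "sha256": "sha256"}


def load_iocs(feed_json):
    """Parse a feed export into {ioc_type: set(lower-cased values)}."""
    iocs = {}
    for attr in json.loads(feed_json)["response"]["Attribute"]:
        iocs.setdefault(attr["type"], set()).add(attr["value"].lower())
    return iocs


def hunt(events, iocs):
    """Step 1: return (event, ioc_type, value) for every event carrying a known IOC."""
    hits = []
    for line in events:
        # First token is the source; the rest are key=value fields.
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        for ioc_type, field in _FIELD_FOR_TYPE.items():
            value = fields.get(field, "").lower()
            if value and value in iocs.get(ioc_type, ()):
                hits.append((line, ioc_type, value))
    return hits


def build_remediation(hits):
    """Step 2: map each hit to the control that should block it (deduplicated, sorted)."""
    actions = set()
    for _, ioc_type, value in hits:
        if ioc_type == "ip-dst":
            actions.add(("firewall_block", value))
        elif ioc_type == "domain":
            actions.add(("dns_sinkhole", value))
        elif ioc_type == "sha256":
            actions.add(("block_executable", value))
    return sorted(actions)


def merge_and_hunt(known, new_feed_json, events):
    """Step 3: periodic job; hunt only for indicators not already in `known`.

    `known` is updated in place so the next run sees the enlarged set.
    Returns (delta_iocs, hits_for_delta)."""
    fresh = load_iocs(new_feed_json)
    delta = {t: v - known.get(t, set()) for t, v in fresh.items()}
    delta = {t: v for t, v in delta.items() if v}
    for t, v in fresh.items():
        known.setdefault(t, set()).update(v)
    return delta, hunt(events, delta)


if __name__ == "__main__":
    iocs = load_iocs(FEED_JSON)
    hits = hunt(SAMPLE_EVENTS, iocs)
    for action in build_remediation(hits):
        print("remediate:", action)
    delta, new_hits = merge_and_hunt(iocs, NEW_FEED_JSON, SAMPLE_EVENTS)
    print("new indicators:", delta, "-> new hits:", len(new_hits))
```

The design point worth noting is that the monitoring job hunts only on the delta between feed pulls, so a large, slowly changing feed does not trigger a full re-scan every cycle; a real job would persist `known` between runs and route `build_remediation`'s output to the corresponding firewall, DNS and endpoint integrations rather than printing it.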
We invite the cybersecurity community to download our always-free Siemplify Community Edition and see how easy it is to build playbooks for Sunburst as well as many additional use cases.
Nimmy Reichenberg is CMO at Siemplify.