SunBurst Playbooks for the SolarWinds Breach

By Alex MacLachlan December 23, 2020 security-orchestration-automation-response


The SolarWinds supply chain compromise has sprung nearly every security team into action in the past week as they try to determine whether any hosts on their network are running the Orion network monitoring software.

Moreover, they are checking—and double-checking—for other signs of malicious activity and putting together a remediation plan. Discovery and remediation like this require a lot of manual processing. Searching for indicator lists, gathering threat intelligence, and building out a playbook all take time and resources, which are in short supply during a potential breach. Plus, new information about the attack is coming out almost hourly, creating continuous work.

This is exactly where D3 NextGen SOAR can help. Specifically, it can support security teams during four key processes:
– IOC hunting and escalation
– Enrichment and response
– Security tool validation
– MITRE ATT&CK TTP mapping

IoC Hunting and Escalation

D3 has a dedicated playbook for SunBurst IoC hunting and escalation that retrieves the IoCs from FireEye’s database, actively hunts for IoCs in the SIEM that match those malware signatures, and creates an incident within D3 if any suspicious signatures are identified. If no IoCs are found, the playbook will continue to monitor and search SIEM logs on a predetermined schedule.

Enrichment and Response

If traces of compromise are detected, D3 can run the SunBurst Enrichment and Response playbook, which orchestrates across SIEM, endpoint security, network security, data loss prevention, and other tools to contain the threat. D3 will search endpoint security logs for file hashes and delete any that match SunBurst signatures. If any endpoints are running malicious processes, they will be quarantined via the endpoint security tools. Additional files can be analyzed in VirusTotal and added to the list of potential SunBurst IoCs.

D3 will also orchestrate actions to the SIEM and DLP tool to identify suspicious network activity and data exfiltration, identify potential lateral movement to other environments and machines, and add ongoing surveillance for future lateral movement. Any IPs and URLs that are found in the investigation will be analyzed in integrated threat intelligence platforms and blocked through the firewall if found to be malicious.

Security Tool Validation

It is also important to confirm that your security tools are configured correctly to detect SunBurst malware IoCs if they are present in the environment. D3’s AttackIQ Security Tool Validation playbook fetches the latest SunBurst IoCs from FireEye’s database, as well as the results of the enrichment and response playbook. It then simulates those IoCs in AttackIQ’s lab environment and runs assessments in AttackIQ. This will confirm that the tools are able to catch the relevant IoCs. If they aren’t, D3 can trigger notifications to administrators to make the necessary changes.

MITRE ATT&CK TTP Mapping

It is now well known that the perpetrators of the attack went undetected for around nine months. This speaks to how much emphasis security strategy places on detection at the point of compromise, while remaining less effective at detecting adversaries as they move within compromised systems. By mapping SUNBURST events against the MITRE ATT&CK Matrix, you can build the kill chain of the larger attack. By studying the kill chain, you can narrow your search by focusing on the links in the chain that you have not yet detected.

Additional Uses for SOAR

The usefulness of SOAR to address SunBurst doesn’t stop there, because with the scope of this attack, there are many more processes that could be automated. For example:
– Automatically updating your lists of indicators and hashes
– Checking Shodan for leaked RDP SSL certificates
– Changing passwords for every account used by SolarWinds Orion
– Building detection content based on MITRE ATT&CK

Stay tuned to D3Security.com for more resources related to the SunBurst malware attack. If you want to learn more about how our NextGen SOAR platform can help you combat advanced cyber threats, check out our NextGen SOAR Product Guide .

Alex MacLachlan

Alex MacLachlan

Alex is the Director of Marketing at D3. He oversees D3's marketing, communications, and digital programs. He enjoys fishing, "checking the analytics", playing golf and watching hockey - in that order.


Comments

comments for this post are closed