12.18.20

Threat Report

Summary of deepwatch's Actions in Response to Sunburst IOC

By Neal Humphrey and Rich Meeker

Executive Summary:

This should be read as an addendum to the deepwatch Significant Cyber Event released on Dec 14, 2020.

Significant Cyber Event Link

In an effort to keep our customers up to date on the ongoing actions the deepwatch team has taken since the December 13 announcement of the “Sunburst” malware, the following timeline and information summarize the key areas for you to be aware of.

Summary Timeline:

  • Sunday, Dec 13. deepwatch was made aware of a SolarWinds Security Advisory – LINK
  • FireEye was one of the first to report on issues discovered with SolarWinds’ Orion product. They have since referred to the situation as “Sunburst” – LINK
  • After performing research into the event, deepwatch received and validated IOCs and loaded them into deepwatch’s Threat Intelligence Platform for distribution and to enable active searches against customer data.
  • Searches were created and run across the deepwatch customer base for these IOCs. Where hits were observed, the individual customers were notified.
  • Monday, Dec 14. deepwatch squads reviewed customer data and log sources for SolarWinds activity to help determine whether customers needed to be informed of patching requirements. Because SolarWinds is typically deployed to monitor and manage network infrastructure, customers do not forward event logs directly from the SolarWinds servers to deepwatch; deepwatch must therefore rely on network log sources such as firewalls, IPS, and DNS to identify indicators of compromise.
  • deepwatch Vulnerability Management customers were notified at the same time, after a review of the installed versions on their SolarWinds assets. Customers with both MDR and Vulnerability Management were informed not only of any alerts observed on the IOCs within their network but also of whether they had affected versions of Orion installed or were patched ahead of or behind those versions. This allowed for more targeted remediation through prioritized patching operations.
  • Monday, Dec 14. deepwatch sent all customers a notification and overview of the Sunburst compromise. LINK
  • On Tuesday, Dec 15 the recommended patching level was updated, as SolarWinds revised its recommended HotFix version:
    • 2020.2.1 HF 2 (available December 15, 2020)
  • deepwatch has continuously kept customers and partners informed through standard security operations Squad calls with up-to-date information on the breach and the detection or mitigation of any problems.
  • Additional information that has been relayed:
    • Palo Alto Networks Detections and Rules – LINK
    • Snort OSINT Detection Rules – LINK
    • Cisco Talos Information – LINK
  • Customers with Network Management services from deepwatch were contacted, and updated IOCs and detection rules were deployed to their network defenses as new detections were released by their infrastructure vendors.
  • deepwatch squads and threat hunters continuously monitor for additional information or alerts within impacted customer networks. This remains an ongoing campaign even after the killswitch actions that occurred on Dec 16 – LINK
  • For the latest information on Sunburst, visit the DHS Cyber website – LINK

Current MDR Updates:

deepwatch Updates | Category | Actions | Status
----------------- | -------- | ------- | ------
Threat Operations | Indicators of Compromise | IOAs and IOCs updated leveraging information provided by multiple verified sources | Dec 13. IOCs are updated daily.
Customer Detection Use Cases | Splunk Queries | Perform manual searches based upon information as it becomes available, such as DNS, C2 traffic, SolarWinds installations, IPS events, and firewall traffic | Dec 13–14. Detection use cases live and in use.
Detection Engineering | Detection Updates | Updated IOAs and IOCs in use with global and customer-specific detection use cases | Dec 14. Detection information and enrichments continue to be collected.
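As an added illustration (not deepwatch’s code) of the two checks described in the timeline and the table above, searching network logs for IOCs and comparing an installed Orion version against the 2020.2.1 HF 2 hotfix level, the following Python uses constructed placeholder domains, addresses and version strings:

```python
"""Added example (not deepwatch's code): IOC search over network logs plus an
Orion hotfix-level check. Every domain, IP and version string is constructed."""
import re
from ipaddress import ip_address, ip_network

# Placeholder IOC set; in practice this is fed from the threat intel platform.
IOC_DOMAINS = {"ioc-example.invalid"}
IOC_NETWORKS = [ip_network("203.0.113.0/24")]   # RFC 5737 documentation range
# Constructed DNS and firewall lines: the sources relied on when SolarWinds
# host logs are not forwarded.
SAMPLE_LOGS = [
    "2020-12-13T02:10:11Z DNS client=10.0.0.5 query=abc123.ioc-example.invalid",
    "2020-12-13T02:11:42Z FW src=10.0.0.5 dst=203.0.113.77 dport=443 action=allow",
    "2020-12-13T02:12:03Z DNS client=10.0.0.9 query=updates.example.com",
]

def domain_matches(qname: str) -> bool:
    """True if qname is an IOC domain or any subdomain of one (trailing dot ok)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)

def ip_matches(addr: str) -> bool:
    """True if addr falls inside an IOC network; malformed input never matches."""
    try:
        return any(ip_address(addr) in net for net in IOC_NETWORKS)
    except ValueError:
        return False

def scan_logs(lines):
    """Return (internal_host, indicator) pairs for every line that hits an IOC."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[2:] if "=" in kv)
        if domain_matches(fields.get("query", "")):
            hits.append((fields.get("client"), fields["query"]))
        if ip_matches(fields.get("dst", "")):
            hits.append((fields.get("src"), fields["dst"]))
    return hits

RECOMMENDED = "2020.2.1 HF 2"   # hotfix level named in the Dec 15 update

def parse_orion_version(text: str):
    """'2020.2.1 HF 2' -> (2020, 2, 1, 2); a build with no hotfix counts as HF 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def patch_status(installed: str) -> str:
    """'patched' if at or above the recommended hotfix level, else 'behind'."""
    ahead = parse_orion_version(installed) >= parse_orion_version(RECOMMENDED)
    return "patched" if ahead else "behind"
```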

Three-Part Sunburst Blog Series Coming Soon

Stay tuned over the next few weeks for a three-part series that we are putting together on our blog to cover Sunburst. In Part I we will examine the timeline of events and what we know so far, as well as provide some insights and thoughts around what this means for the cybersecurity industry moving forward. Part II will map the attacker’s timeline to the MITRE ATT&CK Framework, identifying potential gaps in visibility and providing recommendations for data sources to closely monitor. Part III will examine the path forward and how a holistic approach to data aggregation and visibility is the only way to detect sophisticated attacks like this one.

View the Sunburst Threat Report


Neal Humphrey

Neal Humphrey currently serves deepwatch as Director, Solutions Architecture. Throughout his 20-year career in the security industry Neal has held a variety of roles, including Principal Security Engineer at Sourcefire, Technical Solutions Architect for Cisco, and Director of Threat Intelligence Engineers at ThreatQuotient. Neal has worked with small- to medium-sized businesses as well as enterprise-level organizations to help their security teams identify and solve Cyber Security Operations challenges, and to help them understand and mature their Security Architectures and processes.

Rich Meeker

Rich Meeker is deepwatch’s Technology Alliances Director. A seasoned veteran with over 20 years of experience in Information Security, he has helped customers understand how they can better align their Security Architecture and Program to meet the needs of the business. In his career, Rich has been a Security Architect, led a large network Security Consulting practice, and held various certifications such as CISSP and CISM.

© Copyright 2021 deepwatch incorporated