Summary of deepwatch's Actions in Response to Sunburst IOC

Executive Summary:

This should be read as an addendum to the deepwatch Significant Cyber Event released on Dec 14, 2020.

Significant Cyber Event Link

To keep our customers up to date on the actions the deepwatch team has taken following the December 13 announcement of the “Sunburst” malware, the timeline and information below summarize the key areas to be aware of.

Summary Timeline:

  • Sunday Dec 13.  deepwatch was made aware of a SolarWinds Security Advisory – LINK
  • FireEye was one of the first to report on issues discovered with SolarWinds’ Orion product.  They have since referred to the situation as “Sunburst” – LINK
  • After researching the event, deepwatch received and validated IOCs and rolled them into deepwatch’s Threat Intelligence Platform for distribution and to enable active searches against customer data.
  • Searches for these IOCs were created and run across the deepwatch customer base. If hits were observed, individual customers were notified.
  • Monday Dec 14. deepwatch squads reviewed customer data and log sources for SolarWinds activity to help determine whether customers needed to be informed of patching requirements. Because SolarWinds is often deployed for monitoring and management of network infrastructure, customers do not forward event logs directly from the SolarWinds servers to deepwatch. deepwatch must rely on network log sources such as firewalls, IPS, and DNS to help identify indicators of compromise.
  • deepwatch Vulnerability Management customers were notified at the same time, after their SolarWinds assets were reviewed for version compatibility. Customers with both MDR and Vulnerability Management were informed not only of any alerts observed on the IOCs within their network, but also of whether they had exploited versions of Orion installed or were patched ahead of or behind those versions. This allowed for more targeted remediation through prioritized patching operations.
  • Monday Dec. 14. deepwatch sent all customers a notification and overview of the Sunburst compromise. LINK
  • On Tuesday, Dec. 15 an update to the recommended patching level was made as the recommended HotFix version from SolarWinds was updated.   
    • (2020.2.1 HF 2 (available December 15, 2020))
  • deepwatch has continuously kept our customers and partners informed, through standard security operations Squad calls, of up-to-date information concerning the breach and the detection or mitigation of any problems.
  • Additional information that has been relayed:
    • Palo Alto Networks Detections and Rules – LINK
    • Snort OSINT Detection Rules – LINK
    • Cisco Talos Information – LINK
  • Customers with Network Management services from deepwatch were contacted, and updated IOCs and detection rules were deployed to their network defenses as new detections were created by their infrastructure vendors.
  • deepwatch squads and threat hunters continuously monitor for additional information or alerts within impacted customer networks. This is an ongoing campaign even after the killswitch actions that occurred on Dec. 16 – LINK
  • For the latest information on Sunburst, visit the DHS Cyber website – LINK

Current MDR Updates:

| deepwatch Updates | Category | Actions | Status |
| --- | --- | --- | --- |
| Threat Operations | Indicators of Compromise | IOAs and IOCs updated leveraging information provided by multiple verified sources | Dec 13. IOCs are updated daily |
| Customer Detection Use Cases | Splunk Queries | Perform manual searches based upon information as it becomes available, such as DNS, C2C traffic, SolarWinds Installations, IPS Events, Firewall Traffic. | Dec 13 – 14. Detection Use Cases Live and in Use. |
| Detection Engineering | Detection Updates | Updated IOAs and IOCs in use with Global and Customer specific Detection Use Cases. | Dec 14. Detection information and enrichments continue to be collected. |

Three-Part Sunburst Blog Series Coming Soon

Stay tuned over the next few weeks for a three-part series that we are putting together on our blog to cover Sunburst. In Part I we will examine the timeline of events and what we know so far, as well as provide some insights and thoughts around what this means for the cybersecurity industry moving forward. Part II will map the attacker’s timeline to the MITRE ATT&CK Framework, identifying potential gaps in visibility and providing recommendations for data sources to closely monitor. Part III will examine the path forward and how a holistic approach to data aggregation and visibility is the only way to detect sophisticated attacks like this one.
