Protecting against Sunburst Indicators of Compromise with the Threat Lens, SecureX and Umbrella approach. Implementing Sunburst backdoor DNS filtering.
Security researchers discovered a cyber attack on the supply chain of SolarWinds, a US-based multinational corporation.
The attack on Solarwinds, which is one of the leading providers of enterprise-level network management and security software products, illustrates how an organization can be subject to supply chain attacks. With more and more organizations relying on suppliers for their products and services, it is important to protect against these risks.
Supply chain attacks are a major concern for businesses in the manufacturing and distribution industries. As more companies adopt remote monitoring and IoT technologies, they have opened up their processes to increased vulnerabilities from third-party suppliers. The best way to protect your company from these threats is through passive perimeter security monitoring combined with proactive countermeasures. I will explore one of these options below.
What is Sunburst?
SUNBURST is a sophisticated supply-chain attack in which adversaries compromised updates to SolarWinds' Orion IT monitoring and management software, specifically a component called 'SolarWinds.Orion.Core.BusinessLayer.dll' in versions 2019.4 HF 5 through 2020.2.1.
The digitally signed updates were posted on the SolarWinds website from March to May 2020. This backdoor has been named SUNBURST, and it can communicate to third party servers using HTTP. Find out more here.
What did we do to protect ourselves?
By integrating Umbrella into our defence perimeter, we can continuously scan our network for evolving compromise and detect any node attempting to communicate with adversarial systems.
A business's supply chain is a major concern for us because these products tend to reside outside, or make up part of, the security perimeter. Businesses need to increase security around these systems and infrastructure, be more cautious when it comes to third-party vendors, and adopt a zero trust methodology even for their own security measures. Supply chain attacks are believed to be where new threats are most likely to grow in the future, because it is at these points that businesses have the least control and visibility over what is happening with their data. It's not just the threat of a cyber-attack that needs to be considered: physical attacks also have the potential to cause significant damage and loss for businesses.
For SUNBURST, our Threat Lens has been updated to display DNS resolution of domains in the SUNBURST Indicator of Compromise (IOC) list, even before the domains were discovered as part of the SUNBURST backdoor. We are then able to review our logs for previous signatures and block new domains going forward. We can view DNS resolution to these domains over any period in the last 12 months.
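The retrospective review described above, as an added example that is not part of the original post or any Cisco product: it runs a list of IOC domains over DNS query log lines, flagging both exact matches and subdomains of a listed domain (the Threat Lens view only shows the matching resolutions; this script reproduces the matching on your own logs). The IOC domains and log lines are constructed placeholders, not real SUNBURST indicators; the log format (timestamp, client IP, queried name) is assumed.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed placeholder IOC domains (NOT real SUNBURST indicators);
# substitute the published IOC list when running this against real logs.
IOC_DOMAINS: Set[str] = {
    "ioc-example-1.invalid",
    "ioc-example-2.invalid",
}

# Constructed DNS query log lines in an assumed "timestamp client qname" format.
SAMPLE_DNS_LOG = """\
2020-06-03T10:15:02Z 10.0.4.17 update.contoso.internal
2020-06-03T10:15:09Z 10.0.4.17 abc123.ioc-example-1.invalid
2020-07-21T23:41:55Z 10.0.9.3 IOC-EXAMPLE-2.INVALID.
2020-08-01T08:00:00Z 10.0.2.8 www.example.org
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot so FQDN variants compare equal."""
    return name.lower().rstrip(".")


def matches_ioc(qname: str, iocs: Set[str]) -> Optional[str]:
    """Return the IOC domain that qname equals or is a subdomain of, else None.

    The leading '.' in the suffix check stops 'notioc-example-1.invalid'
    from being reported as a hit for 'ioc-example-1.invalid'.
    """
    q = normalise(qname)
    for ioc in iocs:
        i = normalise(ioc)
        if q == i or q.endswith("." + i):
            return i
    return None


def find_hits(log_text: str, iocs: Set[str]) -> List[Dict[str, str]]:
    """Scan log lines and return every resolution of an IOC domain, in log order."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the review
        ts, client, qname = m.groups()
        ioc = matches_ioc(qname, iocs)
        if ioc:
            hits.append({"time": ts, "client": client, "qname": normalise(qname), "ioc": ioc})
    return hits
```

Each hit gives the client and time of the resolution, which is what you need to trace the historic activity the Threat Lens surfaces; the IOC list itself is what you push into the DNS blocklist going forward.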