

The case for Google Chronicle in a Supply Chain Attack

Google Chronicle Use Case - SolarWinds Orion "SUNBURST" Supply Chain Attack

In light of the recent SolarWinds Orion "SUNBURST" supply chain attack, there is a strong use case for deploying Google Chronicle to protect your network and organization against a similar attack.

Understanding the Attack

Widely reported as a nation-state attack, the SolarWinds compromise affected the U.S. Treasury and Commerce departments, according to Reuters.

Discovered by FireEye, the campaign gained access to both public and private organizations through a trojanized update to SolarWinds' Orion IT monitoring software. The campaign is believed to have started as early as the spring of 2020 and is still ongoing. Post-compromise activity has included lateral movement and data theft.

SUNBURST rides in on a legitimate install of SolarWinds Orion: the trojanized update implants a backdoor that communicates over HTTP with external command-and-control (C2) servers. FireEye tracks the trojanized component as "SUNBURST."

In some cases the malware stayed dormant for many months before beaconing; once active, it disguises its C2 traffic as Orion Improvement Program (OIP) protocol traffic so that it blends in with legitimate Orion activity. Multiple trojanized updates were digitally signed with SolarWinds' own code-signing certificate between March and May 2020 and posted to the SolarWinds updates website, so the signatures validated and the usual "is this update signed by the vendor?" check offered no protection.


How Datashield Can Help

When the attack became public, Datashield immediately began sweeping its customers' networks. Using our threat content development team and analysts, together with our proprietary SHIELDVision orchestration and threat intelligence platform, we scanned client environments for the known indicators and notified affected customers of every occurrence.

Datashield analysts identified compromised SolarWinds installs dating back multiple months, and were then able to pivot on that information to provide precise recommendations and follow-up investigation while customer teams triaged.


How Google Chronicle Can Help

The compromise also exposed shortfalls in some technologies. Even where a product could detect the indicators, it may not have retained enough data to look back more than a couple of months. For most organizations, initial compromise occurred in early spring, months before the security community discovered the campaign.

Without that retention, it may be impossible to determine the extent of post-compromise activity, which severely hampers both detection and an efficient response. The time required to run a query over such a large dataset is another barrier to awareness: some technologies need multiple hours to search that much data, an unacceptable delay when time is of the essence.

Many organizations retain only three months of data. In a historical forensic use case such as searching for evidence of SUNBURST, many technologies in their default configuration simply cannot see far enough back to be useful.

Google Chronicle addresses this directly: security teams can query a full year of data by default, and queries return in seconds rather than hours, even across hundreds of terabytes, because Chronicle runs on Google Cloud infrastructure. One caveat applies to any platform: retention only helps for telemetry that was actually being ingested during the period in question. A year of lookback over DNS, proxy and endpoint logs is what lets a team establish when a host first beaconed and what happened afterwards, so those sources need to be feeding the platform before an incident, not after.
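To make the retention point concrete, here is an added example (not Datashield's, Google's or FireEye's code) that sweeps a small set of constructed proxy log lines for a C2 indicator, once with a 90-day window and once with a 365-day window, and reports first-seen date, affected hosts and dwell time. The log lines, the `c2.example.net` indicator and the `/swip/` path pattern are placeholders standing in for real SUNBURST indicators and OIP-style traffic; they are not taken from the page or from any published IOC list.

```python
"""Retention-window IOC sweep over constructed proxy log lines.

Added example, not code from Datashield, Google or FireEye. It shows why a
90-day retention window misses early beaconing that a 365-day window still
contains. All hostnames, paths and timestamps below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed log lines: "<ISO timestamp> <src host> <dest host> <method> <path>"
SAMPLE_LOG = """\
2020-03-30T02:14:07Z orion-01 updates.solarwinds.example GET /Orion/CoreUpdate.msp
2020-04-16T03:22:51Z orion-01 c2.example.net GET /swip/Upload.ashx
2020-05-02T03:21:09Z orion-01 c2.example.net GET /swip/Upload.ashx
2020-06-11T03:24:44Z orion-01 c2.example.net PUT /swip/Events
2020-11-28T04:01:12Z orion-02 c2.example.net GET /swip/Upload.ashx
2020-12-10T09:17:33Z ws-17 intranet.corp.example GET /index.html
"""

# Hypothetical indicators: placeholders, not real SUNBURST IOCs.
IOC_DOMAINS = {"c2.example.net"}
OIP_LIKE_PATH = re.compile(r"^/swip/")  # stand-in for traffic disguised as OIP

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Public disclosure of the campaign; used as the "now" of the investigation.
DISCOVERY = datetime(2020, 12, 13, tzinfo=timezone.utc)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "src": m.group(2),
            "dst": m.group(3),
            "method": m.group(4),
            "path": m.group(5),
        })
    return events


def sweep(events, discovery_date, retention_days):
    """Return IOC hits that are still inside the searchable retention window."""
    cutoff = discovery_date - timedelta(days=retention_days)
    hits = []
    for ev in events:
        if ev["ts"] < cutoff:
            continue  # aged out: the platform no longer holds this event
        if ev["dst"] in IOC_DOMAINS or OIP_LIKE_PATH.match(ev["path"]):
            hits.append(ev)
    return hits


def summarize(hits, discovery_date):
    """Condense hits into what an analyst needs: first seen, hosts, dwell time."""
    if not hits:
        return None
    first = min(h["ts"] for h in hits)
    return {
        "first_seen": first,
        "hosts": sorted({h["src"] for h in hits}),
        "hit_count": len(hits),
        # calendar-day dwell time between first beacon and discovery
        "dwell_days": (discovery_date.date() - first.date()).days,
    }


def sweep_report(retention_windows=(90, 365)):
    """Run the same sweep under each retention window and return the summaries."""
    events = parse_log(SAMPLE_LOG)
    return {days: summarize(sweep(events, DISCOVERY, days), DISCOVERY)
            for days in retention_windows}


if __name__ == "__main__":
    for days, summary in sweep_report().items():
        print(f"{days}-day retention: {summary}")
```

With the 90-day window the sweep sees a single beacon from `orion-02` in late November and reports a dwell time of about two weeks; with the 365-day window it finds the April beacon from `orion-01` and a dwell time of roughly eight months, which is the difference between "one recently infected host" and "a compromise that predates most of our other logs". The same structure applies to real telemetry: swap `SAMPLE_LOG` for a query against the platform and `IOC_DOMAINS` for the published indicators.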


Conclusion

Datashield understands the structure and scope of the Orion "SUNBURST" attack. We were able to notify our customers quickly, scan their environments, and support their response throughout.

If your organization is looking to close security gaps and hire a managed security service provider with developed threat content teams, automated alerting, and top-notch customer service, contact us today for a consultation with one of our security engineers.

Topics from this Article

Op-Ed, News, Threat Intelligence, Alerting, Threat Analysis, Cloud SIEM, Google Chronicle, FireEye, SUNBURST

Datashield
Official Datashield account for blog content, news, announcements and more. The articles authored include a collaboration between internal staff, specifically the security operations and marketing team.
