

The case for Google Chronicle in a Supply Chain Attack

Google Chronicle Use Case - SolarWinds Orion “SUNBURST” Supply Chain Attack

In light of the recent SolarWinds Orion “SUNBURST” supply chain attack, there is a strong use case for deploying Google Chronicle to protect your network and organization against a similar attack.

Understanding the Attack

Widely reported as a nation-state attack, the SolarWinds attack has affected the U.S. Treasury and Commerce departments, according to Reuters.

Discovered by FireEye, the campaign gained access to both public and private organizations through a trojanized update to SolarWinds’ Orion IT monitoring software. The campaign is believed to have started as early as the spring of 2020 and is still ongoing. Post-compromise activity has included lateral movement and data theft.

SUNBURST compromised a legitimate install of SolarWinds Orion, implanting a backdoor that communicates over HTTP with external C2 servers. FireEye tracks the trojanized version of the plugin as “SUNBURST.”

Dormant for many months in some cases, the malware then disguises its network traffic as the Orion Improvement Program (OIP) protocol, blending in with legitimate activity. Multiple trojanized updates were digitally signed between March and May 2020 and posted to the SolarWinds updates website.


How Datashield Can Help

In light of this event, Datashield worked night and day to scan and protect our own customers’ networks. Utilizing our skilled threat content development team and analysts, we were able to scan our clients’ environments and notify them of any occurrences utilizing our proprietary SHIELDVision orchestration and threat intelligence platform.

Not only were Datashield analysts able to identify instances of compromised SolarWinds dating back multiple months, but they were also able to then pivot on that information and provide precise recommendations and follow-up investigation amid triage efforts on the part of customer teams.


How Google Chronicle Can Help

This compromise also highlighted shortfalls in some technologies. Even if some technologies possessed the capability to detect its existence, they might have lacked the data retention to do so beyond more than a couple of months. For most organizations, initial compromise occurred in early spring – months before discovery by the security community.

In some cases, the data retention needed to determine the extent of post-compromise activity might simply be unavailable, severely hampering detection and efficient response. Furthermore, the time required to run a query over such a huge dataset is a real barrier to awareness. Some technologies might require multiple hours to query that much data, an unacceptable delay when time is of the essence.

The standard for many organizations is only three months of data retention. If applied to a historical forensic use case – one like searching for evidence of Sunburst – many technologies in their default configuration won’t provide security teams with the necessary value.

Google Chronicle addresses this comprehensively, giving security teams the ability to query a full year of data by default, and doing so with split-second responsiveness. Powered by Google Cloud, Chronicle queries hundreds of terabytes of data with ease, returning the information you need in seconds, not hours.
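The retention argument above can be made concrete with a small retrospective hunt. This is an added example, not Datashield's or Chronicle's code: the proxy log lines, the hostnames and the C2 domain are all constructed placeholders, and the discovery date is assumed to be mid-December 2020. The same IoC search is run with a 90-day window and a 365-day window, and only the longer one recovers the first beacon from the spring.

```python
"""Retrospective IoC hunt over constructed proxy logs (added example)."""
from datetime import datetime, timedelta

# Constructed sample: a year of egress proxy records from a few hosts.
# "c2.placeholder.example" stands in for a C2 domain; it is not a real IoC.
SAMPLE_LOGS = """\
2020-03-28T02:14:05Z srv-orion-01 GET c2.placeholder.example 200
2020-04-02T02:15:11Z srv-orion-01 GET updates.vendor.example 200
2020-06-17T03:09:44Z srv-orion-01 GET c2.placeholder.example 200
2020-11-20T01:55:02Z srv-orion-02 GET c2.placeholder.example 200
2020-12-10T04:20:19Z srv-orion-01 GET c2.placeholder.example 200
2020-12-11T09:00:00Z wks-finance-07 GET intranet.corp.example 200
"""

IOC_DOMAINS = {"c2.placeholder.example"}
DISCOVERED = datetime(2020, 12, 14)  # assumed day the campaign became public


def parse(lines):
    """Yield (timestamp, host, domain) for each non-empty log record."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, host, _method, domain, _status = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, domain


def hunt(lines, iocs, now, retention_days):
    """Return {host: first_seen ISO date} for IoC hits inside the window.

    Records older than `retention_days` are treated as already purged,
    which is all a SIEM with that window would still have on disk.
    """
    cutoff = now - timedelta(days=retention_days)
    first_seen = {}
    for ts, host, domain in parse(lines):
        if ts < cutoff or domain not in iocs:
            continue
        if host not in first_seen or ts < first_seen[host]:
            first_seen[host] = ts
    return {h: t.date().isoformat() for h, t in first_seen.items()}


if __name__ == "__main__":
    for days in (90, 365):
        print(f"{days}-day retention:", hunt(SAMPLE_LOGS, IOC_DOMAINS, DISCOVERED, days))
```

With a 90-day window the earliest hit on srv-orion-01 is 2020-12-10, which would wrongly date the compromise to December; the 365-day window shows the first beacon on 2020-03-28.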


Conclusion

Datashield understands the structure and scope of the Orion “SUNBURST” attack. Not only were we able to provide our customers with fast notification and response, but we were also able to scan their environments and provide quality customer service.

If your organization is looking to close security gaps and hire a managed security service provider with developed threat content teams, automated alerting, and top-notch customer service, contact us today for a consultation with one of our security engineers.

Datashield
Official Datashield account for blog content, news, announcements and more. The articles authored include a collaboration between internal staff, specifically the security operations and marketing team.
