We use cookies to improve your experience. Do you accept?

Skip to main content

Cyware's SOAR Response Workflow for SUNBURST Attack

Cyware's SOAR Response Workflow for SUNBURST Attack - Featured Image

Cyware Fusion and Threat Response (CFTR) Jan 4, 2021

Over the last several days, the malware tracked by several names including Solorigate and SUNBURST is being used in a widespread campaign termed UNC2452. The campaign is believed to have launched supply chain attacks against a large number of organizations. This has necessitated every SOC team in the world to detect any signs of this malware being present in their systems and implement preventive and mitigation measures.

Following is a workflow, created by Cyware, implemented as Automated Playbook on the Cyware Security Orchestration Layer (CSOL) to supplement analysts in detecting, preventing, and reacting faster to the looming threat.

The playbook integrates with the following (category of) tools to perform various actions like blocking of IOCs, creation of support tickets on ITSM.

Detailed Workflow

Cyware’s Threat Intelligence eXchange platform (CTIX) acts as the source of information for this workflow. It collects threat data coming in from various structured and unstructured sources such as FireEye Threat Feeds, reports published by different agencies across the world, and others.

These threat feeds are then categorized and stored separately as Indicators of Compromise (IOCs), Vulnerabilities, and other SDOs. This threat data, if related to SUNBURST malware, is passed on to CSOL for actioning.

The Playbook Performs the Following Tasks:

Containment

  • Quarantine compromised assets through possible solutions (AV/EDR)

  • Kill malicious process(es) running on the compromised endpoints (EDR)

Enrichment

  • Enrich unknown hashes found through EDR associated/connecting with known IOCs/IOAs

Mitigation

  • Add identified IOCs/IOAs to the SIEM Reference list for future detections.

  • Block the indicators on the respective solution(s) as per the type of the indicator i.e. Domain/URL on Proxy, IP on Firewall, hashes on AV/EDR, and others.

  • Add any newly identified indicators to CTIX/TIP

  • Deploy the Yara signatures on IPS/IDS devices.

Response and Remediation

  • Run a malware hunt on EDR technology to identify compromised assets.

  • Run a search query on SIEM for other log traces of compromise.

  • Take a snapshot/memory dump of the endpoint.

  • Create Incidents/Requests for compromised assets for Digital Forensics and Incident Response.

  • Notify appropriate stakeholders with Incident details and suggested actions via CSAP and/or Email.

  • Search assets with identified Vulnerabilities using Vulnerability Management System (VMS).

  • Create priority patching requests for assets with identified Vulnerability (VMS).

Please refer to our Github Repo for the centralized tracking of all action items for defenders.

Related Blogs