Cyware's SOAR Response Workflow for SUNBURST Attack
Cyware Fusion and Threat Response (CFTR) • Jan 4, 2021
Over the last several days, the backdoor tracked under several names, including Solorigate and SUNBURST, has been used in a widespread campaign attributed to the threat actor FireEye tracks as UNC2452. The malware was delivered through a supply chain attack (a trojanized SolarWinds Orion update) that reached a large number of organizations. Every SOC team therefore needs to check for signs of this malware in its environment and put preventive and mitigating controls in place.
The following workflow, built by Cyware as an automated playbook on the Cyware Security Orchestration Layer (CSOL), supports analysts in detecting, preventing, and responding faster to the threat.
The playbook integrates with the following categories of tools to perform actions such as blocking IOCs and creating tickets in the ITSM system:
EDR
SIEM
ITSM
Firewall
Proxy
Antivirus
Enrichment Tools
Vulnerability Management Solution
Detailed Workflow
Cyware's Threat Intelligence eXchange platform (CTIX) acts as the source of information for this workflow. It collects threat data from structured and unstructured sources such as FireEye threat feeds and reports published by agencies around the world.
The collected data is categorized and stored separately as Indicators of Compromise (IOCs), Vulnerabilities, and other STIX Domain Objects (SDOs). Threat data related to SUNBURST is then passed to CSOL for action.
The Playbook Performs the Following Tasks:
Containment
Quarantine compromised assets through the available endpoint control (AV/EDR).
Kill malicious process(es) running on the compromised endpoints (EDR)
Enrichment
Enrich unknown file hashes that EDR telemetry shows associated with, or connecting to, known IOCs/IOAs.
Mitigation
Add identified IOCs/IOAs to the SIEM reference list for future detections.
Block each indicator on the control that matches its type: domains and URLs on the proxy, IP addresses on the firewall, file hashes on AV/EDR, and so on.
Add any newly identified indicators to CTIX/TIP.
Deploy the published signatures on the controls that consume them: YARA rules on endpoint and file-scanning tools, and network signatures (for example, Snort rules) on IDS/IPS devices.
Response and Remediation
Run a malware hunt in the EDR to identify compromised assets.
Run a search query in the SIEM for other log traces of compromise.
Take a snapshot/memory dump of the endpoint (capture it before processes are killed or the host is re-imaged, since those steps destroy volatile evidence).
Create incidents/requests for compromised assets for Digital Forensics and Incident Response.
Notify the appropriate stakeholders with incident details and suggested actions via the Cyware Situational Awareness Platform (CSAP) and/or email.
Search for assets carrying the identified vulnerabilities using the Vulnerability Management System (VMS).
Create priority patching requests for those assets (VMS).
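The mitigation steps above route each indicator to a different control depending on its type. The Python below is an added example, not Cyware's playbook code, showing one way to implement that routing stage: it refangs feed values, classifies each one, drops duplicates, holds internal addresses for analyst review instead of pushing them to the firewall, builds the SIEM reference list, and separates indicators already known to the TIP from new ones. The control labels (firewall, proxy, av_edr) are hypothetical, and every indicator value is a constructed placeholder (RFC 5737 address, example.* names, dummy hashes), not a real SUNBURST IOC.

```python
"""Indicator routing for a blocking playbook (added example, not Cyware's code)."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicator type -> control that blocks it. Control labels are hypothetical.
ROUTES = {
    "ipv4": "firewall", "ipv6": "firewall",
    "domain": "proxy", "url": "proxy",
    "md5": "av_edr", "sha1": "av_edr", "sha256": "av_edr",
}
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)
# Ranges a playbook must never push to a perimeter block list on its own:
# one bad feed entry here would cut off internal traffic. Extend with your own
# public ranges. (ipaddress.is_private is not used because it also covers the
# RFC 5737 documentation range used for the sample below.)
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def refang(raw):
    """Undo common feed defanging (hxxp://, [.], [:]) so the value can be parsed."""
    v = re.sub(r"^hxxp", "http", raw.strip(), flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(value):
    """Return the indicator type ('ipv4', 'domain', 'sha256', ...) or None if unrecognised."""
    low = value.lower()
    if len(low) in HEX_LENGTHS and re.fullmatch(r"[0-9a-f]+", low):
        return HEX_LENGTHS[len(low)]
    try:
        return "ipv4" if ipaddress.ip_address(low).version == 4 else "ipv6"
    except ValueError:
        pass
    if "://" in low:
        parsed = urlparse(value)
        return "url" if parsed.scheme.lower() in ("http", "https") and parsed.netloc else None
    return "domain" if DOMAIN_RE.match(low) else None


def build_actions(feed, known_in_tip):
    """Turn a raw indicator list into per-control actions.

    block          -> {control: [(type, value), ...]} to push to each control
    siem_reference -> entries for the SIEM reference list
    new_for_tip    -> indicators not yet present in the TIP
    review         -> internal addresses held for an analyst, not blocked
    unclassified   -> raw values that parsed as nothing usable
    """
    plan = {"block": defaultdict(list), "siem_reference": [], "new_for_tip": [],
            "review": [], "unclassified": []}
    seen = set()
    for raw in feed:
        value = refang(raw)
        kind = classify(value)
        if kind is None:
            plan["unclassified"].append(raw)
            continue
        if kind != "url":
            value = value.lower()  # hosts and hashes are case-insensitive; URL paths are not
        if value in seen:
            continue               # drop duplicates within the feed
        seen.add(value)
        if kind in ("ipv4", "ipv6") and any(ipaddress.ip_address(value) in n for n in NEVER_BLOCK):
            plan["review"].append((kind, value))
            continue
        plan["block"][ROUTES[kind]].append((kind, value))
        plan["siem_reference"].append((kind, value))
        if value not in known_in_tip:
            plan["new_for_tip"].append((kind, value))
    plan["block"] = dict(plan["block"])
    return plan


# Constructed sample feed: RFC 5737 address, example.* names, dummy hashes. Not real IOCs.
SAMPLE_FEED = [
    "hxxp://malicious.example[.]net/cdn/Stats",
    "C2.example[.]com",
    "203.0.113.45",
    "10.0.0.5",                              # internal: must be reviewed, not blocked
    "0123456789ABCDEF0123456789abcdef",      # dummy MD5
    "ab" * 32,                               # dummy SHA-256
    "203.0.113.45",                          # duplicate
    "not an indicator!!!",
]

if __name__ == "__main__":
    result = build_actions(SAMPLE_FEED, known_in_tip={"c2.example.com"})
    for control, entries in result["block"].items():
        print(control, entries)
    print("review:", result["review"])
    print("new for TIP:", result["new_for_tip"])
    print("unclassified:", result["unclassified"])
```

In a real playbook each entry in `block` becomes one API call per control, and `review` and `unclassified` should raise a task for an analyst rather than being silently dropped, since a feed line the classifier cannot parse may still be a valid indicator in a format this example does not handle.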
Please refer to our GitHub repo for centralized tracking of all action items for defenders.