In light of the recent SolarWinds Orion “SUNBURST” Supply Chain attack, there is a strong use case for deploying Google Chronicle to protect your network and organization against a similar attack.

Understanding the Attack

Widely reported as a nation-state attack, the SolarWinds attack has affected the U.S. Treasury and Commerce departments, according to Reuters.

Discovered by FireEye, the campaign gained access to both public and private organizations through a trojanized update to SolarWind’s Orion IT monitoring software. The campaign is believed to have started as early as the spring of 2020 and is still ongoing. Post compromise activity has included lateral movement and data theft.

Sunburst compromised a legitimate install of SolarWinds Orion, implanting a backdoor that communicates via HTTP to external C2 servers. FireEye has tracked the trojan version of the plugin as “SUNBURST.”

Dormant for many months in some cases, the malware then hides as network traffic as the Orion Improvement Program (OIP) protocol, blending in as legitimate activity. Multiple trojanized updates were digitally signed from March-May 2020 and posted to the SolarWinds updates website.

How Datashield Can Help

In light of this event, Datashield worked night and day to scan and protect our own customers’ networks. Utilizing our skilled threat content development team and analysts, we were able to scan our clients’ environments and notify them of any occurrences utilizing our proprietary SHIELDVision orchestration and threat intelligence platform.

Not only were Datashield analysts able to identify instances of compromised SolarWinds dating back multiple months, but they were also able to then pivot on that information and provide precise recommendations and follow-up investigation amid triage efforts on the part of customer teams.

How Google Chronicle Can Help

This compromise also highlighted shortfalls in some technologies. Even if some technologies possessed the capability to detect its existence, they might have lacked the data retention to do so beyond more than a couple of months. For most organizations, initial compromise occurred in early spring – months before discovery by the security community.

In some cases, data retention might be unavailable to determine the extent of post-compromise activity, severely hampering detection, and efficient response activities. Furthermore, the time required to perform a query over such a huge dataset is a real barrier to awareness. Some technologies might require multiple hours to query such vast data, an unacceptable delay when time is of the essence.  

The standard for many organizations is only three months of data retention. If applied to a historical forensic use case – one like searching for evidence of Sunburst – many technologies in their default configuration won’t provide security teams with the necessary value.

Google Chronicle addresses this comprehensively, providing security teams with the ability to to query a full year of data by default and doing so with blazing-fast, split-second responsiveness. Powered by the Google Cloud, Chronicle queries through hundreds of terabytes of data with ease, giving you the information you need in seconds, not hours.

Conclusion

Datashield understands the Orion “SUNBURST” attack structure and scope. Not only were we able to provide our customers with a fast notification and response, but scan their environments and provide quality customer service.

If your organization is looking to close security gaps and hire a managed security service provider with developed threat content teams, automated alerting, and top-notch customer service, contact us today for a consultation with one of our security engineers.