Listed below is a summary version of our company quarterly report.

• DATASHIELD News and Updates
  • COVID-19 Update
  • Organizational Updates
• Key Articles from the Datashield Blog
• Upcoming Events
• Datashield Partner Update
  • Gartner Magic Quadrant and Forrester Wave
• Security Operations and Threat Intelligence Quarterly Update
  • MITRE ATT&CK Phases
  • Critical CVE’s
• DATASHIELD Threat Hunting Methodology
• Q3 2020 Threat Intelligence Update
  • COVID-19 Themed Activity
  • APTs:
• Q3 2020 Content Update
  • New Alerts and Updates
  • Recently Updated
  • Feeds
  • SNORT
• Appendix
  • Attack Phase Glossary
  • MITRE ATT&CK Matrix

DATASHIELD News and Updates

COVID-19 Update

We are continuing to follow guidance from the CDC, national and local governments. Keeping our customers and employees protected is our top priority. We continue to operate 100% remote with all employees working from home. To date, there have been no interruptions to our monitoring capabilities or service. We continue taking extra precautions to avoid disruptions to our business operations and remain confident in our teams and infrastructure.

Organizational Updates

Elijah Penney – Manager of R&D

We would like to congratulate Elijah on his promotion to Manager of R&D. He was previously entitled “Lead Developer”, but with Datashield putting a heavy emphasis on R&D in 2021 (and the growth of the team), a dedicated leader to orchestrate efforts and project-manage is extremely important.

In the past several months he has functioned as a lead (and prior), Elijah has shown great aptitude in translating requests from other departments and effectively communicating what needs to happen to his fellow developers. He has, in effect, already been managing through his ability to build a cohesive roadmap and collaborate in discussions about our technology strategy and direction.

This ability to communicate, combined with his enthusiasm for the work and a great vision for what his department can be, gives us the utmost confidence that Elijah and his team will do great things in 2021.

Key Articles from the Datashield Blog

2020 was a landmark year and the impact of a stay-at-home society created waves in the security industry. In case you missed it, read Dave Norlin's recap of the year and look towards 2021 along with supporting information regarding the recent supply chain attacks.

2021: The Year of Security Decisiveness
It’s hard to encapsulate just how stressful a year it’s been. Every day we hop back in the saddle, grinding through our calendars with machine-like proficiency, but if there is anything consistent to be gleaned from the new [...]
Read More...

The Case for Google Chronicle in a Supply Chain Attack
In light of the recent SolarWinds Orion “SUNBURST” Supply Chain attack, there is a strong use case for deploying Google Chronicle to protect your network and organization against a similar attack. Understanding the attack [...]
Read More...

Security Advisory - SolarWinds Orion "Sunburst"
On December 13th, 2020, SolarWinds released a statement along with FireEye about a current and ongoing supply chain compromise surrounding the SolarWinds Orion products. This impacts SolarWinds Orion software versions [...]
Read More...

Upcoming Events

We are excited to kick off 2021 with a series of virtual events. This includes traditional webinars but will also feature interactive opportunities to engage with our SOC, partners and more. Listed below are the current events we have planned but stay tuned to our Events & Webinars pages for more as they are scheduled.

January 28th 2021 – 11am MST
Event: State of Security with Live Q&A
Presenter: Dave Norlin (CISO at Datashield)
Host: Chris Vincent (Director of Demand at Datashield)
Details: Join Chris as he interviews Dave about the state of security in 2021. This event will also feature a live Q&A so bring your questions to ask a CISO anything and everything about cybersecurity.

February 25th 2021 – 11am MST
Workshop: How to Get a Job in IT
Panel: Mallory Phelps (Manager of Recruiting at HireRising & Dave Norlin (CISO at Datashield)
Host: Cassidy Trowbridge (Digital Marketing at Datashield)
Details: Watch our panel featuring both recruiters and hiring managers as they discuss the do’s and dont’s when applying and interviewing for a job in IT.

March 18th 2021 – TBD
Event: Supplier Showcase
Presenter: Featured Vendor TBD
Host: Mike Heller (Director of Product at Datashield)
Details: Join Mike as he features a Datashield product partner

April 15th 2021 – TBD
Event: Datashield Q1 Review
Presenter: Mike Heller (Director of Product) + Datashield Team
Host: Chris Vincent (Director of Demand at Datashield)
Details: Join the Datashield team as they review Q1 highlights.

*Specific dates and times subject to change; stay tuned to our Events page throughout 2021.

Datashield Partner Update

2020 was a fantastic year for Datashield as we expanded the value we bring to our customers by adding specific offerings in EDR, NDR, Email Security, Vulnerability Management, and Digital Risk Protection. We were busy! To accomplish this, we made strategic partnerships in these spaces while strengthening our existing relationships. Important to note is that we really looked to partner with leaders in their respective verticals and with companies that are on the leading edge of technology in the security space.

2021 looks to be just as exciting as we really focus on execution and delivery of these solutions through a consultative approach and best in class service.

Gartner Magic Quadrant and Forrester Wave

Security Operations and Threat Intelligence Quarterly Update

MITRE ATT&CK Phases

We have also continued to utilize and benefit from using the MITRE ATT&CK framework to identify where the threats are being detected in the environment.   The ATT&CK framework breaks attacks into twelve distinct attack phases. Although these may not always relate to one another directly, as not all attacks will unfold identically, they are useful in determining the level of advancement and progression during observation of malicious activity.

Critical CVE’s

One major aspect of security is filtering through all the noise and focusing on the threats that are going to be impactful to our customers. We keep a look out for major CVE’s that would have a wide range of impact for all our customers and notify our clients of the recently released CVE’s. We also create detections and alerts surrounding these new CVE’s to detect them when they are used to target your environment.

CVE-2020-14822

Oracle released a patch for the Oracle in October 2020 for a plethora of security patches. One of these patches targeted Oracles E-Buisness Suite APIs, CVE-2020-14822, which unpatched would allow unauthenticated attackers with network access to run commands on the impacted oracle devices. Datashield was able to create the necessary protections to detect this exploit and deploy it.

CVE-2020-16898 – “Bad Neighbor”

Microsoft released a security bulletin on 10/13/2020 affecting the Windows IPV6 stack, which allows attackers to send maliciously crafted packets to execute arbitrary code on a remote system. POC’s were created for the exploit, allowing our content team to replicate the attacker in our malware environment and create the necessary alerts to detect this vulnerability.

DATASHIELD Threat Hunting Methodology

Datashield performs threat hunting through both ShieldVision and the SIEM. Primarily, threat hunting focuses on activity types that are not well suited to normal alerting. Usually this encompasses such things as short-lived malware or exploit campaigns, unusual account or application anomalies, or other anomalous network traffic within an environment.

When an analyst performs threat hunting, they are effectively running a SIEM query. Sometimes, these queries can be complex but can still be entered through ShieldVision or entered as correlation logic in the SIEM. Queries that are well-suited to detecting lateral movement, account compromises, or suspicious network activity have been converted into automated ShieldVision alerts wherever possible.

It is for this reason that the SIEM correlation engine and our anomaly alerts in ShieldVision are so crucial to Datashield’s threat detection program. ShieldVision is able to take IoC’s, queries and correlation rules and automate that threat hunting. These are taken from years of actual hunting experience, and with those running on a constant automated cadence, analysts are freed to examine other threats that alerts would fail to capture.

Q4 2020 Threat Intelligence Update

COVID-19 Themed Activity

COVID-19 continues to be a problem reflected in phishing lures and other activity capitalizing on current events of interest. We have seen an increase in vaccine and wellness information lures masquerading as government entities, organizations such as WHO, and hospital personnel. Targeted phishing campaigns have also increased due to heightened interest of threat actors regarding research and development of vaccinations as well as other intellectual property. Cybercrime actors have also been active in exploiting the COVID-19 and vaccine themes.

Currently, the risk remains high even with implementation of additional mitigations as well as increased vigilance and monitoring. Datashield continues monitoring the situation while constantly searching and adding newly identified or developed malware utilizing Covid lures. Continued user education, phishing/attack exercises and in-depth analysis of events remains our path for dealing with existing and emerging threats and providing the highest quality of detections.

APTs:

Due to global geopolitical events, some of which reached the culmination within the past quarter, Advanced Persistent Threat actors have shown an increase in activity as well as the creation of new threat actor groups and collaborations. We continue monitoring and observing OSINT as well as other available avenues of intelligence to continue gathering indicators of compromise attributed to APT threats. We also pay special attention to the anomalous activity demonstrated by these APTs to build behavior-based detections off some of the most sophisticated attacks we see in the wild.

APT29, a Russian-backed threat group also known as Cozy Bear was tracked trying to steal information globally around the Covid-19 vaccine with their custom malware “WellMess” and “WellMail”. Lazarus, an infamous North Korean threat actor, was also observed attacking entities associated with research for the vaccine. In September we saw the US indict seven members of APT41 – a group thought to be backed by China. The group is responsible for hundreds of attacks against the US and other countries across the globe trying to steal intellectual property and for other financial gain. In late November and December, two Iranian state-sponsored groups, APT33 (Elfin, Refined Kitten) and APT34 (OilRig, Greenbug) are thought to have collaborated and launched Pay2Key Ransomware. They mainly target industrial and logistics companies in Isreal, but were also observed attacking supply chains. Kimsuky, an APT attributed to North Korean threat actors, was highlighted in October when CISA released a bulletin detailing their TTPs and recommending heightened awareness. They use common social engineering tactics, generally target South Korea, Japan, and the US and focus their efforts on foreign policy and national security issues.

RYUK:

In early November, the FBI, the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency (CISA) released an alert that warned that the healthcare industry was being targeted by UNC1878, the Russian cybercriminal actor responsible for large-scale ransomware attacks. This spawned a heavy investigation into RYUK ransomware, the various loaders used such as BazarLoader, Emotet, Trickbot, Buer, etc., and the tactics used by the threat actor to enumerate, gain persistence, and finally deploy.

Ransomware, overall, is difficult to detect once it gets to the deployment phase and even harder to isolate and stop due to rapid deployment across networks. Fortunately, in order for the ransomware to be successful for the attackers, there are many noticeable tactics they use to manipulate the environment into the most prime target before deployment. IOCs like domains and IPs are easy for attackers to change, so while they are still detection and investigation worthy, behavior-based detections don’t have the same expiration date. Some of the tactics used during the internal discovery phase are clear indicators something is amiss in the network. It’s important to have multiple detections across multiple phases of the attack because of constant visibility challenges. Email monitoring is important for the initial infection phase, network monitoring for the discovery and lateral movement phase, and endpoint monitoring for the actual deployment of ransomware,

Sunburst:

This quarter was brought to conclusion in crescendo with the revelation that FireEye had been breached by a supply-chain attack, several of their pen-testing toolkit stolen, and a recent Solarwinds update containing a malicious backdoor. Quickly dubbed Sunburst, the effects of the attack were devastating with an estimated 18,000 organizations impacted.

The attack was started when a file, SolarWinds.Orion.Core.BusinessLayer.dll, was inserted into the supply chain and then distributed as an update package. Once downloaded, the malware remained silent for almost two weeks before beginning to check out the network. After checking for analysis tools, test domains, and security software that might detect it, which phoned home to the threat actor. Generally, this is where the attack stopped for most affected organizations. If the organization was one of the threat actor’s targets, a payload named TEARDROP then delivered Cobalt Strike BEACON and the compromise was complete.

There are still new updates on this exploit and Datashield is continuing to monitor new developments and adjust our detections accordingly. The sophistication seen in this attack was certainly nation-state level and has challenged our content to rise to higher levels while inspiring new forms of anomalous detections and further research into supply-chain attacks.