FireEye released a great blog post about the SolarWinds supply chain attack:
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
They also published some countermeasures:
https://github.com/fireeye/sunburst_countermeasures
The countermeasures include NIDS rules, network based indicators, file hashes, and yara rules. Each of these is broken out into a separate section below, and each section includes a very quick high-level overview of how you might use those indicators in your Security Onion 16.04 or Security Onion 2.3 deployment.
NIDS Rules
https://github.com/fireeye/sunburst_countermeasures/blob/main/all-snort.rules
This file contains NIDS rules. If you are currently running the Emerging Threats (ET) ruleset, note that these NIDS rules will likely be merged into the ET ruleset soon. You might want to go ahead and add them manually for immediate coverage. If and when they are added to ET, you may then want to remove your local additions so the rules are not duplicated.
UPDATE 2020-12-14 2:38 PM Eastern
The ET ruleset now includes these rules, so ET ruleset users should get these automatically as part of their normal daily download:
http://lists.emergingthreats.net/pipermail/emerging-updates/2020-December/004981.html
Security Onion 16.04
Security Onion 2.3
Network Based Indicators
This file contains domain names and IP addresses.
Security Onion 16.04
- You might want to retroactively search for these domain names and IP addresses using Kibana.
- You might want to add them to Zeek Intel:
https://docs.securityonion.net/en/16.04/zeek.html#intel
Security Onion 2.3
- You might want to retroactively search for these domain names and IP addresses using Hunt or Kibana.
- You might want to add them to Zeek Intel:
https://docs.securityonion.net/en/2.3/zeek.html#intel
File Hashes
This file contains file hashes.
Security Onion 16.04
- You might want to retroactively search for these file hashes using Kibana.
- You might want to add them to Zeek Intel:
https://docs.securityonion.net/en/16.04/zeek.html#intel
Security Onion 2.3
- You might want to retroactively search for these file hashes using Hunt or Kibana.
- You might want to add them to Zeek Intel:
https://docs.securityonion.net/en/2.3/zeek.html#intel
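Both the Network Based Indicators and File Hashes sections suggest adding the indicators to Zeek Intel. The following is an added example (not part of the original post or of the FireEye repository) that converts a plain list of indicators into the tab-separated format the Zeek Intel framework loads; the indicator values, the meta.source name and the meta.desc text are constructed placeholders, and the meta.do_notice column only has an effect if the Zeek do_notice intel policy is loaded (Security Onion's docs linked above describe where the intel file lives).

```python
import ipaddress
import re

# Constructed sample indicators standing in for a downloaded list
# (placeholders, NOT the real SUNBURST indicators).
SAMPLE_INDICATORS = [
    "evil-update.example.invalid",
    "203.0.113.10",
    "D41D8CD98F00B204E9800998ECF8427E",   # md5-length hex
    "   ",                                 # blank line, skipped
    "# comment line in the source file",  # comment, skipped
    "2001:db8::1",
]

# md5 / sha1 / sha256 hex digests
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
# conservative hostname check: labels separated by dots, alnum/dash/underscore
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-zA-Z0-9_-]{1,63}\.)+[a-zA-Z0-9-]{2,63}$")


def classify(indicator):
    """Return the Zeek Intel::Type for an indicator, or None if unrecognized."""
    try:
        ipaddress.ip_address(indicator)      # accepts IPv4 and IPv6
        return "Intel::ADDR"
    except ValueError:
        pass
    if HASH_RE.match(indicator):
        return "Intel::FILE_HASH"
    if DOMAIN_RE.match(indicator):
        return "Intel::DOMAIN"
    return None


def to_zeek_intel(lines, source, desc):
    """Build the body of a Zeek intel file: a #fields header plus one
    TAB-separated row per recognized indicator; blanks/comments are skipped."""
    header = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice"
    rows = [header]
    for raw in lines:
        ind = raw.strip()
        if not ind or ind.startswith("#"):
            continue
        kind = classify(ind)
        if kind is None:
            continue                          # leave unknown formats out rather than guess
        if kind == "Intel::FILE_HASH":
            ind = ind.lower()                 # Zeek's files.log hashes are lowercase hex
        rows.append("\t".join([ind, kind, source, desc, "T"]))
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    print(to_zeek_intel(SAMPLE_INDICATORS, "fireeye-sunburst", "SUNBURST countermeasures"), end="")
```

Intel::FILE_HASH entries only match if Zeek is computing file hashes (its files.log md5/sha1/sha256 fields), so check that hashing is enabled before relying on them.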
Yara Rules
- These yara rules have already been added to Florian Roth's signature-base GitHub repo as apt_solarwinds_sunburst.yar, so assuming your Security Onion 2.3 deployment has Internet access, it should have already downloaded apt_solarwinds_sunburst.yar as part of the normal daily download.
- Going forward, Strelka should scan any newly extracted files using these yara rules.
- You might want to retroactively scan previously extracted files by copying them to /nsm/strelka/ on a sensor.