BlackBerry ThreatVector Blog

SUNBURST: Continuous Cleanup and a Way Forward

CORPORATE / 01.04.21 / Tony Lee

Reflection

As we take stock of a very strange 2020, we now add to the stack the lessons learned from the wide-reaching SolarWinds supply chain attack. As one can imagine, the detection and cleanup effort for an incident of this magnitude (affecting 18,000 organizations or more) will extend well into 2021. Many organizations are still investigating the full extent of their exposure while remaining in a state of constant vigilance and doubt.

The stealth and sophistication of this attack were the main reasons for its delayed discovery. This extended period of potential compromise has forced some organizations to thaw archived logs and search through them for indicators of compromise – assuming those logs still exist. This activity will hopefully be combined with the other proactive activities outlined below. The remaining unwitting victims not performing any of these activities will eventually surface and, like others before them, will assess the damage and possibly make a public announcement. Although SUNBURST entered our lives quickly and brightly, its effects will linger and take quite some time to fade completely.

Going Forward

No one should be surprised to see more breach notifications as a result of this supply chain attack and others yet to be discovered. Frustration will be felt by many – including victims of the victims – and this frustration will hopefully be appropriately directed at finding a solution to these constant attacks. Even if we see legislative action arise from this event, it will not deter all threat actors. After all, this is big business that continues to pay handsomely in both money and intelligence.

In addition to legislation, investing in layers of effective products will mitigate cyber risks. While this is also a step in the right direction, products are only as good as those caring for them, heeding their alarms, and taking necessary action. As we will see with future public disclosures, products alone are not the solution – especially when dealing with sophisticated and stealthy attacks such as supply chain compromise.

Our efforts going forward should be centered on continuous prevention and detection. As easy as that sounds, it means sufficient monitoring can no longer be considered 9-5 in a time zone of your choosing – it must be 24x7x365. Threat actors are globally distributed and do not rest, so neither should our defenses. Additionally, we must continuously apply threat intelligence to our data and proactively hunt within our environments. If your organization is not watching and hunting around the clock, enlist the help of others who can provide this necessary augmentation of your security workforce. The final step must include artificial intelligence (AI)-enabled adaptive endpoint security through continuous validation in a zero trust environment. If a threat actor gains entry to your network, possibly via tainted software, their presence should not remain hidden and their movement should not be made easy.
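The two defensive activities named above, thawing archived logs to search them for indicators of compromise and applying threat intelligence to existing data, come down to the same mechanic: parse whatever log history survives, match it against an indicator list, and, just as importantly, notice where the history has holes. The script below is an added example written for this post; it is not BlackBerry code and it contains no real SUNBURST indicators. The log format, hostnames, domains and hash are all constructed placeholders, and the coverage-gap check treats a silent stretch of time as a finding rather than as evidence of a clean environment.

```python
"""Sweep archived logs against an indicator list and report coverage gaps.

Added example for this post, not BlackBerry's code. Every indicator, host
name and log line here is a constructed placeholder, not a real SUNBURST IoC.
"""
import re
from datetime import datetime, timedelta

# Constructed indicator set (placeholders). A real sweep would load these
# from a threat-intelligence feed rather than hard-coding them.
IOC_DOMAINS = {"update-placeholder.example", "beacon-placeholder.example"}
IOC_SHA256 = {"a" * 64}  # placeholder hash, not a real sample

# Constructed sample lines in a flat "<ISO timestamp> <host> <event> <detail>"
# format, including one damaged line and a six-week hole in the history.
SAMPLE_LOGS = "\n".join([
    "2020-03-02T10:00:00 srv-01 dns query=time.windows.com",
    "2020-03-02T10:05:00 srv-01 dns query=update-placeholder.example",
    "2020-03-02T10:06:00 srv-02 file sha256=" + "a" * 64 + " path=C:\\Temp\\x.dll",
    "2020-03-02T10:07:00 srv-02 dns query=example.org",
    "garbage line that does not parse",
    "2020-04-15T09:00:00 srv-01 dns query=beacon-placeholder.example",
])

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<event>\w+) (?P<detail>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_logs(text):
    """Parse lines into dicts; unparsable lines are skipped, not fatal,
    because thawed archives are frequently partly damaged."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": datetime.fromisoformat(m["ts"]),
               "host": m["host"], "event": m["event"]}
        rec.update(dict(KV_RE.findall(m["detail"])))
        records.append(rec)
    return records


def match_iocs(records, domains=IOC_DOMAINS, hashes=IOC_SHA256):
    """Return (timestamp, host, indicator_type, value) for every IoC hit."""
    hits = []
    for rec in records:
        if rec["event"] == "dns" and rec.get("query", "").lower() in domains:
            hits.append((rec["ts"], rec["host"], "domain", rec["query"]))
        elif rec["event"] == "file" and rec.get("sha256", "").lower() in hashes:
            hits.append((rec["ts"], rec["host"], "sha256", rec["sha256"]))
    return hits


def coverage_gaps(records, max_gap=timedelta(days=1)):
    """Return (start, end) pairs where no log at all exists for longer than
    max_gap. 'No hits' in such a window means 'no data', not 'no compromise'."""
    times = sorted(r["ts"] for r in records)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for hit in match_iocs(recs):
        print("HIT ", *hit)
    for start, end in coverage_gaps(recs):
        print("GAP  no logs between", start, "and", end)
```

Run on the constructed lines it reports three hits (two placeholder domains and the placeholder hash) and one gap, from 2 March to 15 April, which is exactly the kind of window an analyst must escalate as unknown rather than tick off as clean.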

Closing thoughts: Continued defensive improvement and vigilance are a must, not only for detecting any lingering effects of the SUNBURST malware, but also for detecting the next major attack since this will surely not be the last.

For details regarding BlackBerry’s response to the SolarWinds attack, please continue to check our BlackBerry Perspective post found here.

Tony Lee

About Tony Lee

Vice President, Global Services Technical Operations, BlackBerry

Tony Lee has more than fifteen years of professional research and consulting experience pursuing his passion in all areas of information security.

As an avid educator, Tony has instructed thousands of students at many venues worldwide, including government, universities, corporations, and conferences such as Black Hat. He takes every opportunity to share knowledge as a contributing author to Hacking Exposed 7, and is also a frequent blogger, researcher, and author of white papers on topics ranging from Citrix security to the China Chopper Web shell and Cisco's SYNful Knock router implant.

Over the years, he has contributed many tools to the security community, such as UnBup, the Forensic Investigator Splunk app, and CyBot, the extensible threat intelligence bot framework designed for anyone from a home user to a SOC analyst.