Continuing my tracking of the SolarWinds trojan (SUNBURST), I came across an article about Microsoft’s response – “Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach”. Seemed a bit over the top to me until I looked up Death Star and found this: DEATH STAR OG – “Death Star OG indica dominant hybrid (80% indica/20% sativa). your mind soars higher and higher into space” – then the comparison made sense, especially after all the hype over the last week :).
So what did Microsoft actually do?
1. Removed the digital certificates that the Trojaned files used.
   - This ensures that Microsoft Windows will no longer trust the compromised files.
2. Updated Microsoft Windows Defender to detect and alert if the Trojaned file is found on the system.
3. Used the legal system to take control of the domain avsvmcloud[.]com (which served as the command and control (C&C) server for the malware) away from the attacker. This is known as creating a DNS sinkhole.
   - This disrupts the attacker’s C&C capabilities.
4. Changed Windows Defender’s default action for SUNBURST from “Alert” to “Quarantine”.
   - This is a relatively drastic action. The downside is that it could cause systems to crash or cause other operational issues. The upside is that it effectively ensures the malware is no longer a threat, even on systems where it already has a foothold.
These are all good, solid left-of-bang (reactive) mitigations. (1) and (2) are more or less standard responses; the novelty is the speed with which they were applied. (3) is an interesting mix of legal and technical activity to mitigate the threat. This is not unheard of: the response to TrickBot earlier this year was similar. (4) is unusual in that it is drastic and emphasizes security over operations, a very uncommon move. We’ll see if there is backlash.
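As an added illustration (not part of the original post, and not Microsoft’s tooling): once the C&C domain is sinkholed, any lookup of it from inside a network points at a host that still carries the implant, which is the detection side of mitigation (3). The script below scans resolver logs for the domain and its subdomains; the log line format and the sample lines are constructed assumptions, not a real product’s format.

```python
import re
from collections import defaultdict

# Sinkholed command-and-control domain named in the post (the defanged form written out).
SINKHOLED_DOMAIN = "avsvmcloud.com"

# Constructed sample resolver log (assumed format: "<timestamp> client=<ip> query=<name> type=<rrtype>").
SAMPLE_DNS_LOG = """\
2020-12-15T09:01:12Z client=10.0.4.21 query=www.example.org type=A
2020-12-15T09:02:40Z client=10.0.4.21 query=abc123.avsvmcloud.com type=A
2020-12-15T09:03:05Z client=10.0.7.88 query=avsvmcloud.com type=A
2020-12-15T09:03:50Z client=10.0.9.3 query=notavsvmcloud.com type=A
2020-12-15T09:04:10Z client=10.0.4.21 query=mail.example.org type=MX
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<name>\S+) type=(?P<rtype>\S+)$")


def is_sinkholed_name(name: str, domain: str = SINKHOLED_DOMAIN) -> bool:
    """True if name is the sinkholed domain or a subdomain of it.

    Label-aware: 'notavsvmcloud.com' must not match, while 'abc123.avsvmcloud.com.' (FQDN with
    trailing dot) must.
    """
    name = name.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def find_c2_lookups(log_text: str, domain: str = SINKHOLED_DOMAIN) -> dict:
    """Return {client_ip: [(timestamp, queried_name), ...]} for every lookup of the sinkholed domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        if is_sinkholed_name(m["name"], domain):
            hits[m["client"]].append((m["ts"], m["name"]))
    return dict(hits)


if __name__ == "__main__":
    for client, lookups in find_c2_lookups(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(lookups)} lookup(s) of {SINKHOLED_DOMAIN} -> host needs investigation")
        for ts, name in lookups:
            print(f"    {ts}  {name}")
```

Hosts that appear in the output are candidates for the quarantine step in (4) and for a forensic look at when the lookups began.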
Now the question is what companies can do to protect themselves against the next unexpected cyber attack. As we are seeing from this attack, left-of-bang (reactive) responses are often late, and painful. The best protection is to establish a purple team (either manual or automated). The purple team’s job is to create threat models rich enough to assess the risk associated with different types of cyber threats, to prioritize threats based on external information (i.e. threat-led analysis), and to account for internal, context-based analysis. Purple teams should map those threats onto actionable mitigations based on existing controls, or recommend additional controls as part of a continuous improvement process.
The SUNBURST trojan is a supply chain attack. Many companies, especially those whose primary security testing is penetration testing, would never even have assessed the danger of such an attack and were completely blindsided. That is the key differentiator between penetration testing and purple teaming. Purple teams take a holistic view of the organization’s cyber landscape (both internal and external), enabling them to create any type of attack scenario, analyze the associated risks, prioritize and optimize immediate tactical mitigations, and suggest strategic remediations based on the organization’s risk appetite.