In our previous blog post we provided an initial overview of what had happened with the global cyber attack named “Sunburst”, which was known to have impacted companies such as FireEye and SolarWinds as well as a number of US government agencies. Since then, details have continued to emerge around both how the attack was executed as well as which companies and government entities were impacted. To no one’s surprise (but to everyone’s alarm), the blast radius of this attack is quite large. Experience tells us that the attack is not over and organizations need to take a number of steps to stay on top of the situation.
As the methods used in the attack become clearer, many public and private organizations have started to provide specific guidance on how to detect, isolate and ultimately eliminate the malware used in the Sunburst attack from your networks. Our previous post provided the initial triage steps recommended by our team of security experts, as well as by FireEye and our partner Microsoft.
The National Security Agency (NSA) of the United States has just published additional guidance for the technology practitioner community about dealing with the attack. In their Cybersecurity Advisory titled “Detecting Abuse of Authentication Mechanisms”, the NSA provides details about how cyber attackers “...are abusing trust in federated authentication environments to access protected data.” The advisory then pivots to a number of detailed activities that can be carried out using security tools from Microsoft.
One of the foundational pillars of Microsoft’s approach to providing effective security across the identity/device/data layers of your technology estate is implementing an architecture based on the concept of Zero Trust. The first step in implementing this architecture is to deploy conditional access across your infrastructure and applications. If you have not already done so, we strongly recommend that you deploy multi-factor authentication (MFA) technology across your entire technology footprint as soon as possible. To do this, we would advise you to enable Microsoft’s Azure Multi-Factor Authentication as a key step in preventing identity-based breaches. Doing so will help to defeat attacks designed to corrupt or hijack SAML tokens.
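As an added illustration of the conditional access step described above (this is example code written for this post, not BlueVoyant’s or Microsoft’s own tooling), the following PowerShell creates an Azure AD Conditional Access policy that requires MFA for all users on all cloud apps through the Microsoft Graph API. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in administrator holds the Policy.ReadWrite.ConditionalAccess permission, and that the break-glass account object id is a placeholder you replace with your own emergency-access account.

```powershell
# Added example: create a Conditional Access policy requiring MFA for everyone.
# Assumptions: Microsoft.Graph SDK installed; caller has Policy.ReadWrite.ConditionalAccess;
# the object id below is a placeholder for your emergency-access (break-glass) account.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassObjectId = "00000000-0000-0000-0000-000000000000"  # placeholder, replace before use

$policy = @{
    displayName = "Require MFA for all users (all cloud apps)"
    # Start in report-only mode so the sign-in logs show who would be blocked
    # before the policy is enforced; switch to "enabled" once reviewed.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers = @("All")
            # Always exclude at least one emergency-access account so a
            # misconfigured policy cannot lock administrators out of the tenant.
            excludeUsers = @($breakGlassObjectId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @("mfa")
    }
}

# The hashtable is serialized to JSON and posted to the Conditional Access endpoint.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $policy

# Verify the policy exists and confirm its state.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Running the policy in report-only mode first lets you inspect the Azure AD sign-in logs for accounts and legacy clients that cannot satisfy MFA, fix those before enforcement, and then flip `state` to `enabled`.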
BlueVoyant will continue to publish updates and guidance on our customer portal, blog and/or social media channels, as appropriate. We’re also standing by to help provide you with any assistance you may need in navigating this difficult situation, so please reach out to us at email@example.com whenever you are ready.
Recent US Government advisories
US Cybersecurity and Infrastructure Security Agency (CISA): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
About the author: Milan Patel is the Global Head of Managed Security Services at BlueVoyant. Prior to joining the company, he served as the CTO of the FBI’s Cyber Division and as a Special Agent focused on investigating cyber crimes.