Home Blog Updated details about the SolarWinds 'Sunburst' cyber attack Updated details about the SolarWinds ‘Sunburst’ cyber attack BlueVoyant Share: Facebook Twitter LinkedIn By Milan Patel In our previous blog post we provided an initial overview of what had happened with the global cyber attack named “Sunburst,” which was known to have impacted companies such as FireEye and SolarWinds as well as a number of U.S. government agencies. Since then, details have continued to emerge around both how the attack was executed as well as which companies and government entities were impacted. To no one’s surprise (but to everyone’s alarm), the blast radius of this attack is quite large. Experience tells us that the attack is not over and organizations need to take a number of steps to stay on top of the situation. As the methods used in the attack become more clear, many public and private organizations have started to provide specific guidance on how to detect, isolate and ultimately eliminate the malware used in the Sunburst attack from your networks. Our previous post provided the initial triage steps you should take as provided by our team of security experts, as well as those from FireEye and our partner Microsoft. The National Security Agency (NSA) of the United States has just published additional guidance for the technology practitioner community about dealing with the attack. In their Cybersecurity Advisory titledDetecting Abuse of Authentication Mechanisms, the NSA provides details about how cyber attackers “…are abusing trust in federated authentication environments to access protected data.” The advisory then pivots to a number of detailed activities that can be carried out using security tools from Microsoft. One of the foundational pillars of Microsoft’s approach to providing effective security across the identity/device/data layers of your technology estate is by implementing an architecture based on the concept of Zero Trust. The first step in implementing this architecture is to deploy conditional access across your infrastructure and applications. If you have not already done so, we strongly recommend that you deploy multi-factor authentication (MFA) technology across your entire technology footprint as soon as possible. To do this, we would advise you to enable Microsoft’s Azure Multi-Factor Authentication as a key step in preventing identity-based breaches. Doing so will help to defeat attacks designed to corrupt or hijack SAML tokens. BlueVoyant will continue to publish updates and guidance on our customer portal, blog and/or social media channels, as appropriate. We’re also standing by to help provide you with any assistance you may need in navigating this difficult situation, so please reach out to us at [email protected] whenever you are ready. Media & industry coverage US Department of Energy confirms it was hit by Sunburst hack Microsoft says it identified 40+ victims of the SolarWinds hack U.S. establishes Cyber Unified Coordination Group to respond to SolarWinds compromise Recent U.S. Government advisories U.S. Cybersecurity & Infrastructure Agency (CISA): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. NSA: “Detecting Abuse of Authentication Mechanisms” Joint statement from the FBI, CISA and the Office of the Director of National Intelligence (ODNI) Milan Patel is the Global Head of Managed Security Services at BlueVoyant. Prior to joining the company, he served as the CTO of the FBI’s Cyber Division and as a Special Agent focused on investigating cyber crimes. Share: Facebook Twitter LinkedIn Related reading Identifying Threats The Impossible Travel Alert: Friend or Foe? In the Azure Sentinel world, the “impossible travel” alerts are one of the detections received from Microsoft Cloud App Security – its native Sentinel… Read more Thought Leadership CMMC Security for All: A Holistic Approach This is the final blog in our series on CMMC. We began with an overview of CMMC, moved on to unpack Levels 1 & 2 plus the COTS exception, covered options… Read more Thought Leadership BlueVoyant Optimizes Customer Security with Microsoft Security Services This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA. Read more
BlueVoyant Share: Facebook Twitter LinkedIn By Milan Patel In our previous blog post we provided an initial overview of what had happened with the global cyber attack named “Sunburst,” which was known to have impacted companies such as FireEye and SolarWinds as well as a number of U.S. government agencies. Since then, details have continued to emerge around both how the attack was executed as well as which companies and government entities were impacted. To no one’s surprise (but to everyone’s alarm), the blast radius of this attack is quite large. Experience tells us that the attack is not over and organizations need to take a number of steps to stay on top of the situation. As the methods used in the attack become more clear, many public and private organizations have started to provide specific guidance on how to detect, isolate and ultimately eliminate the malware used in the Sunburst attack from your networks. Our previous post provided the initial triage steps you should take as provided by our team of security experts, as well as those from FireEye and our partner Microsoft. The National Security Agency (NSA) of the United States has just published additional guidance for the technology practitioner community about dealing with the attack. In their Cybersecurity Advisory titledDetecting Abuse of Authentication Mechanisms, the NSA provides details about how cyber attackers “…are abusing trust in federated authentication environments to access protected data.” The advisory then pivots to a number of detailed activities that can be carried out using security tools from Microsoft. One of the foundational pillars of Microsoft’s approach to providing effective security across the identity/device/data layers of your technology estate is by implementing an architecture based on the concept of Zero Trust. The first step in implementing this architecture is to deploy conditional access across your infrastructure and applications. If you have not already done so, we strongly recommend that you deploy multi-factor authentication (MFA) technology across your entire technology footprint as soon as possible. To do this, we would advise you to enable Microsoft’s Azure Multi-Factor Authentication as a key step in preventing identity-based breaches. Doing so will help to defeat attacks designed to corrupt or hijack SAML tokens. BlueVoyant will continue to publish updates and guidance on our customer portal, blog and/or social media channels, as appropriate. We’re also standing by to help provide you with any assistance you may need in navigating this difficult situation, so please reach out to us at [email protected] whenever you are ready. Media & industry coverage US Department of Energy confirms it was hit by Sunburst hack Microsoft says it identified 40+ victims of the SolarWinds hack U.S. establishes Cyber Unified Coordination Group to respond to SolarWinds compromise Recent U.S. Government advisories U.S. Cybersecurity & Infrastructure Agency (CISA): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. NSA: “Detecting Abuse of Authentication Mechanisms” Joint statement from the FBI, CISA and the Office of the Director of National Intelligence (ODNI) Milan Patel is the Global Head of Managed Security Services at BlueVoyant. Prior to joining the company, he served as the CTO of the FBI’s Cyber Division and as a Special Agent focused on investigating cyber crimes. Share: Facebook Twitter LinkedIn Related reading Identifying Threats The Impossible Travel Alert: Friend or Foe? In the Azure Sentinel world, the “impossible travel” alerts are one of the detections received from Microsoft Cloud App Security – its native Sentinel… Read more Thought Leadership CMMC Security for All: A Holistic Approach This is the final blog in our series on CMMC. We began with an overview of CMMC, moved on to unpack Levels 1 & 2 plus the COTS exception, covered options… Read more Thought Leadership BlueVoyant Optimizes Customer Security with Microsoft Security Services This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA. Read more
Identifying Threats The Impossible Travel Alert: Friend or Foe? In the Azure Sentinel world, the “impossible travel” alerts are one of the detections received from Microsoft Cloud App Security – its native Sentinel… Read more
Thought Leadership CMMC Security for All: A Holistic Approach This is the final blog in our series on CMMC. We began with an overview of CMMC, moved on to unpack Levels 1 & 2 plus the COTS exception, covered options… Read more
Thought Leadership BlueVoyant Optimizes Customer Security with Microsoft Security Services This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA. Read more
