How to defend ourselves?
We can use the MITRE ATT&CK framework to assess defensive capability across our security architecture.
The MITRE ATT&CK® framework helps provide context to the Sunburst campaign. The following represent known tactics and techniques:
- Query Registry [T1012]
- Obfuscated Files or Information 
- Obfuscated Files or Information: Steganography [T1027.003]
- Process Discovery [T1057]
- Indicator Removal on Host: File Deletion [T1070.004]
- Application Layer Protocol: Web Protocols [T1071.001]
- Application Layer Protocol: DNS [T1071.004]
- File and Directory Discovery [T1083]
- Ingress Tool Transfer [T1105]
- Data Encoding: Standard Encoding [T1132.001]
- Supply Chain Compromise: Compromise Software Dependencies and Development Tools [T1195.001]
- Supply Chain Compromise: Compromise Software Supply Chain [T1195.002]
- Software Discovery [T1518]
- Software Discovery: Security Software Discovery [T1518.001]
- Create or Modify System Process: Windows Service [T1543.003]
- Subvert Trust Controls: Code Signing [T1553.002]
- Dynamic Resolution: Domain Generation Algorithms [T1568.002]
- System Services: Service Execution [T1569.002]
- Compromise Infrastructure [T1584]
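Two of the techniques listed above, Application Layer Protocol: DNS [T1071.004] and Dynamic Resolution: Domain Generation Algorithms [T1568.002], leave traces in resolver logs that a defender can hunt for. The Python script below is an added example, not code from the original page: it parses constructed sample DNS log lines (the log format, hostnames, client addresses and thresholds are all assumptions) and flags queries whose leftmost label is long and high-entropy, then reports clients that issue such queries repeatedly and parent domains that receive many distinct generated subdomains.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not real traffic): "<timestamp> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = """\
2021-01-10T12:00:01Z 10.0.0.15 www.example.com
2021-01-10T12:00:02Z 10.0.0.15 cdn.example.com
2021-01-10T12:00:05Z 10.0.0.23 k2p8q7n1x4v9m3r6z0t5c8b7.appsync-api.example.net
2021-01-10T12:00:09Z 10.0.0.23 l1m4n7b0v3c6x9z2q5w8e1r4.appsync-api.example.net
2021-01-10T12:00:12Z 10.0.0.23 g6h2j9k4l1z8x5c3v0b7n4m2.appsync-api.example.net
2021-01-10T12:00:20Z 10.0.0.31 mail.example.org
"""

# Tunable thresholds (assumed starting points, not values from the original page)
MIN_LABEL_LEN = 16      # legitimate hostnames rarely have a leftmost label this long
MIN_ENTROPY = 3.5       # bits per character; machine-generated labels score high
REPEAT_THRESHOLD = 3    # hits per client / distinct labels per parent before alerting


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol strings."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def parse_dns_log(log_text: str):
    """Parse the constructed log format into (timestamp, client, qname) tuples; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        timestamp, client, qname = parts
        records.append((timestamp, client, qname.rstrip(".").lower()))
    return records


def is_dga_like_label(label: str, min_len=MIN_LABEL_LEN, min_entropy=MIN_ENTROPY) -> bool:
    """A label is suspicious when it is both long and high-entropy, i.e. looks algorithmically generated."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_dga_like_queries(records, min_len=MIN_LABEL_LEN, min_entropy=MIN_ENTROPY):
    """Return the records whose leftmost DNS label looks algorithmically generated."""
    return [
        (ts, client, qname)
        for ts, client, qname in records
        if is_dga_like_label(qname.split(".")[0], min_len, min_entropy)
    ]


def clients_with_repeated_hits(hits, threshold=REPEAT_THRESHOLD):
    """Clients issuing at least `threshold` suspicious queries: repeated beaconing is a stronger signal than one odd lookup."""
    per_client = Counter(client for _, client, _ in hits)
    return {client for client, count in per_client.items() if count >= threshold}


def parents_with_many_unique_labels(hits, threshold=REPEAT_THRESHOLD):
    """Parent domains receiving many distinct generated subdomains, the shape of DGA or DNS-tunnel traffic."""
    labels_per_parent = defaultdict(set)
    for _, _, qname in hits:
        first, _, parent = qname.partition(".")
        if parent:
            labels_per_parent[parent].add(first)
    return {parent for parent, labels in labels_per_parent.items() if len(labels) >= threshold}


if __name__ == "__main__":
    records = parse_dns_log(SAMPLE_DNS_LOG)
    hits = find_dga_like_queries(records)
    for ts, client, qname in hits:
        label = qname.split(".")[0]
        print(f"{ts} {client} suspicious query: {qname} (entropy {shannon_entropy(label):.2f})")
    print("clients with repeated hits:", sorted(clients_with_repeated_hits(hits)))
    print("parent domains with many generated labels:", sorted(parents_with_many_unique_labels(hits)))
```

Entropy and length alone produce false positives (CDN hostnames and cloud service endpoints often carry long hashed labels), so the per-client and per-parent-domain aggregation is what turns single hits into something worth an alert; the thresholds should be tuned against a baseline of the organisation's own resolver traffic before the check is used for detection.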
Recommended defensive measures:
- Implement multi-factor authentication.
- Monitor all services for any changes in tokens or keys and for malicious activity.
- Re-evaluate API key integrations, SAML integrations and website configuration files.
- Review all system and security policies.
- Reset user credentials.
- Consider a security audit.
Links to get started
wiki/start.txt · Last modified: 2021/01/10 12:21 by dk