====== How to defend ourselves? ======

We can use the MITRE ATT&CK® framework to assess defensive capability across your security architecture. The MITRE ATT&CK® framework helps provide context to the Sunburst campaign. The following represent known tactics and techniques:

  * Query Registry [T1012]
  * Obfuscated Files or Information [T1027]
  * Obfuscated Files or Information: Steganography [T1027.003]
  * Process Discovery [T1057]
  * Indicator Removal on Host: File Deletion [T1070.004]
  * Application Layer Protocol: Web Protocols [T1071.001]
  * Application Layer Protocol: DNS [T1071.004]
  * File and Directory Discovery [T1083]
  * Ingress Tool Transfer [T1105]
  * Data Encoding: Standard Encoding [T1132.001]
  * Supply Chain Compromise: Compromise Software Dependencies and Development Tools [T1195.001]
  * Supply Chain Compromise: Compromise Software Supply Chain [T1195.002]
  * Software Discovery [T1518]
  * Software Discovery: Security Software Discovery [T1518.001]
  * Create or Modify System Process: Windows Service [T1543.003]
  * Subvert Trust Controls: Code Signing [T1553.002]
  * Dynamic Resolution: Domain Generation Algorithms [T1568.002]
  * System Services: Service Execution [T1569.002]
  * Compromise Infrastructure [T1584]

====== Mitigation steps ======

  * Implementing multi-factor authentication.
  * Monitoring all services for any changes in tokens or keys and for malicious activities.
  * Re-evaluating API key integrations, SAML integrations and website configuration files.
  * Reviewing all system and security policies.
  * Resetting user credentials.
  * Considering a security audit.
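As an added example (not code from the original page), a small Python check covering the DNS-related techniques listed above (Application Layer Protocol: DNS [T1071.004] and Dynamic Resolution: Domain Generation Algorithms [T1568.002]): it scans DNS query log lines for long, high-entropy leftmost labels and counts repeated hits per client. The log format, the thresholds, the sample lines and the domain names are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not real data): "<timestamp> <client> <qname>".
# The two 20-character labels under c2-placeholder.example stand in for
# DGA-style subdomains; static-assets-prod shows a long but legitimate label.
SAMPLE_DNS_LOG = """\
2020-12-14T10:00:01Z 10.0.0.5 www.example.com
2020-12-14T10:00:02Z 10.0.0.5 mail.example.com
2020-12-14T10:00:03Z 10.0.0.7 k3q9x7vmz2pd8wtbh4c0.c2-placeholder.example
2020-12-14T10:00:04Z 10.0.0.9 static-assets-prod.example.com
2020-12-14T10:00:05Z 10.0.0.7 r6jd2nb5ygw8q1zxm7tp.c2-placeholder.example
"""


def shannon_entropy(label):
    """Bits of entropy per character of a DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def leftmost_label(qname):
    """Return the first (leftmost) label of a query name, ignoring a trailing dot."""
    return qname.rstrip(".").split(".")[0]


def is_suspicious_label(label, min_len=16, min_entropy=3.5):
    """Heuristic: long AND high-entropy labels are typical of DGA/encoded data."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_suspicious_queries(log_text):
    """Return (client, qname) pairs whose leftmost label trips the heuristic."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip malformed lines instead of crashing
            continue
        _timestamp, client, qname = parts
        if is_suspicious_label(leftmost_label(qname)):
            hits.append((client, qname))
    return hits


def clients_with_repeated_hits(log_text, min_hits=2):
    """Clients with at least min_hits suspicious queries (beaconing-like behaviour)."""
    per_client = Counter(client for client, _ in find_suspicious_queries(log_text))
    return {c: n for c, n in per_client.items() if n >= min_hits}


if __name__ == "__main__":
    for client, qname in find_suspicious_queries(SAMPLE_DNS_LOG):
        print(f"suspicious DNS label from {client}: {qname}")
    print("repeat offenders:", clients_with_repeated_hits(SAMPLE_DNS_LOG))
```

Tune the length and entropy thresholds against your own resolver logs before alerting on this; treat it as a triage signal to be correlated with the other techniques above, not as proof of compromise.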
====== Links to get started ======

  * [[https://github.com/fireeye/sunburst_countermeasures|FireEye countermeasures]]
  * [[https://github.com/bambenek/research/blob/main/sunburst/uniq-hostnames.txt|Sunburst unique hostnames]]
  * [[https://blog.securityonion.net/2020/12/solarwinds-supply-chain-attack.html|Security Onion blog]]
  * [[https://www.solarwinds.com/securityadvisory|SolarWinds Security Advisory]]
  * [[https://socprime.com/blog/sunburst-backdoor-detection-solarwinds-supply-chain-attack-on-fireeye-and-us-agencies/|SOC Prime]]
  * [[https://www.compassitc.com/blog/solarwinds-sunburst-hack-and-you-thought-2020-couldnt-get-any-worse|Compass ITC]]