With Sunday’s disclosure of the SolarWinds compromise, aka Sunburst, the extent of the compromise is still being evaluated. The first questions to ask are: “Is my organization at risk from the SolarWinds backdoor?” And: “Have I been compromised?”
To assist our customers in making this assessment, the Fidelis Threat Research Team has updated our threat feeds to be used for detection as well as countermeasures. We have done this for customers of our Network and Endpoint solutions. We made this available to our customers through proactive notification yesterday and have decided to share this information with the cybersecurity industry more broadly in this post. Our service bulletin, which documents what is available, is publicly available here.
The next important question to ask is “What can I do to address this type of compromise in the future?” In SolarWinds’ Security Advisory on this incident they recommend “analyzing stored network traffic for indications of compromise, including new external DNS domains.” Fidelis Cybersecurity’s threat intelligence update, coupled with the Fidelis Network Collector, automates that analysis: as new IOCs become available, they are matched retrospectively against stored logs to highlight any compromise that may already have occurred. Analysts can also refer to Fidelis anomalies and data analysis to uncover new and rare external sites, including DNS domains and URLs, going back in time for as long as data is stored on their Collector.
You will see in the document that we have updated IOCs for detection, YARA rules for countermeasures, the Snort rules that FireEye published for the community, and IOCs in our Network Collector to permit automated search on historical metadata to determine the length of compromise (if any).
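The retrospective analysis described above, in miniature, as an added example that is not Fidelis code: stored DNS metadata is swept against a later-published IOC list, each hit is bounded by its first and last sighting (the dwell time the stored data can show), and names queried only once are surfaced as the “new and rare” destinations an analyst would review. The log lines, the client addresses and the `ioc-placeholder.example` domain are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed DNS query log: "<ISO timestamp> <client> <queried name>".
DNS_LOG = """\
2020-03-02T09:12:44 10.1.4.20 updates.vendor.example
2020-03-02T09:15:01 10.1.4.20 cdn.corp-intranet.example
2020-03-26T03:41:12 10.1.4.20 a1b2c3d4.ioc-placeholder.example
2020-04-11T14:02:37 10.1.7.55 updates.vendor.example
2020-06-19T22:18:05 10.1.4.20 a1b2c3d4.ioc-placeholder.example
2020-09-30T11:00:00 10.1.9.12 rare-once.example
""".splitlines()
# Constructed IOC list standing in for a threat-feed update.
IOC_DOMAINS = {"ioc-placeholder.example"}


def parse(lines):
    """Yield (timestamp, client, normalised domain) for each log line."""
    for line in lines:
        ts, client, name = line.split()
        yield datetime.fromisoformat(ts), client, name.lower().rstrip(".")


def matches_ioc(name, iocs):
    """True if the queried name equals, or is a subdomain of, an IOC domain."""
    return any(name == d or name.endswith("." + d) for d in iocs)


def sweep(lines, iocs):
    """Sweep stored DNS metadata: IOC hits with first/last seen and clients,
    plus names queried exactly once (candidates for 'new and rare' review)."""
    hits, seen = {}, defaultdict(int)
    for ts, client, name in parse(lines):
        seen[name] += 1
        if matches_ioc(name, iocs):
            first, last, clients = hits.get(name, (ts, ts, set()))
            hits[name] = (min(first, ts), max(last, ts), clients | {client})
    rare = sorted(n for n, count in seen.items() if count == 1)
    return hits, rare


def dwell_days(hits):
    """Whole days between first and last sighting, per matched IOC domain."""
    return {n: (last - first).days for n, (first, last, _) in hits.items()}


if __name__ == "__main__":
    hits, rare = sweep(DNS_LOG, IOC_DOMAINS)
    print("IOC hits:", hits, "\nseen once:", rare, "\ndwell days:", dwell_days(hits))
```

Subdomain matching matters here because the IOC is the parent domain while the queried names carry per-host labels in front of it.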
We will continue to release more guidance to our customers as the event continues to unfold.
Please don’t hesitate to contact Fidelis or one of our partners if you need any assistance with your response to this incident.