Presentation slides from the SolarWinds SANS Lightning Summit can be found here.
This Q&A was taken from the SANS Lightning Summit on February 4, 2021. You can view the full presentation here:
You can view Jake Williams' webcast on SolarWinds, conducted on December 14, 2020, here:
As a primer on the SolarWinds Supply-Chain Attack you can read the blog based on Jake's December 14 presentation here.
Below is a recap of the Q&A from the chat during the live event.
Question: Is it "fair" to make statements like "Solorigate and SolarStorm are the same thing" or "SUNSPOT, SUNBURST and TEARDROP are the same thing" aside from who came up with the name, OR are there fundamental differences that mean I should avoid that generalization? I have trodden very lightly when making these claims, but at the same time, I like to simplify as much as possible for some of my colleagues and try to eliminate confusion. Any guidance would be great, and sorry for this being so long-winded.
Katie Nickels: I’d recommend saying there are “overlaps”, but not that they are “the same.” I might say something like “Solorigate is a name used by Microsoft and SolarStorm is used by Palo Alto, and they both overlap in including the compromise of SolarWinds.” I’d recommend being as specific as you can be. When communicating, try to be clear about what you’re talking about… are you really talking about TTPs used during the SolarWinds compromise itself? Are you talking about Dark Halo TTPs or SUNSPOT TTPs? It can be tough because many people are thinking of this as “all the same”, so you’ll have to help your consumers understand it’s not quite “the same”. CTI analysts often have the challenge of educating consumers. :) I talk more about group naming in this webcast in case it’s helpful: https://www.youtube.com/watch?v=ff1yhdIx0yY
Question: How can SBOMs help in preventing supply chain attacks, and how effective can they be? Is it something that could really happen, especially in an Open Source Software supply chain scenario? Should we really pretend that developers stick to these rules as an additional step in the development process?
Mark Bristow: Thank you for the question, this is an important one. I think Software Bill of Materials (SBOMs) can go a long way to increasing transparency and security of software. An SBOM would have absolutely helped in this case; however, it likely would not have completely eliminated the supply chain issue. As the adversary was able to implant SUNSPOT during the build process, it would likely have also been included in the SBOM manifest in addition to being signed by the code signing key.
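To make Mark's point concrete, here is an added example in Python (not from the summit or any of the speakers): a toy build with a constructed build-time modification step, showing that an SBOM generated from the build output records the modified artifact with a perfectly matching hash, so only a comparison against hashes from an independent clean build (assumed here, standing in for a reproducible rebuild) surfaces the change. All artifact names and contents are placeholders.

```python
import hashlib
from typing import Callable, Dict, List, Optional

Artifacts = Dict[str, bytes]

# Constructed sample "sources" for a toy build: output name -> content the
# build step turns into that artifact (placeholder names, not real files).
SOURCES: Artifacts = {
    "Example.Core.dll": b"legitimate core logic",
    "Example.Helper.dll": b"legitimate helper logic",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build(sources: Artifacts,
          build_hook: Optional[Callable[[Artifacts], None]] = None) -> Artifacts:
    """Toy build: copies each source into an output artifact. A hook that runs
    inside the build stands in for build-time tampering (the SUNSPOT pattern)."""
    artifacts = {name: bytes(content) for name, content in sources.items()}
    if build_hook is not None:
        build_hook(artifacts)  # runs before the SBOM is generated and before signing
    return artifacts

def implant_hook(artifacts: Artifacts) -> None:
    """Constructed stand-in for build-step tampering: appends bytes to one artifact."""
    artifacts["Example.Core.dll"] += b"\n<constructed extra code>"

def generate_sbom(artifacts: Artifacts) -> List[dict]:
    """Simplified SBOM: one entry per artifact with the hash the pipeline observed."""
    return [{"name": n, "sha256": sha256_hex(c)} for n, c in artifacts.items()]

def sbom_inconsistencies(sbom: List[dict], shipped: Artifacts) -> List[str]:
    """Self-check only: SBOM hashes against the shipped bytes. Names that differ."""
    return [e["name"] for e in sbom if sha256_hex(shipped[e["name"]]) != e["sha256"]]

def compare_to_reference(sbom: List[dict], reference: Dict[str, str]) -> List[str]:
    """Out-of-band check: SBOM hashes against hashes from an independent clean build."""
    return [e["name"] for e in sbom if reference.get(e["name"]) != e["sha256"]]

def demo() -> dict:
    clean = build(SOURCES)                                 # independent clean rebuild
    reference = {n: sha256_hex(c) for n, c in clean.items()}
    shipped = build(SOURCES, build_hook=implant_hook)      # what the pipeline produced
    sbom = generate_sbom(shipped)                          # SBOM faithfully lists it
    return {"self_check": sbom_inconsistencies(sbom, shipped),      # []
            "reference_check": compare_to_reference(sbom, reference)}  # ['Example.Core.dll']
```

The self-check passes because the SBOM describes exactly what was built, tampering included; the reference check is the step that needs a trust root outside the compromised build environment.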
Question: I have a question for Katie and Evan on threat modeling -- I'm wondering how often what our organizations consider important is not the primary objective/interest of the threat actor? How important is identifying the threat actor in order to know what our companies should protect?
Katie Nickels: I love this question! For many organizations, the “who” probably does not matter - you can still take the actions that all the speakers are discussing (detect/respond) without knowing the “who” or understanding their intent. Sometimes understanding objectives (I’d say at the ATT&CK “tactic” level) can be very useful to help you investigate an intrusion - John will talk about tactics coming up. For some orgs like the U.S. government, they probably care very much about “who” the actor is, though, but many orgs probably do not. I talk a bit more about this in this blog: https://redcanary.com/blog/apt-attribution-rsa/
Question: There was an article about JetBrains at one point, and I never saw anything further on that. Was there any solid info that accounts for this article, or was this potentially just someone popping a name because the CEO is Russian?
Mark Bristow: CISA was also made aware of this reporting and worked directly with JetBrains to ascertain the validity of the information. While we did not do a direct, comprehensive review of their environment, we were unable to corroborate the assertions that were made public beyond the widespread use of TeamCity.
Question: Are there effective and validated resources out there for tabletop exercise templates, etc?
Mike Murr: Some of the best tabletop scenarios are tied to a specific business's needs, constraints, and resources. With that in mind, Backdoors and Breaches is a fantastic way to get started.
Mark Bristow: Fully agree with Mike that a well facilitated and specific exercise is the best practice. CISA has some resources to help you get started https://www.cisa.gov/publication/cisa-tabletop-exercise-package but recommend getting a facilitator to help!
Question: Could you please paste the full URL into the chat for the Microsoft blog post you referenced? My corporate security controls challenged the shortcut domain in your slide...
John Hubbard: here you go! https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
Question: Would there be anything you suggest for threat modeling considering third party risks?
Katie Nickels: Start by listing all third parties you use! I’ve found many orgs don’t even have that.
Question: Any suggestions of where to find datasets (real or lab) of "SolarWinds" in order to make my own analysis? A tutorial to create a lab to analyze it, maybe?
Evan Dygert: Look at Lenny Zeltser's blog and the FLARE VM GitHub repo for setting up a lab. ILSpy, which was used to decompile this sample, is part of FLARE VM. The SolarWinds DLL is on VirusTotal unless they requested that it be removed. The last link on the last slide of my presentation points to the decompiled code, and that is what is analyzed, so you don't need to decompile it yourself.