On December 13 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to immediately “disconnect or power down SolarWinds Orion products” as they were being actively exploited by malicious actors. Infosec Skills author and KM Cyber Security managing partner Keatron Evans is helping numerous clients respond to the breach and mitigate any potential damage. Join him as he discusses: -What we know about the breach so far -How his clients have responded to the incident -What to look for in your environment to see if you’ve been affected

2. Meet your
speaker
Keatron Evans
Guest speaker
Infosec instructor and managing partner
at KM Cyber Security

3. Agenda
�What happened?
�Immediate action you can take
�Industry responses
�Demo: Snort, memory forensics and Zeek
�Live Q & A

4. What happened?
● FireEye discovered a global attack targeting customers of SolarWinds’ Orion product line. We are tracking
the actors behind this campaign as UNC2452.
● The attack trojanized SolarWinds Orion business software updates in order to distribute malware called
SUNBURST.
● Post exploit activity including horizontal movement has been prevalent.
● The campaign is widespread, affecting public and private organizations around the world.
● FireEye is releasing signatures to detect this threat actor and supply chain attack in the wild. These are
found on our public GitHub page. FireEye products and services can help customers detect and block
this attack. https://github.com/fireeye/sunburst_countermeasures
Sources – FireEye www.fireeye.com, www.mcaffee.com

5. Key findings about malware so far
● Has interest in cloud services and wireless network
usage of victim
● Looks for Solarwinds tools that collect registrant email
addresses, time zone info, etc.
● Has Domain Generation Algorithm for sub-domain
generation for comms back to C2
Sources –
FireEye www.fireeye.com,
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/

6. What happened?

7. Responding to the incident
● What horizontal movements are detectable
● Patterns that may not be talked about in the
public domain yet
● Implementing countermeasures and IOC search
criteria with Snort from scratch

8. Take action immediately
● Go to FireEye Github and get the IOC’s
and countermeasures
● Implement in your environment
● Check with your preferred security
vendors
● Keep up to date on new developments

9. Some industry responses
FireEye
● Published IOC's for everyone to use
● Published recommend steps to recovery
● Basically provided free Incident Response Advisory Services to the world
Microsoft
● Invalidated malware certificates
● Sinkholed one of the main CnC domains
● Updated Windows Defender to look for Sunburst

10. Some industry responses
McAfee
● Sharing detailed reverse engineered intelligence
● Updated in real time
Others in the industry
● Other associates/responders
● My personal network
● Countless MSSP’s, SIEM vendors, etc.
● Contributions are growing by the minute

11. Snort, memory
forensics and
Zeek demo ?

12. Questions?

13. Keep your skills sharp
Want to learn Snort, Zeek, memory
forensics and other pertinent skills?
Subscribe to Infosec Skills using
Keatron’s code “evans50” to save
50% on your first month or first
year.
infosecinstitute.com/skills

14. Keep in
touch
Keatron Evans
linkedin.com/in/keatronevans
kevans@kmcybersecurity.com
Infosec
linkedin.com/company/infosec-institute
www.infosecinstitute.com

15. About us
Infosec believes knowledge is power when fighting
cybercrime. We help IT and security professionals advance
their careers with skills development and certifications
while empowering all employees with security awareness
and privacy training to stay cyber-safe at work and home.
www.infosecinstitute.com