We will take a quick look at the SolarWinds SunBurst attack, which came out on December 13th.
We will review how to defend your network from this attack by automating network security with Check Point firewalls and the Siemplify SOAR solution. It is a known fact that some versions of the SolarWinds Orion products are currently being exploited by malicious actors and are considered high risk by the Department of Homeland Security.
This tactic could allow an attacker to gain access to corporate assets through network traffic, so it is important to review your current inbound and outbound network protections and traffic patterns.
It is important to understand that these binaries could represent a significant threat to your production network environments.
We highly recommend treating any device carrying this binary as compromised; you should already be investigating any device that raised this alert.
From a Cyber Kill Chain perspective, we mapped our IPS, Sandboxing, AV and Anti-Bot protections.
1. An alert came from the Check Point IPS engine, which detected the SolarWinds payload in inbound traffic. In this case our IPS policy was set to Detect rather than Prevent.
2. The payload then went to Sandboxing, which performs AI-based code analysis.
3. We also received an enrichment alert: Check Point Threat Intelligence flagged it via the ThreatCloud Reputation API.
4. It then goes to the Gateway for enforcement: on inbound traffic, IPS blocks it once the policy is switched to Prevent mode.
5. It is also blocked by the Gateway on outbound traffic by the AV and Anti-Bot engines.
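As an added example (not code from the original post, Siemplify or Check Point), the following playbook-style triage step walks the five-stage chain above: it escalates when IPS only logged the payload in Detect mode, and it recommends switching the signature to Prevent only once the Sandbox verdict or ThreatCloud reputation corroborates it. The event fields, protection name, host address and action names are constructed assumptions.

```python
# Added example: SOAR-style triage of the alert chain described above.
# Event fields, the protection name and action names are constructed
# assumptions, not real Check Point or Siemplify output.
from dataclasses import dataclass, field

# Constructed sample events, one per stage of the flow in the text.
SAMPLE_EVENTS = [
    {"source": "IPS", "protection": "SolarWinds SunBurst",  # placeholder name
     "action": "Detect", "direction": "inbound", "host": "10.0.5.21"},
    {"source": "Sandbox", "verdict": "Malicious",
     "malware_family": "SunBurst", "risk": "High"},
    {"source": "ThreatCloud", "reputation": "Malicious",
     "classification": "Backdoor"},
    {"source": "Anti-Bot", "action": "Prevent", "direction": "outbound",
     "host": "10.0.5.21"},
]


@dataclass
class Decision:
    escalate: bool = False
    actions: list = field(default_factory=list)
    hosts: set = field(default_factory=set)


def triage(events):
    """Decide what the playbook should do with one correlated event chain."""
    d = Decision()
    detect_only = [e for e in events
                   if e["source"] == "IPS" and e.get("action") == "Detect"]
    corroborated = any(e.get("verdict") == "Malicious"
                       or e.get("reputation") == "Malicious" for e in events)
    d.hosts = {e["host"] for e in events if "host" in e}
    if detect_only:
        # IPS only logged the payload; raise it even if no other engine fired.
        d.escalate = True
    if detect_only and corroborated:
        # Sandbox or reputation confirmed the verdict, so it is safe to have
        # the firewall-enforcement step move the signature to Prevent.
        for e in detect_only:
            d.actions.append(("set_ips_protection", e["protection"], "Prevent"))
    if corroborated and d.hosts:
        # Per the guidance above, treat hosts carrying the binary as compromised.
        d.actions.append(("open_investigation", sorted(d.hosts)))
    return d


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

An uncorroborated Detect-only IPS alert still escalates but triggers no automatic enforcement, which keeps the playbook from blocking on a single engine's verdict.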
The verdict we received as part of the event gives us its Classification, Risk level, Malware family and further information for analysis. This playbook already has Firewall Enforcement built in; in this case I configured it to give me an Execute command that sets the IPS SunBurst signature to block that malicious traffic.
-JG