Use Panther’s open source detections to identify machines compromised by the SUNBURST malware.
TL;DR: Here's how you can run Panther to detect and investigate malware like SUNBURST:

  1. Add threat intelligence data to a shared Panther Module that can be used by multiple detections
  2. Analyze normalized security data with Python detections to generate real-time alerts for known-bad indicators
  3. Search across your security data lake to determine if your systems were breached, and if so, pivot to understand how you were impacted

Breaches like SUNBURST, which hit SolarWinds, a network management software vendor, reach far beyond the vendor itself. In this case, the malicious code is projected to have impacted nearly 18,000 customers in a supply-chain compromise.

FireEye believes that attackers trojanized SolarWinds Orion business software and distributed malicious but legitimately signed updates to customers. This resulted in a widespread compromise, lateral movement within victim environments, callbacks to C2, and potential exfiltration of sensitive data. In addition, to maintain a presence in the network for later-stage attacks, the malicious actors used obfuscated blocklists to identify security tools and processes, which were then used to create multiple backdoors.

Today, Panther has published an addition to our open source detections to actively track malware callbacks to the SUNBURST Indicators of Compromise (IoCs) identified by FireEye. These can be easily uploaded to your Panther deployment to immediately analyze your critical log data, like VPC Flow logs, Cisco Umbrella, and more. In this blog post, we’ll outline how these detections work and give you a formula for tracking any type of IoC list.

For more details about the associated IoCs, network activity, and the reference material we used to write our detections, read FireEye's in-depth blog post. For the full list of IoCs and detection signatures, check out FireEye's countermeasures.

Detections in Panther

Add Known-Bad Indicators into a Python Module

With Panther's Python modules, you can define detection logic and datasets in one place, like threat intelligence, that can be used across multiple detections.

Panther's "Python Modules" for shared detection logic

In this case, the SUNBURST IoCs gathered from FireEye's report are added to a new global module called panther_iocs, which our detections then import to check incoming logs for the identified indicators.

SUNBURST IOCs

Enable SUNBURST Detections for Real-Time Alerts

The Python rule below imports the IOC module and will identify hits on indicators by utilizing the Panther standard fields, in this case, p_any_ip_addresses.

Detecting known-malicious IPs associated with SUNBURST

During data normalization, Panther populates these standard fields by pulling atomic indicators such as the IP addresses above, which would otherwise be buried in log-specific fields, up to the top level of each event. Because this metadata layer is consistent across all of your critical security data, a simple rule like the one above applies unchanged to many different log sources.

For example, this rule is applied to logs from Okta, AWS, Cisco Umbrella, and more.

Now, if any of the IPs from our threat intelligence data appear within new logs from these systems, security teams will receive a high-value alert to investigate.
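To make the two pieces concrete, here is an added example (not Panther's own panther_iocs module or rule) of a shared IoC set and a rule written against Panther's rule interface (rule, title, dedup) and its p_any_ip_addresses and p_any_domain_names standard fields. The indicator values are constructed placeholders from documentation address ranges, not SUNBURST IoCs; the sample events are constructed too. It goes slightly beyond the post by also matching subdomains of a listed domain and by deduplicating alerts per indicator.

```python
# Added example, not Panther's own code: a shared IoC module and a Python
# detection rule that checks Panther's standard fields against it.
# The indicator values are constructed placeholders (RFC 5737 / RFC 2606
# ranges), NOT SUNBURST IoCs; the real list comes from FireEye's countermeasures.
from typing import Any, Dict, Iterable, List

# --- contents of the shared module (the post's `panther_iocs` global) ---
SUNBURST_IP_IOCS = frozenset({"203.0.113.10", "198.51.100.77"})   # placeholders
SUNBURST_FQDN_IOCS = frozenset({"evil-cdn.example.net"})          # placeholder


def matching_ips(values: Iterable[str], iocs: frozenset) -> List[str]:
    """IPs from `values` that appear in the IoC set (exact match)."""
    return sorted({v for v in values if v in iocs})


def matching_domains(values: Iterable[str], iocs: frozenset) -> List[str]:
    """IoC domains matched by `values`, including subdomains of a listed domain.

    Returns the listed IoC rather than the observed name, so that alerts
    deduplicate per indicator instead of per hostname variant.
    """
    hits = set()
    for name in values:
        name = name.lower().rstrip(".")
        for ioc in iocs:
            if name == ioc or name.endswith("." + ioc):
                hits.add(ioc)
    return sorted(hits)


# --- the detection (Panther's rule interface: rule / title / dedup) ---
# Panther calls rule() once per normalised event. p_any_ip_addresses and
# p_any_domain_names are standard fields populated during normalisation, so
# the same rule applies to VPC Flow, Cisco Umbrella, Okta and other log types.

def _hits(event: Dict[str, Any]) -> List[str]:
    return matching_ips(event.get("p_any_ip_addresses") or [], SUNBURST_IP_IOCS) + \
        matching_domains(event.get("p_any_domain_names") or [], SUNBURST_FQDN_IOCS)


def rule(event: Dict[str, Any]) -> bool:
    return bool(_hits(event))


def title(event: Dict[str, Any]) -> str:
    return "SUNBURST indicator in {}: {}".format(
        event.get("p_log_type", "unknown log"), ", ".join(_hits(event)))


def dedup(event: Dict[str, Any]) -> str:
    # Group repeated hits on the same indicator into one alert rather than
    # paging once per flow record or DNS query.
    return ",".join(_hits(event))


# Constructed sample events in the shape Panther hands to rule().
SAMPLE_EVENTS = [
    {"p_log_type": "AWS.VPCFlow", "srcAddr": "10.0.0.5", "dstAddr": "203.0.113.10",
     "p_any_ip_addresses": ["10.0.0.5", "203.0.113.10"]},
    {"p_log_type": "CiscoUmbrella.DNS", "domain": "api.evil-cdn.example.net.",
     "p_any_domain_names": ["api.evil-cdn.example.net."]},
    {"p_log_type": "Okta.SystemLog", "p_any_ip_addresses": ["192.0.2.44"]},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["p_log_type"], "->", title(ev) if rule(ev) else "no hit")
```

In a real deployment the IoC sets live in the global module and the rule file imports them, exactly as the screenshots above show; keeping the matching helpers in the shared module means a second rule (for hashes, say) gets the same subdomain and case handling for free.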

Investigate Your Historical Data for SUNBURST Indicators

Finally, to determine if these indicators ever previously appeared in your systems, Panther’s Indicator Search can be used to find hits across all of the collected logs in the security data lake:

Searching for known-malicious domains associated with SUNBURST

The search displays a timeline of all hits, grouped across logs and previously generated alerts in the specified timeframe.

Identifying malicious hits in the logs

To further investigate, pivot directly to the hits with Panther's Data Explorer and continue to refine your analytics using SQL:

Investigating the impact of the breach

Results can be shared with your team to identify root cause, impacted systems, and tell the full story.
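The historical search and the first pivot described above, as an added example that is not Panther's code: a local stand-in for the Indicator Search timeline (hits grouped by day, log type and indicator within a time window) and a first-seen lookup per indicator, run over a constructed batch of normalised events rather than the data lake. The indicator values are placeholders from documentation ranges, and the log type names and timestamp format are assumptions about the normalised event shape.

```python
# Added example, not Panther's code: a local stand-in for the Indicator Search
# timeline and the first pivot an analyst makes, run over a constructed batch of
# normalised events instead of the data lake. Indicators are placeholders from
# documentation ranges, not SUNBURST IoCs.
from collections import defaultdict
from datetime import datetime
from typing import Any, Dict, Iterable, List, Tuple

IOC_IPS = frozenset({"203.0.113.10"})            # placeholder
IOC_FQDNS = frozenset({"evil-cdn.example.net"})  # placeholder


def indicator_hits(event: Dict[str, Any]) -> List[str]:
    """IoC list entries matched by this event's standard fields."""
    hits = [ip for ip in event.get("p_any_ip_addresses") or [] if ip in IOC_IPS]
    for name in event.get("p_any_domain_names") or []:
        name = name.lower().rstrip(".")
        hits += [d for d in IOC_FQDNS if name == d or name.endswith("." + d)]
    return hits


def timeline(events: Iterable[Dict[str, Any]], start: datetime,
             end: datetime) -> Dict[Tuple[str, str, str], int]:
    """Hit counts per (day, log type, indicator) inside [start, end]: the
    grouped view the Indicator Search screenshot above presents."""
    counts: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for ev in events:
        ts = datetime.fromisoformat(ev["p_event_time"])  # assumed ISO-8601 field
        if not start <= ts <= end:
            continue
        for ind in indicator_hits(ev):
            counts[(ts.date().isoformat(), ev["p_log_type"], ind)] += 1
    return dict(counts)


def first_seen(events: Iterable[Dict[str, Any]]) -> Dict[str, Tuple[str, str]]:
    """Earliest (event time, log type) per indicator across all retained logs,
    which bounds when the environment first contacted the infrastructure."""
    earliest: Dict[str, Tuple[str, str]] = {}
    for ev in events:
        for ind in indicator_hits(ev):
            cur = earliest.get(ind)
            if cur is None or ev["p_event_time"] < cur[0]:
                earliest[ind] = (ev["p_event_time"], ev["p_log_type"])
    return earliest


# Constructed sample of normalised events standing in for the data lake.
SAMPLE_LAKE = [
    {"p_log_type": "AWS.VPCFlow", "p_event_time": "2020-12-14T03:12:00",
     "p_any_ip_addresses": ["10.0.0.5", "203.0.113.10"]},
    {"p_log_type": "AWS.VPCFlow", "p_event_time": "2020-12-14T09:40:00",
     "p_any_ip_addresses": ["10.0.0.5", "203.0.113.10"]},
    {"p_log_type": "CiscoUmbrella.DNS", "p_event_time": "2020-12-15T11:05:00",
     "p_any_domain_names": ["api.evil-cdn.example.net"]},
    {"p_log_type": "Okta.SystemLog", "p_event_time": "2020-12-15T12:00:00",
     "p_any_ip_addresses": ["192.0.2.44"]},
    {"p_log_type": "AWS.VPCFlow", "p_event_time": "2020-11-01T00:00:00",
     "p_any_ip_addresses": ["203.0.113.10"]},   # older than the search window
]

if __name__ == "__main__":
    window = (datetime(2020, 12, 1), datetime(2020, 12, 31))
    for key, n in sorted(timeline(SAMPLE_LAKE, *window).items()):
        print(key, n)
    print(first_seen(SAMPLE_LAKE))
```

The point of the two functions is the order in which an analyst uses them: the windowed timeline answers "are we hit, and where", while first_seen deliberately ignores the window, because the oldest hit (here a November flow record outside the December search) is what sets the start of the investigation. In Panther that second step is the SQL you refine in Data Explorer over the p_any_* columns.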

Getting Started

Detecting a sophisticated breach starts with a clear understanding of what is happening across your environment. That sounds simple, but it requires that all logs are continually collected and retained in a searchable format, at scale. Panther takes care of the heavy lifting of data transformation, detection, and alerting, built fully on top of a scalable data lake, with Python and SQL as the tools for improving your monitoring posture.

Get started by downloading our newest detections and uploading them to your instance of Panther:

https://github.com/panther-labs/panther-analysis/releases/tag/v1.14.0 (zip)

Thanks and Happy Hunting!
