The global security community recently learned of a supply chain attack against SolarWinds via their Orion® Platform. In this blog we are providing recommendations for Sumo Logic customers to gain a deeper understanding of how to utilize available Indicators of Compromise (IOCs) within our Cloud SIEM offerings to determine your exposure to the attack. Additionally, we’re sharing targeted search recommendations from our Sumo Logic Special Operations (or SpecOps) threat hunting team.
Sumo Logic Continuous Intelligence Platform™
Regarding this particular supply chain attack and the associated SUNBURST backdoor investigated by FireEye, we recommend for our customers to start with the Threat Intelligence application from the Sumo Logic app catalog. For more information about our Threat Intelligence application, you can learn more here.
The Threat Intel Quick Analysis app correlates CrowdStrike's threat intelligence data with your own log data, providing security analytics that helps you to detect threats in your environment, while also protecting against sophisticated and persistent cyberattacks. The Threat Intel Quick Analysis App scans selected logs for threats based on IP address, URL, domain, Hash 256, and email.
To install this application within your Sumo Logic environment, please visit this quick guide.
Utilizing IOC lists:
FireEye released a list of IOCs that were a part of the SolarWinds Orion SUNBURST supply chain attack.
You can easily search the IOCs across all of your data that is currently collected within Sumo Logic. Simply put the IOC name within the scope of your search query to locate relevant results against this IOC list.
Here is a sample query:
Loading IOC lists:
Another way of managing IOC lists within the Sumo Logic platform is by creating lookups. Sumo Logic supports lookup creation in two methods: 1.) Create a Lookup via the Sumo Logic UI, or 2.) Create a Lookup via Sumo Logic Lookup API. To learn more about creating lookups, please consult this guide.
Once a Lookup is created, based on the instructions above, you can run the Sumo Logic query against a particular IOC type within the Sumo Logic platform.
_sourceCategory=* | lookup * from path://”/Library/Usersemail@example.com/Sunburst_IOC_list” on ip_address = ip | count by ip_address
The above query is specific to IP address type IOCs; this query can be modified to look for additional IOC types as well, including file hashes, domains, and more.
How to search available HTTP sources for SolarWinds indicators
The Sumo Logic SpecOps team recommends the following searches, based on FireEye’s SUNBURST Snort IDS rules, for outbound HTTP traffic to attacker-controlled domains. These searches assist with surfacing Command and Control (C2) traffic masquerading as SolarWinds Orion Improvement Program (OIP) traffic, as well as the FQDN observed in use by the attacker: avsvmcloud[.]com.
1. HTTP traffic to suspicious URI paths masquerading as SolarWinds traffic:
_sourceCategory=* | where (request_uri_path matches “*/swip/Events*” OR request_uri_path matches “*/swip/upd/SolarWinds.CortexPlugin.Components.xml*” OR request_uri_path matches “*swip/Upload.ashx*” OR request_uri_path matches “*/swip/upd/*”) |where !(dst_domain matches “*.solarwinds.com*”) | count by dst_domain, request_uri_path, ip_address
2. HTTP traffic going to the malicious domain of avsvmcloud[.]com:
_sourceCategory=* | where http_url matches “*.avsvmcloud.com*” | count by http_url, ip_address, dest_address
Sumo Logic Cloud SIEM Enterprise
Sumo Logic Cloud SIEM Enterprise provides customers with data source enrichment, correlation, and automation to equip security operations teams with out-of-the-box SIEM capabilities.
As a cloud-native service, within 24 hours of this attack announcement, Sumo Logic updated Cloud SIEM Enterprise with new rules based on FireEye’s public release to assist in detections. We continue to add and update detections to the system as our analysis and research continues on this attack.
Security vendors with tools like Endpoint Detection and Response (EDR), firewall, and IDS/IPS are being updated to provide additional protection and detection for this supply chain attack. Cloud SIEM Enterprise provides continuously updated support for these diverse on-prem and cloud-based data sources. Alerts from these sources are automatically normalized into Records which are then enriched with geolocation, entropy calculation, reverse DNS and whois lookups, along with other contextual information.
For Sumo Logic Cloud SIEM Enterprise customers using our network sensor, you also have the option to import YARA rules for additional detections going forward. You can import YARA rules either manually, or by using a GitHub repository to provide file monitoring.
Within the security user interface, click on the Content menu button, then select the File Analysis option, shown here:
Select the Add Source button in the upper right corner of the window. From here you can choose between creating a Custom source to add your own YARA rules manually, or create a GitHub repository source, like the one provided for this attack by FireEye:
Additionally, you have the option to import threat intelligence IOC lists to automatically generate Signals within Cloud SIEM Enterprise.
From the security user interface, click on the Content menu button, then select the Threat Intelligence option. Clicking on the Add Source button provides you with the option to import your IOCs via CSV, API, and TAXII, as shown here:
Sumo Logic SpecOps
Sumo Logic’s Special Operations (SpecOps) is the threat hunting team of Sumo Logic. Our mission is to assist our SpecOps customers to drive their security programs forward in a strategic manner, highlighting threats that are relevant to their business and to act as a force multiplier.
All customers of Sumo Logic’s SpecOps services have received a detailed situational awareness brief on this SolarWinds Orion incident, including additional analysis and recommendations. Our SpecOps team is working on performing historical hunts in customer environments to assist in scoping and verifying impact with affected customers. This team of threat hunters are available for questions at any time or during your next scheduled briefing.
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.