SANS Security Insights

SolarWinds - A SANS Lightning Summit Recap

February 5, 2021

Presentation slides from the SolarWinds SANS Lightning Summit can be found here.

This Q&A was taken from the SANS Lightning Summit on February 4, 2021. You can view the full presentation here:


You can view Jake Williams' webcast on SolarWinds, conducted on December 14, 2020, here:

As a primer on the SolarWinds Supply-Chain Attack you can read the blog based on Jake's December 14 presentation here.


Below is a recap of the Q&A from the chat during the live event.

Question: Are there effective and validated resources out there for tabletop exercise templates, etc?

Mark Bristow: https://www.cisa.gov/publication/cisa-tabletop-exercise-package

Question: Is it "fair" to make statements like "Solorigate and SolarStorm are the same thing" or "SUNSPOT, SUNBURST and TEARDROP are the same thing," aside from who came up with the name, or are there fundamental differences that mean I should avoid that generalization? I have trodden very lightly when making these claims, but at the same time, I like to simplify as much as possible for some of my colleagues and try to eliminate confusion. Any guidance would be great, and sorry for this being so long-winded.

Katie Nickels: I’d recommend saying there are “overlaps”, but not that they are “the same.” I might say something like “Solorigate is a name used by Microsoft and SolarStorm is used by Palo Alto, and they both overlap in including the compromise of SolarWinds.” I’d recommend being as specific as you can be. When communicating, try to be clear about what you’re talking about... are you really talking about TTPs used during the SolarWinds compromise itself? Are you talking about Dark Halo TTPs or SUNSPOT TTPs? It can be tough because many people are thinking of this as “all the same”, so you’ll have to help your consumers understand it’s not quite “the same”. CTI analysts often have the challenge of educating consumers. :) I talk more about group naming in this webcast in case it’s helpful: https://www.youtube.com/watch?v=ff1yhdIx0yY

Question: How can SBOMs help in preventing supply chain attacks, and how effective can they be? Is it something that could really happen, especially in an open-source software supply chain scenario? Should we really expect developers to stick to these rules as an additional step in the development process?

Mark Bristow: Thank you for the question; this is an important one. I think Software Bills of Materials (SBOMs) can go a long way toward increasing the transparency and security of software. An SBOM would have absolutely helped in this case; however, it likely would not have completely eliminated the supply chain issue. As the adversary was able to implant SUNSPOT during the build process, it would likely have also been included in the SBOM manifest, in addition to being signed by the code signing key.
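To make Mark's point concrete, here is an added example written for this recap (it is not code from the summit, from any speaker, or from SolarWinds). It simulates a build pipeline where the builder itself is compromised and appends an implant to the output, then generates and signs an SBOM from the artifacts it produced. The SBOM and signature both check out on the consumer side because they faithfully describe what was shipped; only a comparison against an independent rebuild from the clean source exposes the tampering. The component name, source bytes, implant bytes and HMAC "signing key" are all constructed placeholders, and HMAC stands in for a real asymmetric code-signing key so the script runs offline.

```python
import hashlib
import hmac
import json

# Constructed example: the "source" of one component. Hypothetical name
# and contents, not SolarWinds code.
SOURCE = {"Example.Core.dll": b"public class Core { /* legitimate source */ }"}

# Stand-in for the vendor's code-signing key. A real pipeline would use an
# asymmetric key held in an HSM; HMAC keeps the example self-contained.
SIGNING_KEY = b"vendor-code-signing-key"

# Stand-in for what a build-process implant appends to the compiled output.
IMPLANT = b"/* backdoor injected at build time */"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build(source: dict, compromised: bool = False) -> dict:
    """'Compile' (here: copy) each source file into an artifact.

    With compromised=True the builder tampers with its own output: the
    source repository is clean, but the shipped artifact is not.
    """
    return {
        name: code + (IMPLANT if compromised else b"")
        for name, code in source.items()
    }


def make_sbom(artifacts: dict) -> dict:
    """Minimal SBOM: one component per artifact, with its hash.

    Because the SBOM is generated from the produced artifacts, it describes
    whatever the builder emitted, implant included.
    """
    return {
        "name": "ExampleProduct",
        "components": [
            {"name": n, "sha256": sha256(b)} for n, b in sorted(artifacts.items())
        ],
    }


def sign(sbom: dict) -> str:
    payload = json.dumps(sbom, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def verify_signature(sbom: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(sbom), sig)


def sbom_matches_artifacts(sbom: dict, artifacts: dict) -> bool:
    """Consumer-side check: does every shipped file hash to what the SBOM says?"""
    return all(
        sha256(artifacts[c["name"]]) == c["sha256"] for c in sbom["components"]
    )


def matches_independent_rebuild(sbom: dict, source: dict) -> bool:
    """Rebuild from the clean source on a builder you trust and compare hashes.

    This is the check that catches a build-time implant: the vendor's SBOM
    and signature both pass, yet the hashes differ from what the source
    should have produced.
    """
    expected = make_sbom(build(source, compromised=False))
    return expected["components"] == sbom["components"]


def evaluate(compromised: bool) -> dict:
    """Run the three checks against one build and report the outcomes."""
    artifacts = build(SOURCE, compromised=compromised)
    sbom = make_sbom(artifacts)
    sig = sign(sbom)
    return {
        "signature_valid": verify_signature(sbom, sig),
        "sbom_matches_shipped_files": sbom_matches_artifacts(sbom, artifacts),
        "matches_independent_rebuild": matches_independent_rebuild(sbom, SOURCE),
    }


if __name__ == "__main__":
    for label, flag in (("clean build", False), ("compromised builder", True)):
        print(label, evaluate(flag))
```

For the compromised builder the first two checks still pass, which is exactly why an SBOM alone would not have stopped this: it is an inventory of what was built, not evidence that the build was honest. Reproducible builds, or at least hashes from a second independent build environment, are what turn the SBOM into a detection opportunity.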

Question: I have a question for Katie and Evan on threat modeling -- I'm wondering how often what our organizations consider important are not the primary objective/ interest of the threat actor? How important is identifying the threat actor in order to know what our companies should protect?

Katie Nickels: I love this question! For many organizations, the “who” probably does not matter - you can still take the actions that all the speakers are discussing (detect/respond) without knowing the “who” or understanding their intent. Sometimes understanding objectives (I’d say at the ATT&CK “tactic” level) can be very useful to help you investigate an intrusion - John will talk about tactics coming up. Some orgs, like the U.S. government, probably care very much about “who” the actor is, but many orgs probably do not. I talk a bit more about this in this blog: https://redcanary.com/blog/apt-attribution-rsa/

Question: There was an article about JetBrains at one point and never saw anything further on that? Was there any solid info that accounts for this article or was this potentially just someone popping a name because the CEO is Russian?

Mark Bristow: CISA was also made aware of this reporting and worked directly with JetBrains to ascertain the validity of the information. While we did not do a direct, comprehensive review of their environment, we were unable to corroborate the assertions that were made public beyond the widespread use of TeamCity.

Question: Are there effective and validated resources out there for tabletop exercise templates, etc?

Mike Murr: Some of the best tabletop scenarios are tied to a specific business's needs, constraints, and resources. With that in mind, Backdoors and Breaches is a fantastic way to get started.

Mark Bristow: Fully agree with Mike that a well-facilitated and specific exercise is the best practice. CISA has some resources to help you get started (https://www.cisa.gov/publication/cisa-tabletop-exercise-package), but I recommend getting a facilitator to help!

Question: Could you please paste the full URL into the chat for the Microsoft blog post you referenced? My corporate security controls challenged the shortcut domain in your slide...

John Hubbard: here you go! https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

Question: Would there be anything you suggest for threat modeling considering third party risks?

Katie Nickels: Start by listing all third parties you use! I’ve found many orgs don’t even have that.

Question: Any suggestions of where to find datasets (real or lab) of "SolarWinds" in order to make my own analysis? A tutorial to create a lab to analyze it, maybe?

Evan Dygert: Look at Lenny Zeltser's blog and the FLARE VM GitHub repo for setting up a lab. ILSpy, which was used to decompile this sample, is part of the FLARE VM. The SolarWinds DLL is on VirusTotal unless they requested that it be removed. The last link on the last slide of my presentation goes to the decompiled code, and that is what is analyzed, so you don't need to decompile it yourself.

Tags:
  • Cybersecurity Insights
