Security report: Lessons learned investigating the SUNBURST software supply chain attack
In the wake of the SolarWinds Orion SUNBURST exploit, organisations raced to understand if they had been compromised and to what extent, working around the clock to remediate the exploit before it could do further damage. But once affected SolarWinds binaries were found and patched, the real challenge began. While the exploit was first reported in December 2020, the initial intrusion is believed to have taken place months before, as early as March 2020.
To determine the full extent of the compromise, security teams needed to go back months. In the best case scenario, organisations were left to comb through what historical records they may have retained, but in many instances they were without even basic activity logs, struggling to identify the systems and timeframes on which to narrow their focus.
In this report, we provide an expanded list of indicators of SUNBURST compromise as observed across affected environments protected by Reveal(x). We also share real-world examples of how organisations have used historical network data to determine whether and to what extent systems and data were compromised via SUNBURST.