Secureworks’ Response to Recent Nation-State Cyberattacks
We are here to help.
By: Barry Hensley - Secureworks Chief Threat Intelligence Officer
Last weekend, FireEye, Microsoft and SolarWinds detailed a sophisticated supply chain attack that used trojanized SolarWinds Orion business software released between March and June 2020 to compromise networks. This supply chain compromise likely facilitated the network breach FireEye disclosed on December 8. And in an emergency directive, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) instructed government agencies to take immediate action to mitigate this risk.
We understand that you may have many questions and we are here to help.
Secureworks’ number one priority is protecting our customers. Our Counter Threat Unit™ is constantly monitoring these evolving threats to ensure our security platform, Incident Response teams and Security Operations are equipped with the most relevant intelligence. We have already updated our Threat Detection and Response (TDR) software with all appropriate countermeasures that have been shared by the larger security community. We also activated a threat-focused cell within our incident response team for any of our customers who need our help specific to this activity. Our team is:
- Investigating all indicators of compromise, to identify new links and new indicators that can be used for client protection;
- Reviewing new malware, tools and tactics against existing countermeasure coverage to identify and apply new countermeasures;
- Applying known-bad indicators to watchlists for blocking and detection on security controls such as firewalls and web proxies;
- Reviewing historic client log data and telemetry for known and discovered indicators, and alerting customers; and
- Monitoring and reviewing all third-party reporting for new intelligence that can be applied to detection processes.
Steps You Can Take
Determine if you have installed the affected versions of SolarWinds’ Orion Platform. We assess this to be a targeted campaign, and many organizations that received the affected versions are unlikely to have been intended targets. Nevertheless, we recommend that you immediately invoke your incident response processes, either internally, with us, or through your Managed Security Services Provider (MSSP), to investigate whether the access has been leveraged by the threat actor.
Protecting Secureworks for You
Our Corporate Security team constantly monitors, tests and updates our own infrastructure to optimize and fortify our security posture. Our Counter Threat Unit™ constantly monitors the threat landscape; its insights inform our TDR software and our own security strategy to protect our customers. In addition to monitoring your networks, we are also closely monitoring ours for these most recent threat indicators.
The security community is constantly monitoring, learning from and adapting to threat actor tactics. In our 20 years of experience, we have learned that comprehensive, rapid threat detection and response is critically important. Sharing intelligence is also critically important, which is why we make our Threat Actor Profile Reports available to all on our website.
Our team of CTU™ researchers and incident responders remains on alert to help you with these and other threats. Secureworks is committed to strengthening the broader security community, and we are focused on protecting our customers and partners from the sophisticated threat actors that target all of us.