How Elastic security aims to protect you from the SolarWinds SUNBURST compromise

Elastic protects you from the SolarWinds SUNBURST compromise

Information regarding the SolarWinds Orion SUNBURST backdoor attack was released on December 13th. It is a sophisticated attack that leverages many different techniques.

A large number of IoCs (Indicators of Compromise) have already been reported publicly, indicating the advanced and complicated nature of the threat.

Even though information on how the attacker managed to insert its malicious code into SolarWinds clients is still limited, the behaviours identified following execution of the malware are consistent with command and control activity.

Elastic has acted quickly to provide multiple additional protections, free of charge, covering the full scope of the attack as far as is currently known. This scope will continue to grow as further analysis of compromised systems takes place. Elastic has given its commitment to continue updating as further details come to light.

First and foremost, it has deployed an update to its machine-learning-powered malware detection scoring algorithm and added the hashes of known compromised SolarWinds software to its blocklists.

Elastic Security detection rules deployed as standard already provide protections for a number of identified behavioural tactics:

In addition, Elastic is releasing a number of additional rules to combat specific SUNBURST-identified behaviours.

Sofecta is also reacting by releasing SUNBURST-related IP and hostname blocklists, which we have collected for inclusion in our SaaS customers’ Indicator Detection rules. Furthermore, we are offering our customers an ‘early warning rule’ that alerts on installed SolarWinds clients, in case staff have installed the software outside of a broader installation policy or consent.
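To make the two detection ideas above concrete, the following is an added example (not Elastic's or Sofecta's own rules) of how indicator-based matching and an "installed SolarWinds client" early warning can be evaluated over endpoint events. The hash, IP and hostname indicators are constructed placeholders, since the real blocklists are not reproduced on this page, and the set of hosts where a SolarWinds install is expected under policy is an assumption.

```python
"""Indicator matching and early-warning checks over constructed endpoint events.

This is illustrative code, not an Elastic or Sofecta detection rule. The
indicator values below are placeholders: a fictional hash, RFC 5737
documentation addresses and a reserved .invalid hostname.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed placeholder indicators (NOT real SUNBURST IoCs).
BLOCKED_SHA256 = {"a" * 64}                       # placeholder hash of a compromised DLL
BLOCKED_IPS = {"192.0.2.10", "198.51.100.7"}      # documentation-range addresses
BLOCKED_HOSTNAMES = {"c2.example.invalid"}        # reserved .invalid TLD

# Assumed allow-list: hosts where a SolarWinds install is covered by the
# deployment policy, so no early warning is needed for them.
APPROVED_SOLARWINDS_HOSTS = {"nms-01"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def _hostname_blocked(name: str) -> bool:
    """Match the hostname itself or any subdomain of a blocklisted name."""
    name = name.lower().rstrip(".")
    return any(name == bad or name.endswith("." + bad) for bad in BLOCKED_HOSTNAMES)


def match_indicators(event: Dict) -> List[Alert]:
    """Evaluate one event against the blocklists and the early-warning rule."""
    alerts: List[Alert] = []
    host = event.get("host", "unknown")
    kind = event.get("kind")

    if kind == "file":
        digest = event.get("sha256", "").lower()
        if digest in BLOCKED_SHA256:
            alerts.append(Alert("blocklisted_hash", host, f"{event.get('path')} sha256={digest}"))

    elif kind == "network":
        dest_ip = event.get("dest_ip")
        if dest_ip in BLOCKED_IPS:
            alerts.append(Alert("blocklisted_ip", host, dest_ip))
        dest_name = event.get("dest_hostname")
        if dest_name and _hostname_blocked(dest_name):
            alerts.append(Alert("blocklisted_hostname", host, dest_name))

    elif kind == "software":
        # Early warning: SolarWinds software present on a host outside the
        # approved deployment set.
        name = event.get("name", "")
        if "solarwinds" in name.lower() and host not in APPROVED_SOLARWINDS_HOSTS:
            alerts.append(Alert("solarwinds_early_warning", host, name))

    return alerts


def run(events: Iterable[Dict]) -> List[Alert]:
    """Run every event through the checks and collect the resulting alerts."""
    return [alert for event in events for alert in match_indicators(event)]


# Constructed sample telemetry: a file observation, outbound connections and
# software-inventory records from two hosts.
SAMPLE_EVENTS = [
    {"kind": "file", "host": "nms-01",
     "path": r"C:\Program Files\SolarWinds\Orion\example-component.dll", "sha256": "A" * 64},
    {"kind": "network", "host": "nms-01", "dest_ip": "192.0.2.10", "dest_port": 443},
    {"kind": "network", "host": "ws-17", "dest_ip": "203.0.113.5",
     "dest_hostname": "beacon.c2.example.invalid"},
    {"kind": "software", "host": "ws-17", "name": "SolarWinds Orion Platform"},
    {"kind": "software", "host": "nms-01", "name": "SolarWinds Orion Platform"},  # approved host
    {"kind": "network", "host": "ws-17", "dest_ip": "203.0.113.9"},               # benign
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"[{alert.rule}] host={alert.host} {alert.detail}")
```

Running the script produces four alerts from the sample events: the blocklisted hash on nms-01, the blocklisted IP, the subdomain of a blocklisted hostname, and the early warning for the unapproved SolarWinds install on ws-17; the install on the approved host and the benign connection produce nothing. Hashes are compared case-insensitively, and hostname matching covers subdomains so that a beacon under a blocklisted domain is still caught.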

Contact us for more information

Written by: Alex Hutchinson Certified Elastic Engineer and Software Architect
