Threat Hunting Use Case (Video): Sunburst Malware

The SolarWinds attack, disclosed by the security firm FireEye and by Microsoft in December 2020, delivered a trojanized Orion update to as many as 18,000 government and private-sector organizations. It has been characterized as the largest and most sophisticated cyber attack the world has ever seen, and it was made possible by the Sunburst malware that the attackers implanted in a legitimate, digitally signed DLL shipped in SolarWinds' Orion update packages.

ThreatConnect engineer Alexi Valencia has produced a new video that breaks down how the Sunburst attack worked and shows how a combination of focused dashboards, automated threat hunting, and workflow within ThreatConnect can help threat intelligence analysts and incident responders streamline their response when Sunburst or a similar incident occurs.

The video walks through a dashboard that tracks Sunburst-specific intelligence across all available intelligence sources and provides updated counts of pertinent items, such as incidents, signatures, adversaries, and threats. As new relevant intelligence becomes available, analysts can track new incidents and reports carrying Sunburst-related tags, as well as any reported indicators of compromise.

Using ThreatConnect to Automate Threat Hunting in Response to the SolarWinds Compromise

About the Author

Dan Verton is ThreatConnect's Director of Content Marketing. Dan is an award-winning journalist and a former intelligence officer in the U.S. Marine Corps. He has authored several books on cybersecurity, including the groundbreaking 2003 work Black Ice: The Invisible Threat of Cyber-Terrorism (McGraw-Hill) and The Hacker Diaries: Confessions of Teenage Hackers (McGraw-Hill). He holds a Master of Arts in Journalism from American University in Washington, D.C.