CISA Unveils New On-Premise Threat Detection Tool
The Cybersecurity and Infrastructure Security Agency has introduced a new threat detection tool for on-premise environments.
The CISA Hunt and Incident Response Program (CHIRP) tool is built to find indicators of compromise (IOCs) linked to the exploitation of vulnerabilities in SolarWinds Orion products and to threat activity in Microsoft Cloud environments.
Security researchers and CISA warned that many entities may be operating with these vulnerabilities, allowing threat actors to slip undetected into their networks, Health IT Security reported.
Vulnerabilities tied to the SolarWinds Orion platform, which were first disclosed in December, continue to put several entities at risk of compromise well into 2021.
CISA identified the same threat actors behind the SolarWinds hack as the culprits of the recent Microsoft Cloud attacks. In a January alert, the agency cautioned organizations about threat activity in Microsoft 365 and Azure applications, with threat actors attempting to gain access to cloud resources through methods such as password guessing and password spraying.
According to CISA, CHIRP has plugins to search through event logs and registry keys. It can also look for signs of advanced persistent threat tactics, techniques and procedures.
“CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity,” the agency said.
Officials noted that the forensics collection tool may receive new IOC packages and plugins to address emerging threats.
Users of the new tool are encouraged to look through Windows event logs and registry keys for IOCs tied to SolarWinds activity and to apply YARA rules to detect backdoors, malware or implants.
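To make the plugin-plus-IOC-list design concrete, here is an added example (not CHIRP's code, and not CISA's IOC file) of a minimal hunt that matches an IOC list against Windows event log lines and registry entries. The IOC definitions are embedded as the Python structure a YAML file would produce after `yaml.safe_load()`; the line format, the registry entries and every indicator are constructed placeholders, not real SolarWinds indicators. The only real values are the Windows event IDs 4698 (scheduled task created), 4624 (logon) and 1102 (audit log cleared).

```python
"""Minimal IOC hunt over Windows event log lines and registry entries.
Added example in the spirit of the plugin-plus-IOC-list design described
above; not CHIRP's code. Formats and indicators are constructed."""
import re
from dataclasses import dataclass

# Constructed IOC definitions, shaped like a YAML document after
# yaml.safe_load(). Every indicator here is a placeholder, not a real IOC.
IOC_DEFINITIONS = {
    "event_log": [
        # Event ID 4698 = scheduled task created; flag tasks launched from Temp
        {"name": "scheduled-task-from-temp", "event_id": 4698,
         "pattern": r"\\Windows\\Temp\\"},
        # Event ID 1102 = audit log cleared, a common anti-forensics step
        {"name": "audit-log-cleared", "event_id": 1102, "pattern": None},
    ],
    "registry": [
        # Placeholder persistence indicator: Run key pointing at a .tmp file
        {"name": "run-key-tmp-binary",
         "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
         "value_pattern": r"\.tmp\b"},
    ],
}


@dataclass(frozen=True)
class Match:
    ioc_name: str
    source: str    # "event_log" or "registry"
    evidence: str  # the line or registry entry that matched


def hunt_event_logs(lines, iocs=IOC_DEFINITIONS):
    """Match lines of the constructed form 'EventID=<n> <message>' against IOCs."""
    matches = []
    for line in lines:
        m = re.match(r"EventID=(\d+)\s+(.*)", line)
        if not m:
            continue  # skip lines that are not in the expected format
        event_id, message = int(m.group(1)), m.group(2)
        for ioc in iocs["event_log"]:
            if ioc["event_id"] != event_id:
                continue
            # A None pattern means the event ID alone is the indicator
            if ioc["pattern"] is None or re.search(ioc["pattern"], message):
                matches.append(Match(ioc["name"], "event_log", line))
    return matches


def hunt_registry(entries, iocs=IOC_DEFINITIONS):
    """entries: iterable of (key_path, value_name, data) tuples."""
    matches = []
    for key_path, value_name, data in entries:
        for ioc in iocs["registry"]:
            if (key_path.lower() == ioc["key"].lower()
                    and re.search(ioc["value_pattern"], data, re.IGNORECASE)):
                evidence = f"{key_path}\\{value_name} = {data}"
                matches.append(Match(ioc["name"], "registry", evidence))
    return matches


# Constructed sample data standing in for what the plugins would collect.
SAMPLE_EVENT_LOG = [
    r"EventID=4624 Logon succeeded for CORP\alice from 10.0.0.5",
    r"EventID=4698 Scheduled task \Updater registered, action C:\Windows\Temp\upd.exe",
    r"EventID=1102 The audit log was cleared by CORP\svc-backup",
    r"EventID=4698 Scheduled task \Backup registered, action C:\Program Files\Backup\bk.exe",
]
SAMPLE_REGISTRY = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Users\Public\svc.tmp"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Program Files\OneDrive\OneDrive.exe"),
]


def run_hunt():
    """Run both plugins over the sample data; return matched IOC names in order."""
    found = hunt_event_logs(SAMPLE_EVENT_LOG) + hunt_registry(SAMPLE_REGISTRY)
    return [m.ioc_name for m in found]


if __name__ == "__main__":
    for match in hunt_event_logs(SAMPLE_EVENT_LOG) + hunt_registry(SAMPLE_REGISTRY):
        print(f"[{match.source}] {match.ioc_name}: {match.evidence}")
```

Each plugin only knows how to read its own data source; the indicators live entirely in the IOC list, which is what lets a tool like this ship new IOC packages without changing the collection code. A hit is a lead for the forensic imaging and analysis step, not a verdict on its own.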
Upon the discovery of a potential intrusion, users are urged to collect a forensic image of the relevant system and carry out a forensic analysis.