NetWitness Community

As you’ve surely seen, a recently discovered supply chain attack has impacted numerous organizations including corporations, government agencies, and nonprofits.  Information continues to emerge about the massive scope and scale of this attack and related threats.  Unfortunately events like these illustrate that none of us are immune to attacks, especially when conducted by sophisticated threat actors associated with nation-states.

This post is to keep you informed of RSA’s response to this developing situation.  Here’s what we can report:

• At this point, our investigation has determined that neither RSA nor RSA products use the SolarWinds Orion software affected by the SUNBURST vulnerability announced on December 13th, 2020. RSA will continue coordinating with SolarWinds and our vendors on implementing any appropriate countermeasures and monitoring for appropriate indicators.
• We are maintaining surveillance of the news and forensic archives regarding the SUNBURST attack on FireEye, which resulted in the theft of its “Red Team” tools for identifying vulnerabilities.  We have implemented countermeasures for the indicators of compromise (IoCs) identified by FireEye within RSA NetWitness Platform, as well as other security tools we use internally.

Diving deeper, the links below outline the approach our teams are taking – many of which are deployable to our RSA NetWitness Network and Endpoint tools. We are publicly offering this information to all, including organizations that don’t have RSA NetWitness Network or Endpoint, so that anyone can transpose/map this content into their detection tools.

RSA Link (login may be required):

• General Security Advisories and Statements
• Statement and FAQs regarding FireEye breach & SolarWinds vulnerability
• FireEye Breach - Implementing Countermeasures in RSA NetWitness
• FireEye Breach -- Stages of the Attack
• Profiling Attackers Series | RSA Link

There’s also the CVE data included in the GitHub repository that identifies which vulnerabilities these tools were levied against.

• FireEye Red Team Tool Countermeasures

As always, RSA stands with the cybersecurity industry and our customers in defending against malicious actors like the ones behind this major attack.  If you have questions or concerns, or would like to speak with our technical teams, please let us know and we will coordinate efforts.