Memory forensics demo: SolarWinds breach and Sunburst malware

The SolarWinds hack is one of the biggest cybersecurity incidents in recent years. By gaining access to SolarWinds’ network, attackers were able to access the company’s development environment and implant malicious code within updates to SolarWinds’ Orion network monitoring solution. With these malicious updates, the attackers inserted backdoors into the networks of thousands of SolarWinds’ customers, setting the stage for follow-on attacks.

The investigation of the SolarWinds hack was a case study in incident response and teamwork. FireEye initially discovered and disclosed the incident, and multiple other companies built on that discovery, identifying additional malware variants and infection vectors used alongside the original malware. The reports published by these organizations have created a treasure trove of data for organizations wishing to learn whether they are affected by the hack and, if so, the scope and impact of the compromise.

Malware detection through memory analysis

On the Cyber Work podcast, Infosec’s principal security researcher Keatron Evans provided a walkthrough of breach detection for companies potentially impacted by the SolarWinds breach. He demonstrated a process for identifying indicators of compromise (IoCs) in the memory of a potentially compromised machine.

Step 1: Grab a memory dump

When performing a forensic investigation,
