Next-Gen DFIR: Mass Exploits & Supplier Compromise

Conference: Black Hat USA 2021



The presentation discusses the need for evolving incident response in the face of recent mass zero-day and supply chain exploitations in cybersecurity. It emphasizes the importance of threat intelligence, threat hunting, and effective response strategies.
  • Recent hacks like the Kaseya RMM exploit and the SolarWinds attack highlight the need for evolving incident response
  • Supply chain attacks and mass zero-day exploits have similarities in response strategies
  • Threat intelligence is crucial in identifying key software products and suppliers, monitoring threat intelligence sources, and vetting security firms and researchers
  • Threat hunting requires obtaining reliable indicators of compromise, using structured formats like YARA or STIX, and planning ahead for effective response
  • The SolarWinds attack was particularly challenging due to its nation-state origin, difficulty in obtaining indicators of compromise, and ripple effects throughout the technology ecosystem
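The hunting step summarized above (obtain structured IoCs, vet them, then sweep telemetry) as an added illustration that is not part of the talk or its materials: a minimal Python hunt that reads a constructed STIX 2.1 bundle, keeps only indicators that are current and above a confidence threshold, and matches their values against constructed DNS and EDR log lines. All indicator values, log lines, and the `min_confidence` cutoff are made up for the example; only simple single-comparison STIX patterns are parsed.

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle (example data, not real IoCs): one current, high-confidence
# indicator and one expired, low-confidence indicator that a hunt should skip.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--example", "objects": [
    {"type": "indicator", "id": "indicator--1", "confidence": 85, "pattern_type": "stix",
     "valid_from": "2021-01-01T00:00:00Z",
     "pattern": "[domain-name:value = 'update.example-c2.test']"},
    {"type": "indicator", "id": "indicator--2", "confidence": 20, "pattern_type": "stix",
     "valid_from": "2020-01-01T00:00:00Z", "valid_until": "2020-06-01T00:00:00Z",
     "pattern": "[file:hashes.'SHA-256' = 'deadbeef00']"},
]})

# Constructed DNS and EDR log lines to hunt over.
LOG_LINES = [
    "2021-07-01T10:00:01Z dns client=10.0.0.5 query=update.example-c2.test type=A",
    "2021-07-01T10:00:02Z dns client=10.0.0.7 query=cdn.vendor.test type=A",
    "2021-07-01T10:01:00Z edr host=ws-12 file=C:\\Temp\\a.exe sha256=deadbeef00",
]

# Only simple single-comparison STIX patterns are handled here; anything else is skipped.
SIMPLE_PATTERN = re.compile(r"\[(?P<obj>[\w-]+):(?P<prop>[^\s=]+)\s*=\s*'(?P<val>[^']+)'\]")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_indicators(bundle_json, now_iso, min_confidence=50):
    """Return (indicator id, observable value) pairs that are worth hunting on right now."""
    now, usable = _ts(now_iso), []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if obj.get("confidence", 0) < min_confidence:
            continue  # unvetted or low-confidence indicator: do not hunt on it blindly
        if now < _ts(obj["valid_from"]) or ("valid_until" in obj and now > _ts(obj["valid_until"])):
            continue  # outside the producer's validity window
        m = SIMPLE_PATTERN.fullmatch(obj["pattern"])
        if m:  # compound patterns (AND/OR/FOLLOWEDBY) need a real STIX pattern engine
            usable.append((obj["id"], m.group("val")))
    return usable

def hunt(log_lines, indicators):
    """Case-insensitive substring match of each usable indicator value against each log line."""
    return [(ind_id, line) for line in log_lines
            for ind_id, value in indicators if value.lower() in line.lower()]

if __name__ == "__main__":
    found = load_indicators(STIX_BUNDLE, "2021-07-01T12:00:00Z")
    for ind_id, line in hunt(LOG_LINES, found):
        print(ind_id, "->", line)
```

The expired hash indicator is dropped before the sweep, so the EDR line carrying it produces no hit; lowering `min_confidence` alone does not bring it back because its validity window has closed.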
The SolarWinds attack involved a backdoor in the Orion network monitoring software, which was widely used by organizations around the world. Criminals had installed the backdoor on approximately 18,000 customer networks, including those of information technology companies. The malware was designed to evade detection and analysis, making threat hunting incredibly difficult. The attack was attributed to a Russian state-sponsored hacker group, and its ripple effects are expected to create risk throughout the entire technology ecosystem for years to come.


There’s been a spike in major incidents and widespread DFIR disasters involving both service providers (such as MSPs and cloud providers) and software providers (such as SolarWinds, Microsoft, and Accellion). Responders have little visibility and often find out about vulnerabilities, exploits, and backdoors far too late. In this fast-paced talk, we'll dissect real “next-gen” DFIR cases and how to adapt your response processes to meet today’s global threats. This will include a walkthrough of a SolarWinds case, including threat intelligence and threat hunting, which were the keys to an effective response. We'll analyze a recent Exchange exploitation case where multiple cybercriminal gangs hacked into the server, both before and after the vulnerability was made public. We'll discuss the FBI's court-approved removal operation and the implications of pre-emptive access by law enforcement to private servers on a mass scale. Finally, we’ll analyze an MSP hacking case, where criminals leveraged the REvil ransomware to hold over 100 clinics hostage. We are on the precipice of seeing major changes to standard response best practices. All of us need to expand DFIR processes to account for mass 0-day exploits and supplier compromises. This includes strategies for threat intelligence, methods for obtaining early information about a potential incident, obtaining and vetting IoCs, risk evaluation strategies, and more. We also need to integrate threat hunting into response operations and prepare for potential unexpected law enforcement access to systems. Join us and get practical strategies for adapting your DFIR response best practices to reflect today’s increasingly interconnected threat landscape.