{
	"id": "d7c4e306-fddd-498b-af82-218a45d71a74",
	"created_at": "2026-04-20T02:21:05.791026Z",
	"updated_at": "2026-04-20T02:22:27.797105Z",
	"deleted_at": null,
	"sha1_hash": "1dff2b571a7775bfab3f5c1216d5849b82d940b8",
	"title": "Sunburst Hack: Best Practices, Identifying And Mitigating - Check Point Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 93688,
	"plain_text": "Sunburst Hack: Best Practices, Identifying And Mitigating - Check\r\nPoint Blog\r\nBy etal\r\nPublished: 2020-12-21 · Archived: 2026-04-20 02:13:13 UTC\r\nIntroduction\r\nDuring the closing weeks of 2020 a Cyber Security attack became one of the main headline news stories of what\r\nhad already been a news-rich year. Attributed to a campaign that began months earlier, the information security\r\nteams of government agencies and private organizations quickly shifted their focus to a vulnerability in the\r\nSolarWinds Orion solution, which could open a backdoor into organizational communications networks. Dubbed\r\nSunburst, this incident called into question the trustworthiness of the primary technology tools that organizations\r\nuse to manage their corporate technology resources.\r\nAs with any security incident, security practitioners would initially focus on identifying signs of potential\r\nSunburst activities in their networks and systems. From there they would prioritize immediate remediation\r\nactivities. Once these initial efforts were complete, security teams would need to consider broader structural\r\nchanges to their security programs.\r\nThis blog provides information intended to assist with these primary phases and is structured according to the\r\nfollowing flow:\r\n1. A summary of the Sunburst breach\r\n2. Network mitigations\r\n3. Host remediation\r\n4. Additional considerations\r\n5. Potential considerations for longer-term security improvements, including guidance on DevOps, Endpoint\r\nand cloud environments, according to the Zero-Trust Architecture framework\r\nhttps://blog.checkpoint.com/2020/12/21/best-practice-identifying-and-mitigating-the-impact-of-sunburst/\r\nPage 1 of 14\n\nSome of the recommendations included in this blog apply to what was known about the Sunburst event at the time\r\nof writing. 
Check Point will update the document as more information becomes available.\r\nIndividuals interested in speaking with Check Point about Sunburst and other security topics are invited to interact with their account teams and to contact Check Point via the contact details listed on its public website at: https://www.checkpoint.com/\r\nAbout the Sunburst event\r\nOn the 8th of December 2020, FireEye, a US-based cyber security company, notified the market that it had been attacked by what the company believed was a nation-state actor, who gained access to some of FireEye’s Red Team tools.\r\nFive days later, on the 13th of December 2020, reporting in major US news outlets indicated that US government agencies had been breached in what appeared to be a complex cyber attack, and on that same day the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to all US Federal civilian agencies to “review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”\r\nThe CISA notification was followed by a SolarWinds filing with the Securities and Exchange Commission (SEC). That filing noted that SolarWinds was made aware of a “cyberattack that inserted a vulnerability within its Orion monitoring products which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.”\r\nSolarWinds Orion\r\nSolarWinds Orion is an enterprise software suite that includes performance and application monitoring and network configuration management. SolarWinds Orion is used to monitor and manage on-premise and hosted infrastructures.
To provide SolarWinds Orion with the necessary visibility into this diverse set of technologies, it is common for network administrators to configure SolarWinds Orion with pervasive privileges, making it a valuable target for adversary activity.\r\nAccording to the Cybersecurity and Infrastructure Security Agency (CISA), the compromise of SolarWinds Orion, Sunburst, was a supply chain attack that impacted several U.S. government agencies and critical infrastructure entities, as well as private sector organizations, through an advanced persistent threat (APT) campaign that started in March 2020.\r\nAccording to CISA’s analysis, the threat actor added a malicious version of the binary SolarWinds.Orion.Core.BusinessLayer.dll into the SolarWinds software lifecycle, which was then signed by a legitimate SolarWinds code signing certificate.\r\nThe compromised binary, once installed, calls out to a victim-specific avsvmcloud.com subdomain using a protocol designed to mimic legitimate SolarWinds protocol traffic. After the initial check-in, the attacker can use the Domain Name System (DNS) response to selectively send back new domains or IP addresses for interactive command and control (C\u0026C) traffic.\r\nSolarWinds Orion typically uses a significant number of highly privileged accounts to perform normal business functions. Successful compromise of one of these systems can therefore enable further action. At the same time, entities that observe traffic from their SolarWinds Orion devices to avsvmcloud.com should not immediately conclude that the attacker leveraged the SolarWinds Orion backdoor.
Instead, additional investigation is needed into whether the SolarWinds Orion device engaged in further unexplained communications.\r\nAccording to the CISA advisory, the following SolarWinds Orion products were impacted:\r\nOrion Platform 2019.4 HF5, version 2019.4.5200.9083\r\nOrion Platform 2020.2 RC1, version 2020.2.100.12219\r\nOrion Platform 2020.2 RC2, version 2020.2.5200.12394\r\nOrion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432\r\nBroader significance of the incident\r\nAmong the next steps that the attacker took after establishing the initial foothold was to compromise the Security Assertion Markup Language (SAML) signing certificate using escalated Active Directory privileges. Once this was accomplished, the attacker created unauthorized but valid SAML tokens and presented them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data investigation and exfiltration via authorized application programming interfaces (APIs).\r\nSAML is used by many business applications, including:\r\nSaaS applications that require SAML for single sign-on (business applications, email services, etc.)\r\nFile storage services (such as SharePoint, OneDrive for Business)\r\nKubernetes and container environments that rely on Active Directory\r\nThese types of solutions are important for espionage and data collection efforts. Access to email and file repositories provides visibility into troves of interesting communications and content.\r\nMITRE ATT\u0026CK® Techniques used in Sunburst attack\r\nThe MITRE ATT\u0026CK® framework helps provide context to the Sunburst campaign.
The following represent known tactics and techniques:\r\nQuery Registry [T1012]\r\nObfuscated Files or Information [T1027]\r\nObfuscated Files or Information: Steganography [T1027.003]\r\nProcess Discovery [T1057]\r\nIndicator Removal on Host: File Deletion [T1070.004]\r\nApplication Layer Protocol: Web Protocols [T1071.001]\r\nApplication Layer Protocol: DNS [T1071.004]\r\nFile and Directory Discovery [T1083]\r\nIngress Tool Transfer [T1105]\r\nData Encoding: Standard Encoding [T1132.001]\r\nSupply Chain Compromise: Compromise Software Dependencies and Development Tools [T1195.001]\r\nSupply Chain Compromise: Compromise Software Supply Chain [T1195.002]\r\nSoftware Discovery [T1518]\r\nSoftware Discovery: Security Software Discovery [T1518.001]\r\nCreate or Modify System Process: Windows Service [T1543.003]\r\nSubvert Trust Controls: Code Signing [T1553.002]\r\nDynamic Resolution: Domain Generation Algorithms [T1568.002]\r\nSystem Services: Service Execution [T1569.002]\r\nCompromise Infrastructure [T1584]\r\nSecurity practitioners interested in reviewing comprehensive lists of indicators of compromise can find them in multiple online publications. The CISA alert referenced below is one such example.\r\nThis event continues to evolve and researchers are providing updated information on a regular basis.
The following sources provide relevant background:\r\nCheck Point blog post: https://blog.checkpoint.com/2020/12/16/solarwinds-sunburst-attack-what-do-you-need-to-know/\r\nCISA alert (AA20-352A): https://us-cert.cisa.gov/ncas/alerts/aa20-352a\r\nFireEye research: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\r\nMicrosoft publication: https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/\r\nMitigations in the network\r\nAn appropriate first step in identifying the presence of malicious activity within the corporate environment is to analyze network traffic for potential attack indications. Relevant functions that can assist in this effort include: signature and heuristic analysis of potential malware, identification of outbound command and control traffic involved in the attack process, and intrusion prevention signatures for signs of potential exploitation. The easiest way to leverage such capabilities is to activate protections within security technologies operating in the network.\r\nCheck Point gateways include an array of technologies that can assist with network-level remediation and investigation efforts.
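The triage logic described under “About the Sunburst event” (a lookup of a victim-specific avsvmcloud.com subdomain shows the backdoor was present; further unexplained communications from the same Orion host are what separate an activated backdoor from a dormant one) can be scripted against resolver logs before any vendor signature is involved. The following is an added example and not code from the Check Point post; the log format, the client addresses, the avsvmcloud.com labels and the baseline of expected destinations are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Suffix of the victim-specific callback domain named in the Sunburst reporting.
C2_SUFFIX = '.avsvmcloud.com'

# Constructed baseline: destinations an Orion server is expected to contact.
# In practice this comes from the server's own history before the suspect window.
EXPECTED_DESTINATIONS = {'updates.solarwinds.com'}

# How long after the first C2 lookup to look for follow-on activity.
FOLLOWUP_WINDOW = timedelta(hours=24)

# Constructed resolver log: ISO timestamp, querying client, queried name.
# Illustrative records only; the addresses and the avsvmcloud.com labels are invented.
SAMPLE_DNS_LOG = '''
2020-12-13T09:00:01Z 10.0.5.20 updates.solarwinds.com
2020-12-13T09:02:11Z 10.0.5.20 constructedlabel01.avsvmcloud.com
2020-12-13T09:41:09Z 10.0.5.20 update.example-cdn.test
2020-12-13T11:05:44Z 10.0.5.21 constructedlabel02.avsvmcloud.com
2020-12-13T11:07:00Z 10.0.5.21 updates.solarwinds.com
2020-12-13T12:00:00Z 10.0.7.9 updates.solarwinds.com
'''


def parse_dns_log(text):
    '''Parse whitespace-separated resolver records into (datetime, client, qname) tuples.'''
    records = []
    for line in text.strip().splitlines():
        stamp, client, qname = line.split()
        when = datetime.strptime(stamp, '%Y-%m-%dT%H:%M:%SZ')
        records.append((when, client, qname.lower().rstrip('.')))
    return records


def is_c2_beacon(qname):
    '''True for the apex or any subdomain of the C2 domain; the same label buried
    elsewhere in a name (avsvmcloud.com.example.test) does not match.'''
    return qname == C2_SUFFIX[1:] or qname.endswith(C2_SUFFIX)


def triage(records, expected=EXPECTED_DESTINATIONS, window=FOLLOWUP_WINDOW):
    '''For each client that resolved the C2 domain, record its first beacon time and the
    distinct non-baseline names it queried within the window afterwards.'''
    first_beacon = {}
    for when, client, qname in sorted(records):
        if is_c2_beacon(qname) and client not in first_beacon:
            first_beacon[client] = when
    findings = {}
    for client, start in first_beacon.items():
        followups = sorted({
            qname for when, c, qname in records
            if c == client and start <= when <= start + window
            and not is_c2_beacon(qname) and qname not in expected
        })
        findings[client] = {'first_beacon': start, 'followups': followups}
    return findings


def classify(findings):
    '''A beacon alone means the backdoored DLL ran; unexplained follow-on lookups from the
    same host are what warrant treating it as an active intrusion.'''
    return {client: ('INVESTIGATE' if f['followups'] else 'BEACON_ONLY')
            for client, f in findings.items()}


if __name__ == '__main__':
    results = triage(parse_dns_log(SAMPLE_DNS_LOG))
    for client, verdict in classify(results).items():
        print(client, verdict, results[client]['followups'])
```

On the constructed log, 10.0.5.20 beacons and then resolves a name outside its baseline, so it is marked INVESTIGATE; 10.0.5.21 beacons but only contacts expected destinations afterwards and is marked BEACON_ONLY; 10.0.7.9 never resolves the C2 domain and does not appear in the findings at all. The baseline set is the weak point of this approach: it has to be built from the host’s own pre-incident history, not from a generic allowlist.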
Customers with gateways (physical and virtual) who are licensed for Next Generation Firewall (NGFW), Next Generation Threat Prevention (NGTP) or Next Generation Threat Prevention and SandBlast (SNBT, previously known as NGTX) need only update their protection packages or activate automatic updating to protect their networks from elements of the Sunburst attack:\r\nProtection | Software Blade | License Bundle\r\nTrojan.Win32.SUNBURST.TC.XXX | Anti-Virus | NGTP/SNBT\r\nHackTool.Wins.FE_RT.A\u003cXX\u003e | Threat Emulation | SNBT\r\nBackdoor.Win32.SUNBURST.XX | Anti-Bot | NGTP/SNBT\r\nBackdoor.Win32.Beacon.\u003cA-H\u003e | Anti-Bot | NGTP/SNBT\r\nSunburst Backdoor Suspicious Traffic (CPAI-2020-1309) | IPS | NGFW/NGTP/SNBT\r\nCheck Point will continue to update its indicators and to add more identifiers as they become available. These will be added to Check Point’s ThreatCloud platform on a real-time basis.\r\nAutomated event analysis\r\nCritical to Sunburst remediation efforts is the ability to find evidence of impact quickly. Automated event analysis tools play an important role in such investigative efforts. Check Point makes this possible with its InfinitySOC solution.\r\nCheck Point researchers have integrated publicly available Sunburst indicators as well as proprietary intelligence data into InfinitySOC. Administrators can leverage the cloud-based platform to search for Sunburst indicators within network, cloud and endpoint environments. The solution also provides event investigation tools to drill down into findings to validate and plan remediation steps.\r\nIn the following screenshot we see identified Sunburst indicators with their corresponding addresses, associated risk levels and attack family association.
In addition we see timeline charts that represent the number of connections to the Sunburst indicators.\r\nInformation on InfinitySOC is available via Check Point’s website.\r\nAutomated Sunburst logging\r\nThe logging and reporting functions built in to Check Point’s management suite have also been updated to search for Sunburst indicators. Organizations can leverage their existing management platforms to query log data for the known indicators.\r\nSecurity CheckUp\r\nCustomers who do not employ Check Point network protections or are not licensed for these capabilities can leverage a quick assessment process called Security CheckUp. This process does not impact production traffic. To perform a Security CheckUp, an organization would work with a Check Point engineer to install a security gateway on a mirror port or elsewhere in the network. Once in place, the activated device will immediately generate event data associated with the Sunburst attack and other threats.\r\nInformation on how to run a Security CheckUp is available on the Check Point website.\r\nThe host: a primary target\r\nAs covered in multiple descriptions of the Sunburst attack (see section “About the Sunburst event” above), a primary vector used in this attack was a vulnerability that was inserted into the SolarWinds Orion platform, specifically the vulnerable versions noted earlier in this document. The installation of these updates on the server included a backdoored file, SolarWinds.Orion.Core.BusinessLayer.dll, that the attacker would use to connect to the server and initiate additional changes. As with any security incident targeting a server or computer, such changes might include modification to directories and files or configuration elements.
Depending on where an attacker is in her or his timeline, such changes can become indicators of an attack in progress. Or, if an attacker was insufficiently adept at cleaning her or his tracks, these modifications can also be used to identify whether a machine was compromised.\r\nWhile certainly standard practice, it is important to note that organizations should never take the protection of servers and computers for granted. Thus, even though this specific attack would have bypassed traditional server-level access control and malware prevention, the success of this attack does not mean that best practices based on least privilege and host-based threat prevention are no longer relevant. Indeed, in some ways, these sorts of events remind us that fundamental security controls are more important today than ever before.\r\nThreat hunting\r\nA crucial first step in identifying affected machines is to establish visibility into events affecting servers and computers. These would include changed files, activated processes, changes to the system registry and network activity entering and leaving potentially impacted machines.\r\nOrganizations should also perform a full forensic evaluation of an Orion server’s storage devices, which can only be performed after taking the server offline.\r\nCheck Point provides a powerful solution to assist with assessment efforts of threats targeting servers and computers. The company’s SandBlast Agent includes a unique Threat Hunting capability that provides detailed visibility into infected assets and correlates such activity with the MITRE ATT\u0026CK™ Framework. The solution also includes attack diagnostics and remediation capabilities that enable administrators and incident response teams to triage and resolve attacks quickly.\r\nActivating Threat Hunting is a very simple process.
An administrator would open the user interface, access either the “Threat Prevention” or “Forensics” tab of the “Policy” section and toggle the “Threat Hunting” switch to “On.” From there the only additional required step is to save the policy change and install it on the management server.\r\nOnce this change has been made, SandBlast Agents operating within the environment will populate data into the Threat Hunting interface, which administrators can use to hunt for related events.\r\nAs shown in the screenshot below, and since the initial announcement of the Sunburst attack, Check Point has updated the pre-defined queries of the Threat Hunting solution to look for Sunburst indicators automatically. This is intended to simplify the search for indicators of Sunburst activity and to enable organizations to rapidly determine risk levels and define remediation plans.\r\nInformation on SandBlast Agent is available on the Check Point public website at: https://www.checkpoint.com/products/advanced-endpoint-protection/. Customers interested in activating the Threat Hunting capabilities of the solution can follow the simple steps outlined in the document entitled “SandBlast Agent Threat Hunting Onboarding,” which is available in the Check Point SecureKnowledge repository (SK: 170052).\r\nAdditional considerations\r\nOrganizations impacted by the Sunburst incident reported malicious activity targeting Security Assertion Markup Language (SAML) use cases. It is therefore critical to consider a series of practical changes to SAML practices, including:\r\n1. Strengthen credentials by enforcing multi-factor authentication for users and devices\r\n    1. Avoid long SAML token durations, for example a time limit of no longer than one hour\r\n    2.
Monitor tokens for identical timestamps, which would indicate abnormal behavior\r\n    3. Look for tokens that have associated logins with user accounts within an hour of the token’s initial generation\r\n2. Monitor all services for unusual sign-ins and changes to tokens or keys\r\n    1. Considering the nature of the Sunburst attack, pay special attention to Office 365\r\n3. Reset/replace/re-issue all sensitive API key integrations, such as those leveraged by multi-factor authentication, SAML integrations, website configuration files and others\r\n4. Look for network-specific artifacts, especially API calls that reference cloud assets and services\r\nShould the SolarWinds Orion solution continue to be used, it is imperative that organizations:\r\n1. Reset all credentials used by or stored in SolarWinds software\r\n2. Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed\r\n3. Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources\r\nCoverage of the Sunburst incident suggested that cloud-based services were among the primary targets of the threat actors. As organizations move more services to the cloud, it is becoming increasingly important to understand potential risks to Infrastructure as a Service (IaaS) implementations.\r\nCloud security posture management (CSPM) solutions can be beneficial to quickly identify potential deviance from best practice. They include out-of-the-box regulatory compliance and best practice assessment tools.
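The SAML hygiene items above can be checked mechanically against an identity provider’s token-issuance and sign-in logs. The following is an added example, not code from the Check Point post. It flags tokens whose validity window exceeds one hour, distinct tokens issued with an identical timestamp, and tokens for which no sign-in by the subject exists within the hour before issuance; treating the absence of such a login as the anomaly is this example’s reading of item 3, and the record layouts and sample events are constructed rather than taken from any real identity provider.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_TOKEN_LIFETIME = timedelta(hours=1)   # token validity no longer than one hour
LOGIN_WINDOW = timedelta(hours=1)         # a sign-in by the subject should precede issuance


def ts(text):
    return datetime.strptime(text, '%Y-%m-%dT%H:%M:%SZ')


# Constructed token-issuance records, one per SAML assertion the IdP logged.
# The field names are an assumption; real IdP logs label these differently.
SAMPLE_TOKENS = [
    {'id': 'tok-001', 'subject': 'alice@example.test', 'issued': '2020-12-14T08:00:00Z',
     'not_before': '2020-12-14T08:00:00Z', 'expires': '2020-12-14T09:00:00Z'},
    # 24-hour validity window
    {'id': 'tok-002', 'subject': 'bob@example.test', 'issued': '2020-12-14T08:05:00Z',
     'not_before': '2020-12-14T08:05:00Z', 'expires': '2020-12-15T08:05:00Z'},
    # two tokens for one subject with an identical issue instant, and no sign-in by that subject
    {'id': 'tok-003', 'subject': 'svc-mailbox@example.test', 'issued': '2020-12-14T03:00:00Z',
     'not_before': '2020-12-14T03:00:00Z', 'expires': '2020-12-14T04:00:00Z'},
    {'id': 'tok-004', 'subject': 'svc-mailbox@example.test', 'issued': '2020-12-14T03:00:00Z',
     'not_before': '2020-12-14T03:00:00Z', 'expires': '2020-12-14T04:00:00Z'},
]

# Constructed interactive sign-in events from the same IdP.
SAMPLE_LOGINS = [
    {'subject': 'alice@example.test', 'time': '2020-12-14T07:58:30Z'},
    {'subject': 'bob@example.test', 'time': '2020-12-14T08:04:10Z'},
]


def check_lifetime(tokens, limit=MAX_TOKEN_LIFETIME):
    '''Tokens whose NotOnOrAfter minus NotBefore window exceeds the limit.'''
    return [t['id'] for t in tokens if ts(t['expires']) - ts(t['not_before']) > limit]


def check_identical_timestamps(tokens):
    '''Groups of distinct tokens sharing one issue instant, as a forged batch would.'''
    by_instant = defaultdict(list)
    for t in tokens:
        by_instant[t['issued']].append(t['id'])
    return [sorted(ids) for ids in by_instant.values() if len(ids) > 1]


def check_missing_login(tokens, logins, window=LOGIN_WINDOW):
    '''Tokens with no sign-in by their subject in the window before issuance.
    A token minted with a stolen signing key never passes through the login flow,
    so it has no authentication event to correlate with.'''
    by_subject = defaultdict(list)
    for event in logins:
        by_subject[event['subject']].append(ts(event['time']))
    missing = []
    for t in tokens:
        issued = ts(t['issued'])
        preceded = any(issued - window <= login <= issued
                       for login in by_subject.get(t['subject'], []))
        if not preceded:
            missing.append(t['id'])
    return missing


def audit(tokens, logins):
    return {
        'long_lifetime': check_lifetime(tokens),
        'identical_issue_instant': check_identical_timestamps(tokens),
        'no_preceding_login': check_missing_login(tokens, logins),
    }


if __name__ == '__main__':
    for finding, ids in audit(SAMPLE_TOKENS, SAMPLE_LOGINS).items():
        print(finding, ids)
```

On the constructed data tok-002 is reported for its 24-hour lifetime, and tok-003 and tok-004 are reported twice: once as a pair sharing an issue instant and once each for having no sign-in to correlate with. A token that is exactly one hour long (tok-001) is not flagged, so the limit is a ceiling rather than a strict bound. The same kind of rule-driven review is what CSPM assessment tools apply to cloud account and service configuration.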
These review configuration settings within cloud systems and highlight areas of concern in how applications and services interact within cloud environments.\r\nThe Check Point CloudGuard CSPM offering provides a rich array of such assessment frameworks, including automated assessments based on the CIS Microsoft Azure Foundations Benchmark v1.1.0, with inspections for multi-factor authentication and other critical identity and access management (IAM) considerations.\r\nInformation on Check Point’s CSPM offering is available online.\r\nGoing forward: lessons learned and next steps\r\nSecurity incidents present an opportunity to reevaluate and improve information security programs comprehensively. They show us threat vectors that we previously might have overlooked and raise awareness across the organization of the need to improve existing controls or implement new ones.\r\nIn light of the critical nature of the Sunburst attack, Check Point recommends that organizations take a number of steps that can potentially be beneficial in reducing future risk, including:\r\n1. Security Architecture – consider aligning security programs to the Zero-Trust model, which embraces macro and micro segmentation of the network to block lateral malware movement (East-West) within the network, data center domain and cloud\r\n2. Advanced Threat Prevention – all environments should be protected with deep packet inspection technologies and protections for persistent and complex threat vectors, which would include Next Generation firewalling to protect network segments and workloads in virtual fabrics (e.g. VMware, public IaaS)\r\n3. Cloud workload protection – Kubernetes/container nodes should be protected with Cloud Workload Protection Platform (CWPP) functions, such as network access control, Anti-Bot, CloudBots, Anti-Virus and sandboxing\r\n4.
DevSecOps – ensure that software development environments are assured by a security posture management solution (CSPM) along with CI/CD pipeline development processes that incorporate threat hunting analysis and source code scanning, including verification of libraries downloaded from external sources\r\n5. Endpoint – as a main target and attack vector, endpoint security should be viewed within the context of Zero Trust Network Access (ZTNA), and endpoint protections need to be enriched with next generation protections\r\nThe following sections provide additional detail on elements of the above recommendations.\r\nArchitectural considerations\r\nConsidering the lateral movement elements of the Sunburst attack, an assessment of existing network segmentation practices would be very relevant. This would include ensuring that network-level access control enforces segmentation according to the principle of least privilege. Core functions and critical data repositories should be firewalled from other parts of the network with strict rules that limit user, network and application access only to the bare minimum of resources.
In addition, traffic flows should be controlled to prevent access from Internet-connected systems, even those that require periodic connections to vendor software updates.\r\nFor organizations that have moved much of their services to Azure, or are in the process of doing so, Check Point recommends a security architecture approach that leverages multiple layers of protection. This approach incorporates:\r\nAdvanced threat prevention across the environments and between Azure and private data centers\r\nMacro and micro-segmentation within the Azure IaaS functions\r\nAccess control according to a hub and spoke design\r\nCentralized security policy management within the cloud or on premise\r\nCloud security posture management\r\nCloud-delivered threat prevention for user traffic to SaaS applications and general Internet traffic\r\nAPI-level inspection for rogue connections and embedded threats\r\nAutomated forensics of host and user events and threats\r\nThe diagram below summarizes the above points into a network topology. More information on this design recommendation is available in the Check Point website’s best practices section, at: https://www.checkpoint.com/architecture/security-best-practices/.\r\nCloud Native Application Protection Platform\r\nBesides countermeasures to detect and mitigate challenges presented by attacks such as Sunburst, organizations should also consider augmenting their methods for ensuring code integrity. With the possibility of “copycat” attacks and the accelerated development timelines associated with cloud technologies and CI/CD practices, the risk of future supply chain attacks making their way into new software packages is especially relevant.\r\nThe diagram below, which was proposed by Gartner, provides a unified overview with multiple security control areas.
The concept building blocks are Cloud Security Posture Management, Cloud Workload Protection Platform and Cloud Network Security.\r\nCI/CD pipeline security\r\nThese recommendations can also be applied to the CI/CD pipeline. Code-level vulnerabilities can be identified through code analysis, containers can be assessed along with associated elements, such as the libraries used in the development process, and application monitoring can be performed with advanced automated methods.\r\nSunburst teaches us that attackers can maintain persistence for extended periods of time. It is therefore increasingly important to consider control plane protections. These mechanisms could be implemented with admission controllers and runtime engines, which include advanced and modern technologies such as machine learning and artificial intelligence for behavioral analysis.\r\nThe suggested approach incorporates:\r\nSecure application development: ensure proper logging and static, dynamic and interactive application security testing (SAST/DAST/IAST) of code and dependencies\r\nConfiguration and settings: implement reliable secrets management (ConfigMaps only for non-sensitive data, Secret resources for sensitive information/credentials), and mount secrets as volumes rather than environment variables\r\nGovernance: use pod security policies (disable privileged containers, use read-only file systems), enforce network policies, use Role-Based Access Control (RBAC)\r\nPosture management: reference the CIS Kubernetes Benchmark, NIST SP 800-190 and others\r\nSuggested Architecture for Kubernetes environments\r\nWith corporate systems quickly moving to container-based approaches, the need for cloud native protection strategies has become more critical.
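The configuration and governance items above (secrets delivered through volumes rather than environment variables, no privileged containers, read-only root file systems) are exactly the kind of rule an admission controller evaluates before a pod is scheduled. The following is an added example that is not part of the Check Point post: it applies those three rules to a pod spec in the JSON-compatible form a validating webhook receives, with a weak manifest beside its hardened counterpart. Both manifests are constructed, and the webhook plumbing (HTTP server, AdmissionReview envelope) is left out so the policy logic runs stand-alone.

```python
# Constructed pod manifests, as the JSON-compatible dicts an admission webhook receives.
# Names, namespaces and images are invented for illustration.
WEAK_POD = {
    'apiVersion': 'v1', 'kind': 'Pod',
    'metadata': {'name': 'payments-api', 'namespace': 'prod'},
    'spec': {'containers': [{
        'name': 'api', 'image': 'registry.example.test/payments-api:1.0',
        'securityContext': {'privileged': True},
        # credential injected as an environment variable: readable by every process in the
        # container and by anyone who can describe the pod or read its process environment
        'env': [{'name': 'DB_PASSWORD',
                 'valueFrom': {'secretKeyRef': {'name': 'db-creds', 'key': 'password'}}}],
    }]},
}

HARDENED_POD = {
    'apiVersion': 'v1', 'kind': 'Pod',
    'metadata': {'name': 'payments-api', 'namespace': 'prod'},
    'spec': {
        'containers': [{
            'name': 'api', 'image': 'registry.example.test/payments-api:1.0',
            'securityContext': {'privileged': False, 'allowPrivilegeEscalation': False,
                                'readOnlyRootFilesystem': True},
            # same Secret, mounted as a read-only file instead of an environment variable
            'volumeMounts': [{'name': 'db-creds', 'mountPath': '/var/run/secrets/db',
                              'readOnly': True}],
        }],
        'volumes': [{'name': 'db-creds', 'secret': {'secretName': 'db-creds'}}],
    },
}


def evaluate_pod(pod):
    '''Return the policy violations for a pod; an empty list means it may be admitted.
    Init containers are checked with the same rules as regular containers.'''
    violations = []
    spec = pod.get('spec', {})
    for container in spec.get('initContainers', []) + spec.get('containers', []):
        name = container.get('name', '<unnamed>')
        sc = container.get('securityContext') or {}
        if sc.get('privileged'):
            violations.append(name + ': privileged container')
        if not sc.get('readOnlyRootFilesystem'):
            violations.append(name + ': root filesystem is writable')
        for env in container.get('env', []):
            source = env.get('valueFrom') or {}
            if 'secretKeyRef' in source:
                violations.append(name + ': secret ' + source['secretKeyRef']['name']
                                  + ' exposed as environment variable ' + env['name'])
        for env_from in container.get('envFrom', []):
            if 'secretRef' in env_from:
                violations.append(name + ': secret ' + env_from['secretRef']['name']
                                  + ' exposed via envFrom')
    return violations


def admission_decision(pod):
    '''Shape of the verdict a validating webhook would return for the pod.'''
    violations = evaluate_pod(pod)
    return {'allowed': not violations, 'violations': violations}


if __name__ == '__main__':
    for label, pod in (('weak', WEAK_POD), ('hardened', HARDENED_POD)):
        print(label, admission_decision(pod))
```

The weak manifest is rejected on all three counts, the hardened one is admitted. Note that the secret still reaches the container in the hardened form; the point of the volume mount is that it is a file with its own permissions and is not copied into the process environment, where it would leak through crash dumps, child processes and debugging endpoints. Network policies and RBAC, the other two governance items, are cluster objects rather than pod fields and need their own checks.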
Check Point recommends considering a Zero-Trust approach to protecting Kubernetes environments. Following this approach would isolate development, testing and production environments, including limiting and inspecting traffic between services (namespaces) as much as possible.\r\nThe security organization needs to play a role in cloud and agile development. It needs to ensure that standards are applied and that protections exist for risky communications. DevOps and DevSecOps teams partner with security to manage platforms and application tiers.\r\nOrganizations interested in working with Check Point on understanding a secure transition to cloud-driven technology strategies can participate in the company’s security architecture workshop program. Information on this service can be obtained through their Check Point account team or online at: https://www.checkpoint.com/support-services/security-workshop/.\r\nCustomers can also reference more detailed architectural recommendations on the Check Point best practice site, at: https://www.checkpoint.com/architecture/security-best-practices/.\r\nSummary\r\nWhile much about the SolarWinds Sunburst and related attack activities remains unknown, available information suggests the involvement of a highly capable nation-state actor who was able to build a supply chain attack that impacted many high profile organizations.\r\nThe tactics employed by the threat actor successfully bypassed the security precautions of sophisticated security teams. Nevertheless, this event serves as an opportunity for security practitioners to learn lessons and identify opportunities to improve security strategies.\r\nOutlined in the previous pages were practical steps that organizations can take to identify and mitigate the effects of a Sunburst incident.
The guidelines above remind us that the traditional security practices of least privilege and segmentation can reduce the potential impact of even the most advanced attacks. In addition, automated analysis and advanced threat prevention techniques arm us with new capabilities to identify potential attacks and respond to them more quickly than ever before.\r\nSource: https://blog.checkpoint.com/2020/12/21/best-practice-identifying-and-mitigating-the-impact-of-sunburst/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/2020/12/21/best-practice-identifying-and-mitigating-the-impact-of-sunburst/"
	],
	"report_names": [
		"best-practice-identifying-and-mitigating-the-impact-of-sunburst"
	],
	"threat_actors": [],
	"ts_created_at": 1776651665,
	"ts_updated_at": 1776651747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1dff2b571a7775bfab3f5c1216d5849b82d940b8.pdf",
		"text": "https://archive.orkl.eu/1dff2b571a7775bfab3f5c1216d5849b82d940b8.txt",
		"img": "https://archive.orkl.eu/1dff2b571a7775bfab3f5c1216d5849b82d940b8.jpg"
	}
}