
Published: 8th January 2021

Leveraging the Power of Microsoft Azure Sentinel

Just before the Christmas break of 2020, governments and organisations across the globe went into full emergency mode in an attack that has since then been labelled “Solorigate” (also referred to as SUNBURST by FireEye) – one of the biggest and most complex cyber-attacks of all time.

The cyber-attack, largely attributed to a Russian intelligence-backed threat actor group called Cozy Bear, employed tactics, techniques, and procedures (TTPs) that were of particular concern to national security.

The USA is believed to have been their primary target, in what is being labelled an “unprecedented nation-state attack”, with very high-profile government entities affected, such as the Commerce and Treasury departments, the Centers for Disease Control and the Justice Department.

Top cyber security experts speculate it may take organisations several months to fully understand the extent of the damage Solorigate has caused, including any data affected, identities compromised, or other high-value targets impacted.

The bad guys never sleep, so neither do we

As part of our 24×7 Security Operations Centre (SOC), the team at Quorum Cyber was paying very close attention when the news of Solorigate hit the headlines at around 03:00 UK time.

While the world digested the news, we immediately began leveraging the power of the Microsoft security stack on our customers’ behalf. Our White Team (dedicated to the analysis of strategic threat intelligence) began threat hunting for the threat actor across our customers, utilising the cutting-edge Microsoft Azure Sentinel (SIEM) and Microsoft 365 Defender (XDR) technologies.

The first stage was to triage the customers who had been affected by the breach, enabling us to quickly quarantine compromised systems and execute Incident Response playbooks.

By isolating affected hosts and implementing enhanced monitoring across related assets, our team was able to have visibility across our customers – all within one hour of the public announcement of Solorigate.

By hour two, the team had issued affected customers a Major Incident Report, detailing exactly what this new threat was, the potential impact it could have had on their business operations, the actions Quorum Cyber undertook on their behalf, and a complete breakdown of the next steps required to ensure full containment and remediation of the threat.

Protected before your first cup of coffee

Experts have speculated that Solorigate lay dormant in environments all over the globe since early spring and has breached more than 18,000 organisations, including the U.S. Department of Homeland Security.

By harnessing the power of Azure Sentinel and Microsoft Defender, coupled with our own expert knowledge and skillsets, our team was able to detect, triage, and contain the threat to our customers before they had even learnt about the attack, or had their first morning coffee.

We help good people win

Solorigate provided Quorum Cyber with a unique opportunity to show our customers why we do what we do – we enable our customers to confidently operate in an increasingly hostile digital landscape, reducing risk and defending them against cyber security breaches and attacks.

This is for us what a SOC should be. And this is what is possible through our partnership with Microsoft. Our customers can rest assured, knowing the Quorum Cyber team will always unleash their passion, drive, and determination, combined with the best technology in the world, to keep their organisation safe.

“Recently, I saw the best of Quorum Cyber. While the world was learning about the Solorigate attack, our team started threat hunting across all our customers, harnessing the power of Azure Sentinel and Microsoft Defender.

As this incident has shown us all, cyber attacks and breaches can happen at any moment. For us, closing and submitting a Major Incident Report to our customers before they had even had their first cup of coffee is the absolute epitome of who we want to be, and one of the best ways to demonstrate value.

This is what is possible. This is Azure Sentinel. This is Quorum Cyber.”

– Federico Charosky, Managing Director, Quorum Cyber

“In the face of a sophisticated cyber-attack, such as Solorigate, we are pleased to know that our mutual customers can rely on Quorum Cyber’s Azure Sentinel-powered SOC and Microsoft Defender Managed Service to help protect their business, its people, and its customers.

We know that Quorum Cyber will continue to leverage the Microsoft security ecosystem – as well as making its own security expertise and risk mitigation strategies readily available – to help customers hunt, detect and remediate threats like Solorigate.”