- February 10, 2021: More details on how Public Disclosures are attributed to a company.
- January 8, 2021: Added “How are Other Disclosure findings attributed to a company?” question; Added reference to data confidence levels.
- December 23, 2020: Published.
Learn more about the SolarWinds attack.
- How is Bitsight able to determine if a company is a SolarWinds user?
- How are Public Disclosures based on DNS data attributed to a company?
- How do incidents like the SolarWinds attack impact a company’s Bitsight Security Rating?
- Why do the Service Provider and Product portfolio filters yield lower confidence results?
How is Bitsight able to determine if a company is a SolarWinds user?
Refer to the confidence level in the data while determining a company’s level of exposure. We mark our confidence as either “high confidence” or “potential,” as in the examples below.
You can discover exposures of high confidence by using the Software filter in your portfolio. This identifies SolarWinds Orion Configuration Manager web administration interfaces that are exposed to the Internet. When SolarWinds Orion has been detected using this method, there is greater confidence that the organization is using the product. However, exposing the web administration interface to the Internet is not standard practice. An organization may still be using SolarWinds Orion even if we do not detect it.
You can discover potential exposure by using the Service Provider and Products filters in your portfolio. Data are collected via Natural Language Processing of web scraped data, with sources including job postings, resumes, and government filings. We can identify SolarWinds as a Service Provider and Orion Network Configuration Manager as a Product based upon mentions in these sources.
Given the nature of the source documents used to identify these relationships, you may encounter third parties that are shown to have Orion Network Configuration Manager but that no longer use it, or never used it. There may also be additional organizations using Orion Network Configuration Manager that this approach has not identified.
In the case of SolarWinds/Orion Network Configuration Manager, and of fourth parties in general, we recommend using this data to drive prioritization and validating any usage of a fourth-party service provider that may be of concern.
Learn more about our network mapping process.
How are Public Disclosures based on DNS data attributed to a company?
The Sunburst malware used a domain generation algorithm (DGA) to encode information about the affected organization into the subdomain of the hostname it used to contact its command and control (C2) server. This information included the Active Directory domain configured on the local system. That value is often an internal label, real or arbitrary, but it can also correspond to a legitimate, public domain name, which lets us attribute the observation to an organization.
If you would like to know more about Sunburst and how the research community decoded the DGA domain, we recommend the following reading:
Netresec, “Reassembling Victim Domain Fragments from SUNBURST DNS”
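As an added illustration of the encoding described above (not code from Bitsight or from the Netresec article), the following decoder reverses the substitution cipher that the research community recovered from the Sunburst sample and reassembles the fragments seen for one host. The 16-character victim identifier assumed to prefix each query, the placeholder C2 suffix `c2-domain.example`, the sample queries and the in-order reassembly are constructed assumptions, and the "00"-prefixed variant of the encoding is not handled.

```python
# Substitution alphabet and escape set as recovered from the SUNBURST sample
# by public research (see the Netresec article above).
ALPHABET = "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj"
ESCAPED = "0_-."        # chars outside ALPHABET are sent as '0' + marker char
SHIFT = 4
GUID_LEN = 16            # assumed length of the leading per-victim identifier
C2_SUFFIX = ".c2-domain.example"   # placeholder, not the real C2 domain


def decode_fragment(payload):
    """Reverse the cipher on the part of the subdomain after the victim id.
    Returns None for the '00'-prefixed variant (a different, base32-style
    encoding not covered here) or for any character outside the alphabet."""
    if payload.startswith("00"):
        return None
    out, i = [], 0
    while i < len(payload):
        ch = payload[i]
        if ch == "0":                       # escaped char: '0' + marker
            if i + 1 >= len(payload) or payload[i + 1] not in ALPHABET:
                return None
            out.append(ESCAPED[ALPHABET.index(payload[i + 1]) % len(ESCAPED)])
            i += 2
        elif ch in ALPHABET:                # plain char: shifted by SHIFT
            out.append(ALPHABET[(ALPHABET.index(ch) - SHIFT) % len(ALPHABET)])
            i += 1
        else:
            return None
    return "".join(out)


def decode_query(fqdn):
    """Split a queried name into (victim_id, decoded_fragment), or None."""
    name = fqdn.lower().rstrip(".")
    if not name.endswith(C2_SUFFIX):
        return None
    sub = name.split(".")[0]
    if len(sub) <= GUID_LEN:
        return None
    return sub[:GUID_LEN], decode_fragment(sub[GUID_LEN:])


def reassemble(queries):
    """Group fragments by victim id, concatenated in the order observed."""
    parts = {}
    for q in queries:
        r = decode_query(q)
        if r and r[1] is not None:
            parts.setdefault(r[0], []).append(r[1])
    return {vid: "".join(frags) for vid, frags in parts.items()}


# Constructed sample queries (not real observations): one host sending the
# fragments "it-lab0.corp.l" and "ocal" of its AD domain "it-lab0.corp.local".
SAMPLE_QUERIES = [
    "gkz1qn4rbt7cw9xeoi091uc0y0te2sd021.appsync-api.eu-west-1.c2-domain.example",
    "gkz1qn4rbt7cw9xe2eu1.appsync-api.eu-west-1.c2-domain.example",
]
```

Running `reassemble(SAMPLE_QUERIES)` yields `{'gkz1qn4rbt7cw9xe': 'it-lab0.corp.local'}`; an analyst would then check whether the recovered label matches a domain that can be attributed to an organization.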
How do incidents like the SolarWinds attack impact a company’s Bitsight Security Rating?
Why do the Service Provider and Product portfolio filters yield lower confidence results?
The importance of a fourth-party product is derived from the aggregate importance of all assets attributed to the organization on which Orion Network Configuration Manager is used, together with qualitative data we use to deduce which specific asset or assets it is installed on. The Bitsight platform makes conservative assumptions here, which often results in an underestimation of the product's importance to the organization.
Learn more about asset importance.