Zffoto - stock.adobe.com

DHS CISA Shares Incident Response Tool for On-Prem Threat Activity

The new CISA Hunt and Incident Response Program (CHIRP) tool from DHS is meant to support entities with detection of threat activity and compromise of on-prem environments.

The Department of Health and Human Services Cybersecurity and Infrastructure Security Agency unveiled the CISA Hunt and Incident Response Program (CHIRP) tool, which is designed to support entities detect threat activity within on-prem environments.

CHIRP is a forensics collection tool that will help network defenders find indicators of compromise with two key threat areas: advanced persistent threat (APT) actor attacks tied to the SolarWind compromise and threat activity in Microsoft Cloud environments.

The extent of SolarWinds has continued to expand throughout the first quarter of 2021 impacting hundreds of entities across a range of sectors, including several federal agencies and some of the largest security firms.

Hackers exploited a vulnerability in the Orion platform and trojanized a software update in early 2020. Since then, a number of threat actors have also moved to exploit these flaws with various malware variants, outside of the initial attack vector.

Meanwhile, the Microsoft Cloud attacks are tied to the APT hackers behind the SolarWinds attack, who have been using compromised Microsoft O365 and Azure applications, password exploits, and API access to compromise cloud resources.

CISA alerted to the threat in mid-January, warning that their investigation had revealed these threat actors were able to gain access to victims’ networks by guessing passwords, leveraging password spraying, or exploiting inadequately secured admin credentials -- instead of gaining access through compromised SolarWinds products.

Attackers then used compromised applications within the victim’s Azure or O365 environment, as well as separate credentials and API access to cloud resources in both the private and public sectors.

For both attack vectors, security researchers and CISA have warned that many entities may not know they’ve been compromised, or even that their enterprise is operating with these vulnerabilities.

As such, CISA previously launched an IOC tool to help detect compromises within the cloud. The latest provided tool is specifically meant for on-prem networks.

By default, CHIRP scans for signs of compromise within an on-prem environment, particularly IOCs associated with the malicious activity around SolarWinds threat activities “that have spilled into an on-premises enterprise environment.”

“CHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise,” CISA explained. “CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for signs of APT tactics, techniques, and procedures.” 

“CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity,” they added.

Enterprises can leverage the tool without cost directly from DHS CISA. Officials said they intend to continuously monitor for new threats and will release IOC packages and plugins for new threats, as available.

At its current version, CHIRP looks for the presence of malware identified by security researchers as TEARDROP and RAINDROP, as well as credential dumping certificate pulls, persistence mechanisms tied to the campaign, and system, network and O365 enumeration.

CHIRP is also able to find known observable indicators of lateral movement.

Administrators are urged to leverage CHIRP to examine Windows registry event logs for evidence of intrusion and artifacts tied to SolarWinds activity, as well as to query Windows network artifacts and to apply YARA rules to detect backdoors, malware, or implants.

Given the demand for backdoor access to healthcare networks doubled in 2020, CHIRP could prove invaluable to entities struggling to keep pace with the current threat landscape.

If any abnormal activity is detected, administrators should review and confirm any post-compromise threat activity. CISA noted that it’s provided confidence scores for each IOC and YARA rule to support response efforts.

When a positive hit is confirmed, leaders are encouraged to collect a forensic image of the relevant system and conduct a forensic analysis.

“If an organization does not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support,” CISA officials warned. “Note: Responding to confirmed positive hits is essential to evict an adversary from a compromised network.”

The release provides deep-dive insights and provide answers to what will likely be common questions about the tool’s function. All entities are encouraged to leverage the tool to find and eradicate vulnerabilities and threat actors.

Next Steps

Dig Deeper on Cybersecurity strategies