The CISA Hunt and Incident Response Program (CHIRP) is a new tool released by CISA to identify malicious activity in the aftermath of the SolarWinds cyberattack.

Massive SolarWinds cyberattack:

For those unaware, the SolarWinds hacking attack is cited as the biggest cyberattack of the 21st century, with over 30,000 organizations directly impacted by the cyber-onslaught.

SolarWinds is a leading software company providing IT infrastructure network and monitoring services all around the globe. The cyberattack stemmed from one of the organization’s widely deployed IT performance monitoring products, the Orion software.

Over 30,000 private as well as government organizations using the Orion network management system to manage their IT resources were compromised in the massive supply-chain hacking attack. Thousands of organizational systems, networks, and data were compromised as a consequence of SolarWinds unwittingly delivering the backdoor malware as an update to the Orion software.

What is CHIRP:

Detailing its new release, CISA states that CHIRP is a Python-based tool for the forensic collection of Indicators of Compromise (IOCs).

This in turn will assist network defenders in discovering malicious operations directly linked to the SolarWinds and Active Directory/M365 Compromise. 

CISA has also explained that CHIRP works similarly to Sparrow, a tool recently developed to help network defenders detect possible compromised accounts and applications in the Azure/M365 environment.

In an equivalent manner, CHIRP will also scan for signs of APT compromise within the onboarded organizations.

“In this release, CHIRP, by default, searches for IOCs associated with malicious activity detailed in AA20-352A and AA21-008A that has spilled into an on-premises enterprise environment.”

CHIRP operations:

After CHIRP executes a scan, it outputs JSON-formatted data for further analysis in a SIEM or similar tool.

When run, CHIRP inspects the Windows event logs for artifacts linked to the cyberattack, examines the Windows Registry for evidence of intrusion, queries Windows network artifacts, and applies YARA rules to detect malware, backdoors, and implants.
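
A minimal sketch of the scan-then-emit-JSON flow described above, added here as an illustration; it is not CHIRP's code or its output format. The indicator values, field names, and sample artifacts are constructed assumptions.

```python
import json
import re

# Constructed indicators (placeholders, not values from AA20-352A or AA21-008A).
INDICATORS = [
    {"name": "demo-c2-domain", "artifact": "network", "field": "remote_host",
     "pattern": r"(^|\.)c2-demo\.invalid$"},
    {"name": "demo-persistence-key", "artifact": "registry", "field": "key",
     "pattern": r"\\Software\\DemoImplant(\\|$)"},
    {"name": "demo-log-clear", "artifact": "event_log", "field": "event_id",
     "pattern": r"^1102$"},
]

# Constructed artifacts standing in for what a collector gathers from a host.
ARTIFACTS = [
    {"artifact": "event_log", "event_id": 4624, "channel": "Security"},
    {"artifact": "event_log", "event_id": 1102, "channel": "Security"},
    {"artifact": "registry", "key": r"HKLM\Software\DemoImplant\Run"},
    {"artifact": "network", "remote_host": "update.c2-demo.invalid", "port": 443},
    {"artifact": "network", "remote_host": "notc2-demo.invalid", "port": 443},
]


def scan(artifacts, indicators):
    """Return one finding per (artifact, indicator) match."""
    compiled = [(i, re.compile(i["pattern"], re.IGNORECASE)) for i in indicators]
    findings = []
    for art in artifacts:
        for ind, rx in compiled:
            # Only compare an indicator against its own artifact type and field.
            if art.get("artifact") != ind["artifact"] or ind["field"] not in art:
                continue
            value = str(art[ind["field"]])
            if rx.search(value):
                findings.append({"indicator": ind["name"], "artifact": ind["artifact"],
                                 "field": ind["field"], "matched": value, "record": art})
    return findings


def to_jsonl(findings):
    """Serialize findings as one JSON object per line for downstream ingestion."""
    return "\n".join(json.dumps(f, sort_keys=True) for f in findings)


if __name__ == "__main__":
    print(to_jsonl(scan(ARTIFACTS, INDICATORS)))
```

The anchored domain pattern matches `update.c2-demo.invalid` but not `notc2-demo.invalid`, which keeps look-alike hostnames from producing false findings.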

CHIRP is now freely available on the CISA GitHub repository.