CISA Issues Guidance on Evicting Adversaries from Networks Following SolarWinds Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on evicting threat actors from networks compromised in the SolarWinds Orion supply chain attacks and, including subsequent compromises of Active Directory and M365 environments.

The attacks have been attributed to threat actors tied to the Russian Foreign Intelligence Service (SVR). After gaining network access through the update mechanism of SolarWinds Orion, the threat actor selected targets of interest for further compromise and bypassed multi-factor authentication methods and moved laterally into Microsoft 365 environments by compromising federated identity solutions. Most of the targets selected for further compromise were government departments and agencies and critical infrastructure organizations, although private sector organizations may also have experienced more extensive compromises.

The guidance applies to evicting adversaries from on-premises and cloud environments and includes a 3-phase remediation plan. CISA notes that malicious compromises are unique to each victim, so careful consideration must be given to each of the steps and the guidance then applied to the unique environment of each breached entity to ensure success.

All three phases are required to fully evict an adversary from either on-premises or cloud environments, so shortcuts should not be taken. The failure to follow all steps could result in substantial, long-term undetected Advanced Persistent Threat (APT) activity, prolonged theft of data, and erosion of public trust in victims’ networks.

The guidance provides the plan for evicting adversaries from a network, but does not provide specific details on how the required actions should be taken.

Any attempt to evict an adversary from the network requires a pre-eviction phase, an eviction phase, and a post-eviction phase. The pre-eviction phase is concerned with confirming tactics, techniques, and procedures (TTTPs) associated with the attacks and fully investigating the true scope of compromise. During the remediation process, steps will be taken to improve security and build more resilient networks; however, the eviction process is complex, time-consuming, and will require business networks to be disconnected from the Internet for 3-5 days.

A thorough risk assessment must be conducted prior to any eviction attempt to understand the potential impacts on critical business functions. There will likely be disruption to business operations, so it is essential that the remediation efforts are properly planned, the impact on the business is fully understood, and appropriate resources are made available to limit disruption.

After completing all eviction steps, entities enter into the post-eviction phase which involves confirming the adversary has been evicted. This phase includes integrating detection mechanisms, configuring endpoint forensics and detection solutions for aggressive collection, and maintaining vigilance, with steps taken over the 60 days after completing the eviction phase.

“In the hours, days, and weeks after the network’s internet connection is restored, the agency’s detection capability will be important in verifying that all threat actor activity within the enterprise has stopped,” explained CISA. “Extended vigilance is necessary because this threat actor has demonstrated extreme patience with follow-on activity.”

CISA’s Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise can be found on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.