The Cybersecurity and Infrastructure Security Agency (CISA) has published Eviction Guidance to help organizations affected by the cyber intrusion campaigns aimed at SolarWinds Orion and Microsoft Office 365 environments reduce the risk that a threat actor retains a foothold in their networks, and to help those organizations evict the intruders from their networks.
While the guide is directed at federal agencies, CISA said that critical infrastructure entities; state, local, territorial, and tribal government organizations; and private sector organizations should also review and apply it, as appropriate.
Remediation plans detailed by CISA include actions to detect and identify adversary activity within the network, steps to remove the attacker from on-premises and cloud environments, and actions to ensure that the eviction operation was successful:
- Phase 1: Pre-Eviction. Actions to detect and identify APT activity and prepare the network for eviction. Note: for the purposes of this guidance, a network is defined as any computer network with hosts that share either a logical trust or any account credentials with affected versions of SolarWinds Orion.
- Phase 2: Eviction. Actions to remove the APT actor from on-premises and cloud environments. This phase includes rebuilding devices and systems.
- Phase 3: Post-Eviction. Actions to ensure eviction was successful and the network has good cyber posture.
CISA warned that each phase and related steps are necessary to completely eradicate the adversary from the network.
“By taking steps to evict this adversary from compromised on-premises and cloud environments, agencies will position themselves for long-term actions to build more secure, resilient networks,” CISA said.