Place Title Here

Place Title Here - PDF document

daniella
Uploaded On 2021-07-04



Presentation Transcript

CISA INSIGHTS December 2020

CISA | DEFEND TODAY, SECURE TOMORROW cisa.gov central@cisa.gov Linkedin.com/company/cisagov @CISAgov | @cyber | @uscert_gov Facebook.com/CISA @cisagov

What Every Leader Needs to Know About Ongoing APT Cyber Activity

THE THREAT AND HOW TO THINK ABOUT IT

CISA is tracking a significant cyber incident impacting enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and private sector organizations. An advanced persistent threat (APT) actor compromised the SolarWinds Orion software supply chain and is abusing commonly used authentication mechanisms. If left unchecked, this threat actor has the resources, patience, and expertise to resist eviction from compromised networks and continue to hold affected organizations at risk. CISA urges organizations to prioritize measures to identify and address this threat. For details, review the related CISA Alert, which CISA will update as information becomes available.

THE RISK IN DETAIL

A sophisticated APT actor inserted malicious code into certain trusted SolarWinds Orion software updates, which were then made available to customers as legitimate software updates. Once these updates were applied, the APT actor gained access to customer network environments. The immediate danger is that the APT actor can use this access to create new accounts, evade common means of detection, obtain sensitive data, move across a network unnoticed, and establish additional persistence mechanisms. The APT actor has only targeted some organizations with further network exploitation. However, all organizations that installed the compromised updates remain at risk without corrective action.

CISA is also investigating incidents, not connected with SolarWinds, where abuse of Security Assertion Markup Language (SAML) authentication is present. This activity is consistent with the APT actor's behavior. CISA strongly recommends that all organizations investigate, and, as applicable, remediate (potentially rebuild), and share information with those assisting in this massive response effort.

ACTIONS FOR TODAY

1. Determine whether your organization is affected. Consult with your information security team to determine if your organization has, or has ever had, one of the affected versions of SolarWinds Orion installed and initiate incident response. If you do not have in-house expertise, seek third-party support. Keep in mind that your organization's managed service providers may have been compromised as part of these events, which could have implications for your operations.

2. If affected, make incident response and remediation your top priority. Leadership—working with legal, financial, and operations personnel—should empower information security staff to take appropriate action based on their expertise and to collaborate with internal and external partners.

3. Allocate sufficient resources. Provide executive support and empower information security staff or third-party support to thoroughly investigate your IT environment for adversary activity. Consider engaging third-party support with experience eradicating APTs from enterprise networks. Following incident response, your organization may need to rebuild all network assets monitored by SolarWinds Orion; this will be a resource-intensive, highly complex, and lengthy undertaking.

4. Seek further guidance. Refer to the related CISA Alert, Emergency Directive, and National Security Agency advisory, as well as future guidance on cisa.gov/supplychain-compromise.

5. Maintain enhanced during the incident response and remediation processes.

CISA'S ROLE AS THE NATION'S RISK ADVISOR

CISA collaborates with industry and government partners to help organizations understand and counter critical infrastructure and cybersecurity risks associated with the malicious activities of nation-state and non-state actors. CISA provides recommendations to help partners stay vigilant and protected against potential foreign influence operations.