Top Threats

CISA AR21-134A Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise

    Posted May 17, 2021 01:49:00 AM
    Hi All,

    CISA has published AR21-134A Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise.

    CISA has provided this guidance to federal agencies with networks that used affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity. CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations labels these as Category 3 agencies. This guidance is intended to support Category 3 agencies in crafting their eviction plans in accordance with ED 21-01: Supplemental Direction Version 4. Note: agencies should refer to CISA Alert AA20-352A for guidance on determining if they are Category 3. CISA is aware of other initial access vectors; agencies should not assume they are not compromised by this APT actor solely because they have never used affected versions of SolarWinds Orion. Those agencies should investigate to confirm they have not observed related threat actor tactics, techniques, and procedures (TTPs). CISA recommends any agency that detects related activity review this guidance as well as CISA Alert AA20-352A, and contact CISA for further assistance.

    Although this guidance is tailored to federal agencies, CISA encourages critical infrastructure entities; state, local, territorial, and tribal government organizations; and private sector organizations to review and apply it, as appropriate.

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------