Security News > 2021 > May > CISA: Disconnect Internet for 3-5 Days to Evict SolarWinds Hackers From Network
The United States Cybersecurity and Infrastructure Security Agency has published guidance detailing the steps that organizations affected by the SolarWinds attack should take to ensure they evict the attackers from compromised environments.
The newly published analysis report, AR21-134A, is tailored for federal agencies that used affected versions of SolarWinds Orion and discovered adversary activity within their environments. It details resource-intensive and highly complex steps that will require disconnecting the enterprise network from the internet for three to five days.
"In order to have fully informed senior-level support, CISA recommends that agency senior leadership conduct planning sessions throughout this process to understand the resources needed and any potential disruption in business operations," CISA said.
Critical infrastructure, government organizations, and private sector entities are encouraged to review and apply the guidance to evict the attackers from the network and strengthen security.
"Conducting each step in this guidance is necessary to fully evict the adversary from Category 3 networks. Failure to perform comprehensive and thorough remediation activity will expose enterprise networks and cloud environments to substantial risk for long-term undetected APT activity, and compromised organizations will risk further loss of sensitive data and erosion of public trust in their networks," CISA notes.
In addition to publishing the guidance, CISA made public Emergency Directive 21-01 Supplemental Direction v4, which was issued in April to all federal agencies affected by the SolarWinds compromise. The directive asks agencies to disconnect affected SolarWinds Orion products and perform compromise detection and remediation operations.