The recent disclosure of the SolarWinds Orion supply chain attack is just the latest widespread attack to target clients across the globe. This issue is still in the early stages of analysis by the cybersecurity community, and RSM is actively monitoring the situation and providing updated information on our War Room blog (https://warroom.rsmus.com/solarwinds-orion-supply-chain-attack/).
In an effort to address this developing situation, we have created a multi-tiered approach to provide some level of comfort to clients about their potential exposure.
Tier 1 – Preliminary Analysis
We will perform a triage analysis of key points of entry to determine if there has been some type of unauthorized activity. This will include searching for known indicators of compromise (IOCs) that are available at the time of our analysis and conducting a review for evidence of post-exploitation activities often found in intrusion investigations. In addition, we will deploy an endpoint detection and response (EDR) tool to help monitor the client’s environment for potential unauthorized or suspicious activity. This tier is designed to provide an initial understanding of whether there are items of concern that should be investigated further. Based on the findings of this preliminary analysis, the client can determine whether to proceed to a more in-depth analysis or pause pending further information.
Tier 2 – Full Forensic Analysis
This effort is designed to help the client determine if there are areas of concern, whether through their own analysis or via RSM’s triage analysis, or if they have an elevated risk profile due to protected or sensitive information which may have been compromised. Our analysis will be designed based on the client’s environment, systems, users and/or data that would be impactful if exposed. If they do not already have an EDR solution in place, we will deploy a tool to help monitor the environment for potential unauthorized or suspicious activity. This analysis will provide the client with a more expansive understanding of whether they had a potential exposure.
Tier 3 – Remediation Support
As part of RSM’s effort to help clients through the challenges of the SolarWinds situation, we have a team ready to assist clients in remediating their environment and improving the overall security posture. Depending on the client’s environment, this will entail a number of different assessments and remediation efforts.
If you believe you have an issue and want more information, please contact RSM’s Digital Forensics and Incident Response team at DFIR.Team@rsmus.com.