
Investigating SolarWinds Impact

December 17, 2020 By Luke Emrich

The recent disclosure of the SolarWinds Orion supply chain attack is just the latest widespread vulnerability that has targeted clients across the globe. This issue is still in the early stages of analysis by the cybersecurity community, and RSM is actively monitoring the situation and providing updated information on our War Room blog (https://warroom.rsmus.com/solarwinds-orion-supply-chain-attack/).

In an effort to address this developing situation, we have created a multi-tiered approach to provide some level of comfort to clients about their potential exposure.

Tier 1 – Preliminary Analysis

We will perform a triage analysis of key points of entry to determine whether there has been unauthorized activity. This includes searching for known indicators of compromise (IOCs) available at the time of the analysis and reviewing for evidence of the post-exploitation activities commonly found in intrusion investigations. In addition, we will deploy an endpoint detection and response (EDR) tool to help monitor the client’s environment for potential unauthorized or suspicious activity. This tier is designed to give an initial understanding of whether there are items of concern that warrant further investigation. Based on the findings of this preliminary analysis, the client can decide whether to proceed to a more in-depth analysis or pause pending further information.

Tier 2 – Full Forensic Analysis

This effort is designed for clients who have identified areas of concern, whether through their own analysis or through RSM’s triage analysis, or who have an elevated risk profile because protected or sensitive information may have been compromised. The analysis is tailored to the client’s environment, systems, users and/or the data that would be most impactful if exposed. If the client does not already have an EDR solution in place, we will deploy one to help monitor the environment for potential unauthorized or suspicious activity. This analysis gives the client a more expansive understanding of whether they had a potential exposure.

Tier 3 – Remediation Support

As part of RSM’s effort to help clients through the challenges of the SolarWinds situation, we have a team ready to assist clients in remediating their environment and improving their overall security posture. Depending on the client’s environment, this will entail a number of different assessments and remediation efforts.

If you believe you have an issue and want more information, please contact RSM’s Digital Forensics and Incident Response team at DFIR.Team@rsmus.com.
