If you use the recently compromised SolarWinds Orion monitoring products, you are already reviewing your infrastructure and possibly blocking network access to the servers in your domain. For those of you who do not use the SolarWinds software, this is an opportunity to review your own processes and determine whether you would have detected the compromised code and backdoors.
The instructions for mitigating the SolarWinds compromise, provided by the US Cybersecurity and Infrastructure Security Agency (CISA), are a good example of the process required to identify and remove sophisticated advanced persistent threats (APTs), even those executed by nation-states. If you can perform these steps, then you’re in a good position to respond properly if the need arises.
Create a forensic image
First, determine whether you could forensically image every suspected device in your network. Forensic imaging creates an exact bit-for-bit copy of a server’s or workstation’s hard drive, including the unallocated (“empty”) space where deleted files and other artifacts may still reside. AccessData FTK Imager is one such product: it takes a complete, forensically sound image of a system and generates hash reports for individual files and for the disk image as a whole, so you can prove that what you captured is an exact copy of the original drive.
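The verification step FTK Imager performs is simple to reason about if you see it in code. The following is an added example (not from the original article and not FTK Imager’s own code): it copies a source device or disk dump block by block into an image file, including any trailing zero-filled space, hashes both the source and the image, and reports whether they match. The on-disk layout of the sample “disk” is constructed here purely so the script runs offline; the device path and the SHA-256 choice are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # copy and hash in 1 MiB blocks so multi-GB drives fit in memory


def hash_file(path, algo="sha256"):
    """Stream a file through a hash so we never load the whole image at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source, image_path):
    """Bit-for-bit copy of `source` (a block device or raw dump) to `image_path`.

    Every byte is copied, including unallocated space: deleted artifacts and
    file slack live there, and a logical file-copy would silently drop them.
    Returns the number of bytes written.
    """
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the media
    return os.path.getsize(image_path)


def verify_image(source, image_path):
    """Hash report: the image is usable as evidence only if both digests match."""
    report = {
        "source": source,
        "image": image_path,
        "bytes": os.path.getsize(image_path),
        "sha256_source": hash_file(source),
        "sha256_image": hash_file(image_path),
    }
    report["verified"] = report["sha256_source"] == report["sha256_image"]
    return report


def make_constructed_disk(path, size=4 * CHUNK):
    """Constructed sample 'drive': a header, some random data, then zero-filled free space."""
    with open(path, "wb") as f:
        f.write(b"CONSTRUCTED-DISK\x00")
        f.write(os.urandom(CHUNK))
        f.write(b"\x00" * (size - f.tell()))
    return path


def demo():
    """Image a sample drive, verify it, then show that a single flipped byte is caught.

    Returns (verified_after_imaging, verified_after_tampering).
    """
    with tempfile.TemporaryDirectory() as workdir:
        src = make_constructed_disk(os.path.join(workdir, "sdb.raw"))  # stands in for /dev/sdb
        img = os.path.join(workdir, "evidence.dd")
        image_device(src, img)
        clean = verify_image(src, img)

        # Corrupt one byte inside the "empty" region of the image; the hash must no longer match.
        with open(img, "r+b") as f:
            f.seek(CHUNK + 4096)
            f.write(b"\xff")
        tampered = verify_image(src, img)
        return clean["verified"], tampered["verified"]


if __name__ == "__main__":
    print(demo())
```

On a real acquisition the source should sit behind a hardware write blocker and be hashed before and after imaging; if the two source hashes differ, something wrote to the drive during acquisition and the image cannot be relied on, regardless of whether it matches one of them.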