10 Steps and 2 Hours to Determine if Your Enterprise Endpoints Have Been Compromised by the SolarWinds Vulnerability

By CyFIR

by Ben Cotton, Founder

If your organization is currently using SolarWinds (or potentially other platforms compromised by the same malicious actors) and wants to know whether you have actually been breached, follow these steps:
1. Go to the Amazon Marketplace and create a CyFIR Enterprise instance. (25 minutes -- see the instructional videos and information on the linked page.)
2. Download the CyFIR Smart Agent from your newly created server and push the Agent across your enterprise. This timeframe can be variable depending on enterprise size and deployment methodology, but it generally requires less than 15 minutes.
3. Install CyFIR Investigator on your examination workstation. (5 minutes)
4. Import the IOC hash and string XML files.
5. Add the entire enterprise to a CyFIR Case. (2 minutes)
6. Conduct an enterprise-wide search for the IOCs. Typically this will take less than 15 minutes to search every endpoint in the enterprise on which the CyFIR agent is installed.
7. Review enterprise search results in real-time as they're returned.
8. Preserve memory and hard drive artifacts as required.
9. Remediate as appropriate.
10. Enjoy the rest of your day. The total time to install and know if you have a problem related to this incident when using CyFIR is often less than one or two hours. Your cost is limited to how long you have your CyFIR stack running in AWS, and for larger installations, CyFIR offers a five day free trial (except for AWS server fees). Being able to tell your senior leadership and board that you have a handle on it? Priceless.
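Steps 4 through 7 boil down to one operation: compare every file on every endpoint against a set of hash indicators and string indicators and report the hits. The following added example (not CyFIR's code or the CyFIR Smart Agent) shows that core check on a single host, with constructed placeholder indicators standing in for the imported IOC XML files; the hash and marker below are made up for the demo and are not real SolarWinds indicators.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed placeholder indicators standing in for the imported IOC XML files.
STRING_IOCS = [b"CONSTRUCTED-MALICIOUS-MARKER"]
# Hash IOCs are keyed by lowercase SHA-256 hex. This digest belongs to a
# constructed sample file, not to any real SolarWinds artifact.
HASH_IOCS = {hashlib.sha256(b"constructed bad sample").hexdigest(): "sample-bad-binary"}

def sha256_of(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_file(path, hash_iocs=HASH_IOCS, string_iocs=STRING_IOCS):
    """Return the list of ('hash'|'string', indicator) hits for one file."""
    hits = []
    digest = sha256_of(path)
    if digest in hash_iocs:
        hits.append(("hash", hash_iocs[digest]))
    data = Path(path).read_bytes()  # string IOCs need the raw bytes
    for marker in string_iocs:
        if marker in data:
            hits.append(("string", marker.decode("ascii", "replace")))
    return hits

def sweep(root, hash_iocs=HASH_IOCS, string_iocs=STRING_IOCS):
    """Walk a tree and return {relative_path: hits} for every file with a hit."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            hits = scan_file(p, hash_iocs, string_iocs)
            if hits:
                results[str(p.relative_to(root))] = hits
    return results

def demo():
    """Build a constructed tree (one clean file, one hash hit, one string hit) and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "clean.txt").write_bytes(b"nothing to see here")
        Path(root, "bad.bin").write_bytes(b"constructed bad sample")
        Path(root, "log.txt").write_bytes(b"xx CONSTRUCTED-MALICIOUS-MARKER xx")
        return sweep(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Point `sweep()` at a real directory and swap in the indicator sets you actually imported; the result dictionary is what you would review per endpoint before preserving memory and disk artifacts from the hosts that hit.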