As more details about the SolarWinds supply chain attack have rolled in, CISA (the Cybersecurity and Infrastructure Security Agency) has advised SolarWinds customers to assume they are compromised and to take their SolarWinds stack offline. Additional "known malicious" file hashes are being shared, and this may continue as victims come forward with forensics and findings.

Depending on your industry, risk tolerance and budget, the safe advice is to decommission SolarWinds permanently and move to another solution such as ManageEngine or Volta's own in-house product, Multimeter. If that is not an option, the published hashes of the malicious files should be blacklisted across all compensating controls, and the Snort/IPS signatures should be deployed on every intrusion prevention system in the environment. We would also recommend segmenting the network so that the SolarWinds server(s) can reach only the bare minimum of the IP address space they need to do their job. CISA has a complete list of recommendations here: https://cyber.dhs.gov/ed/21-01/.
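Blacklisting the published hashes across your controls only helps if you also sweep the hosts you already have for those files. The script below is an added example, not code from Volta or from CISA: it walks a directory tree, hashes every file with SHA-256 and MD5 (the two digest types the advisories publish), and reports any file whose digest is on a blocklist. The blocklist entries here are constructed placeholders built from the FIPS "abc" test vector, not real SolarWinds indicators; replace them with the hashes from the CISA or vendor advisory before running it against a real system.

```python
"""Hash-based IoC sweep: find files whose digest is on a blocklist.

Added example, not part of the original advisory. The sample tree and the
blocklist values are CONSTRUCTED for demonstration; real indicators come
from the CISA / SolarWinds advisories.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Advisories publish both SHA-256 and MD5 values, so compute both in one pass.
ALGOS = ("sha256", "md5")
CHUNK = 1 << 20  # 1 MiB reads, so large binaries are never loaded whole


def digest_file(path):
    """Return {algo: hexdigest} for one file, streaming it once."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def sweep(root, blocklist):
    """Walk `root`; return sorted (path, algo, hexdigest) for blocklisted files.

    Unreadable files are skipped rather than aborting the sweep, since a
    permissions error on one file must not hide hits elsewhere.
    """
    wanted = {h.strip().lower() for h in blocklist}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digests = digest_file(p)
            except OSError:
                continue
            for algo in ALGOS:  # report the strongest matching digest first
                if digests[algo] in wanted:
                    hits.append((str(p), algo, digests[algo]))
                    break
    return sorted(hits)


# CONSTRUCTED blocklist: SHA-256 and MD5 of the bytes b"abc" (FIPS test
# vector), standing in for the advisory's real hashes.
PLACEHOLDER_BLOCKLIST = {
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",  # sha256("abc")
    "900150983cd24fb0d6963f7d28e17f72",                                  # md5("abc")
}


def demo():
    """Build a constructed sample tree, sweep it, and return the hits."""
    with tempfile.TemporaryDirectory(prefix="ioc-sweep-") as tmp:
        orion = Path(tmp) / "Orion"
        orion.mkdir()
        (orion / "sample.dll").write_bytes(b"abc")           # matches the blocklist
        (orion / "readme.txt").write_bytes(b"benign content")  # should not match
        return sweep(tmp, PLACEHOLDER_BLOCKLIST)


if __name__ == "__main__":
    for path, algo, hexdigest in demo():
        print(f"HIT {algo}={hexdigest} {path}")
```

Point `sweep()` at the SolarWinds install directory (and any backup or staging locations) with the advisory's hash list; a clean result on hash alone does not prove absence of compromise, so pair it with the Snort/IPS signatures and the network segmentation described above.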