CSBS Issue Talking Points - March 2021

• What risk mitigation actions has the bank taken, or is planning to take, in order to address risk identified through their risk assessment? Are these actions consistent with the referenced threat information sources cited below? • Because the Orion compromise is not the only infection vector, is management focused on defense-in-depth and layered security? • If you discontinued use of SolarWinds, what mitigating control or alternative solution have you implemented? • Have the results of the risk assessment and any ensuing remediation actions been discussed with the board of directors and senior management ? Key Takeaways • This is a patient, well-resourced and focused adversary that has sustained long duration activity on victim networks. • CISA is investigating other access vectors in addition to the SolarWinds Orion supply chain compromise. • Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions. • Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans. Resources that may assist with assessment and remediation efforts: • CISA Alert AA20-352A, Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure and Private Sector Organizations. • CISA released AA21-008A Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments, a companion alert to AA20-352A. • CISA Emergency Directive 21-01. CISA’s Emergency Directive is binding on U.S. Government agencies. Financial institutions are not required to follow this directive but may consider its recommendations as part of their risk-based remediation approach. • NSA Cybersecurity Advisory Detecting Abuse of Authentication Mechanisms • SolarWinds Security Advisory • SolarWinds Secure Configuration for the Orion Platform Version 2020.2.1 • FireEye Threat Research Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST Backdoor. • FireEye GitHub Countermeasures. • Microsoft: Customer Guidance on Recent Nation-State Cyber Attacks • Microsoft: Important Steps for Customers to Protect Themselves from Recent Nation-State Attacks • Microsoft Ensuring Customers are Protected from Solorgate SME Contact: Mary Beth Quist, Sr. Vice President Bank Supervision, 202-728-5722, mbquist@csbs.org Date Updated: 1/15/2021

FOR STATE REGULATOR USE ONLY