Root out the Solarwinds attacker

This is my response to General Petraeus' post on LinkedIn about the SolarWinds hack and the process of cleaning it up.

Cleaning up after a cyber-attack usually involves four steps:

  1. Stop the attack from spreading and remove the malware.
  2. Assess the damage and apply remedies.
  3. Investigate the root cause and the scope of the compromise.
  4. Put measures in place to prevent the next attack.

Microsoft and FireEye have done the first step, while the affected agencies are working on step 2. Step 3 is ongoing and will probably take years, which raises the question of when, and how, step 4 can be enacted. This attack is especially challenging because the attackers did everything they could to cover their tracks and to plan for a long-term stay, so completely rooting out the planted malware and accurately assessing the damage may never be possible. That also makes preventing a future attack difficult, if it is possible at all. The best effort now should be to build a firewall between the data and the attackers so that no further damage can be done. That is the product we have spent the last 5 years building, and it is ready to go.

Source: Microsoft, FireEye