The Solarwinds incident is breathtaking in its scope, but it was also such a huge and delicate house of cards. It will take a long time to clear every organization, but really, one flagged bad device login brought so much infrastructure crashing down.

This really lends credence to the “adversaries only have to succeed once and defenders have to succeed all the time” mantra being bunk. One defender was successful once at a point in basic defense, and a bite got taken out of a very costly instrusion into multiple organizations.

I don’t know how much the adversary spent on this operation, but I would speculate that they have already recouped that value in intelligence. Plus now there is the cost to businesses who have to respond/remediate. Vastly successful op from the adversary perspective.

That goes both ways, you know. They burned a ton of TTPs.

No doubt. I’m still speculating it’s a net win for the attackers.

🤷🏻‍♀️🍸 I choose to take a glass half full on this one, because nobody else is. Honestly, the IR work on this is monotonous, but not really hard.