Bottom Line: Cyberattacks enter a new era of lethal impact when threat actors are sophisticated enough to compromise SolarWind’s software supply chain with infected binary code while mimicking legitimate protocol traffic to avoid detection.
To gain greater insights into the SolarWinds breach, its implications on cybersecurity strategy in the future and what steps enterprises need to take today, I contacted Andy Smith, Cybersecurity Evangelist and an industry expert with Centrify. He explained the attack’s specifics, referencing the Cybersecurity and Infrastructure Security Agency’s (CISA) Alert AA20-352A, which details how sophisticated the attack is, citing the sobering fact that it is unknown if all attack vectors are identified. Active since at least March 2020, the advanced persistent threat (APT) has been identified by FireEye, SolarWinds, Microsoft and several other cybersecurity firms.
SolarWinds’ Security Advisory lists 18 known products that have been affected by the attack, including their Application Centric Monitor (ACM), Server Configuration Monitor (SCM) and Network Performance Monitor (NPM). Earlier this month, SolarWinds says the malicious code may have been delivered to nearly 18,000 customers.
Insights Into The SolarWinds Hack
Interested in dissecting the hack from a cybersecurity standpoint, I spent some time investigating the SolarWinds hack with Andy, a leading authority on Identity and Access Management (IAM), particularly around securing and managing privileged access credentials. The following is my interview with Andy:
Louis: There have been large-scale breaches before; why is this particular cybersecurity attack getting so much attention? Why is it so enormous?
Andy: What’s interesting about this particular attack is a couple of things. It follows a very traditional cyber-attack kill chain as many attacks, but the start of this one is impressive. Usually, there’s a vulnerability that allows threat actors to get into the network. What’s unique about this is the initial vulnerability is in vendor software, so it’s often now being referred to as a supply chain hack because the vulnerability was embedded as code.
The exposure to federal agencies and the attackers’ focus going after emails is especially troubling. It appears like it’s a nation/state-related incident that always heightens the exposure and is another reason it’s so large in scale. Some tools that FireEye uses for Red Team evaluation of people’s networks got exposed, so now those tools are in the hands of threat actors to do nefarious activities with them.
That’s one aspect of this hack that makes it remarkable, as sophisticated tools from FireEye are in nefarious actors’ hands. That’s one reason it’s enormous: you just gave something that was being used for good to threat actors intent on gathering as much intelligence across a supply chain of customers as they can.
Louis: How are the cyber-attack methods used in the SolarWinds hack particularly unique?
Andy: It follows a very common cyber-attack kill chain we’ve seen at Centrify for years. We ran the Anatomy of a Hack webinar earlier this year and it always starts with that initial vulnerability and getting in. What’s unique was this case is that the initial vulnerability wasn’t just, “Hey, I phished somebody’s password and logged in.” It was a vulnerability in the software build process for SolarWinds. So that’s a bit unique about how that initial vulnerability was there.
Still, once the attackers are in, the breach starts to look very traditional in the sense that they settle in, sit there for a while, scan the network, move laterally in that environment and hunt for privileged access.
All those things happened precisely by the people who investigated and then you find the data you’re going after. In some cases, it’s been software, as is the case with FireEye, or email servers, as is the case with government agencies. Attackers are patient and they wait to extract the data and then cover their tracks.
Louis: You and many others are an advocate of a layered approach to security. What is that and how would it have helped in the SolarWinds case?
Andy: For me, the biggest takeaway of this hack is that a layered approach to security is the way to go in the future in light of this hack’s sophistication. There’s no silver bullet to stop a hack this sophisticated, though. No one strategy or approach could have prevented it.
When you investigate this attack, it is pretty sophisticated and has multiple vectors to it and one has to assume there will be certain threat vectors compromised. That initial vulnerability will be there and you need those layers of security to prevent it, so you need to look at preventive controls, predictive controls and detective controls. All those need to be combined into a single, unified strategy.
For every organization looking at this hack and considering how future attacks of this sophistication will impact them, it’s a good idea to use this event as a way to get your board and executives thinking about a more resilient, hardened multilayer approach and not relying on a single solution to protect you. I see organizations using this opportunity to evaluate how a layered approach will work for their projects when it might not have been feasible to fund in the past.
It’s an extreme attack that shows how vulnerable the exposures are out there. It’s a good time to shore up your defenses. The Federal Information Processing Standard 200, or FIPS 200, the standard offers excellent guidance, including discussing the different types of layers and controls available today. Minimum Security Requirements for Federal Information and Information Systems defines the minimum security controls for federal information systems and the processes by which risk-based selection of security controls occurs.
If you dig into the National Institute of Standards and Technology (NIST) Special Publication 800-53, that gets a little deeper into the particular cyber controls you have in place. There is guidance available. You’re not out there on your own about what the layers should be and you can evaluate yourself against these standards.
Louis: What are some layers specific to privileged access management? Are there any particular PAM best practices that enterprises should be thinking about right now?
Andy: Absolutely and I’ll start with Privileged Access Management (PAM), which is one of the core layers. Investigations into this hack found specific evidence where they got in and created new accounts with elevated privileges to access data. It’s all over this.
We typically state the Forrester stat that 80% of hacks involve compromised privileged access. This SolarWinds example is no exception: that’s what happened.
Additional points to keep in mind include the following:
- Before our interview, we talked about how vulnerable passwords are and how using the company’s name, followed by 123, is not a good idea – that ties into going pro with preventive controls rather than just relying on a password. That’s a perfect example of what not to do. Organizations can design preventive privileged access controls and detective controls and both are typically provided in Privileged Access Management solutions. Best practices call for multiple preventive controls – strong passwords, multi-factor authentication, password rotation, maybe use a federated credential and have privileged users log in as themselves for better auditing and accountability.
- Rethink enterprise cybersecurity from a preventive control perspective that includes least privileged access. Simplistic preventive controls aren’t enough, as the sophistication of this hack shows. Preventive controls need to be strengthened with least privilege. The account creation process needs to provide as little privilege as possible to the server level. Workflows to request additional access need to be used to provide resources for a predefined period. If these types of controls had been in place, malicious code disguised in executable files and dynamic linked libraries would not have traveled as far down the supply chain.
- Lastly, even if threat actors get through or you don’t have enough of those layers in place, you want detective controls. PAM solutions should have audit capabilities that watch what privileged users do. In the financial markets, there are things like the “four-eye principle,” where people are watching what other people are doing and so you can watch a privileged session in real-time and verify what users are doing. Of course, all that’s audited in the recording. You can send that information off to a SIEM to be correlated with other data to look for compromise indicators. Recent articles I’ve read pointed out the attackers were in the FireEye network for months before being detected. FireEye detected that they had been attacked thanks to detective controls.
Louis: The SolarWinds attack seems to have rejuvenated the case for Zero Trust. How can companies adopt a Zero Trust mindset and take stock of their security layers today?
Andy: Definitely and I see organizations accelerate their Zero Trust initiatives today. Organizations can get started on their Zero Trust frameworks by reviewing the FIPS and NIST publications. Review the layers of your security stack with a Zero Trust mindset. Don’t configure your network to trust someone just because they gained access. That’s how these attackers got in, laying in the network for plenty of time. Zero Trust says, “Don’t trust that authenticated network access. That could still be a compromised credential or a threat actor,” and this is a perfect example of that. This is why Zero Trust is critical: just because they’re on your network doesn’t mean they’re trustworthy.
The concept of least privilege, of authenticating at each step, introduces segmentation. When I give access, it’s just to that machine or that service that I need access to and not broad access across the network a network segment. That’s how you prevent that lateral movement. A Zero Trust mindset that Zero Trust philosophy of security is critical in this case.
Louis: What do you think will happen from the perspective of micro-segmentation and how does this hack change the balance of security relative to ongoing operations of a business?
Andy: I think it’s another evidence of our current breach culture and brings forth more awareness. More and more, events like this will make cybersecurity a higher priority in an organization – one essential to excel at to keep a business operating. So from that perspective, it is a business enabler.
If you do it right, you can start to do things like moving to the cloud and start to do things that make you more agile. The more we can think of security as a business enabler instead of a business blocker, the better we are. Taking the lessons learned from this hack and using them to create a more resilient, hardened organization is a start.
80% of hacks involve the use of compromised privileged credentials and this one is no exception. An important layer of control is Privileged Access Management (PAM) solutions such as Centrify, which typically involve predictive, preventive and detective controls.
In the end, it is security layers and vigilance that make the difference in minimizing the impact of a breach. NIST’s guidance can be constructive in cybersecurity planning, which can also be informed by Zero Trust’s principles. Remember, it’s not a question of if you will be hacked. It’s a matter of when and what you can do to limit the impact through layers.