SolarWinds - A Lesson in Layers of Security
There is a lot for security professionals to learn from the recent SolarWinds hack. I believe one of the primary messages is that you can’t keep attackers out 100% of the time, and it takes multiple layers of security to protect yourself.
There is no one security solution or vendor that alone can prevent a well-funded and sophisticated adversary from infiltrating your network. However, layers of security covering different domains and a combination of predictive, preventive, and detective controls is your best defense.
As laid out in this Microsoft blog about the details of this attack, it is a classic example of the cyber-attack kill chain. The blog details that threat actors used this combination of techniques as part of their toolkit.
- An intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials.
- An intruder using administrative permissions acquired through an on-premise compromise to gain access to an organization’s trusted SAML token-signing certificate. This enables them to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.
- Anomalous logins using the SAML tokens created by a compromised token-signing certificate, which can be used against any on-premise resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate. Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed by the organization.
- Using highly privileged accounts acquired through the technique above or other means, attackers may add their own credentials to existing application service principals, enabling them to call APIs with the permission assigned to that application.
At Centrify, we think it is important to analyze real-life attacks with the goals of learning and improving. So what can we learn from this particular attack? There is no silver bullet, there is no one solution, but it requires vigilance and layers of security.
The necessary layers can be found in the Federal Information Processing Standard 200 (FIPS 200), "Minimum Security Requirements for Federal Information and Information Systems," which specifies the minimum security controls for Federal information systems and the processes by which risk-based selection of security controls occurs. The detailed catalog of minimum security controls is found in NIST SP 800-53.
FIPS 200 identifies 17 broad control families that all are different layers. Network and perimeter controls must be used to verify who is accessing your network, and to segment, access to limit lateral movement. Device and endpoint controls – both preventive and detective – are necessary to not only protect the local resource but also to prevent penetration into other machines on the network. Encryption of data in transit and at rest is an absolute must, and of course, identity and access management controls are critical for network and application security.
Three PAM Controls
We have cited over and over that 80% of hacks involve the use of compromised privileged credentials, and this one is no exception. An important layer of control provided by Delinea is Privileged Access Management (PAM). PAM solutions typically involve predictive, preventive, and detective controls.
With Centrify, preventive controls not only help protect shared privileged accounts by vaulting away and rotating credentials, but we also help reduce the attack surface by allowing users to login as themselves, reducing overall risk while simultaneously increasing accountability. Preventive controls like authentication, including Multi-Factor Authentication (MFA), can help protect against compromised credentials. While extremely effective, even MFA is not foolproof and not enough on its own, as evidenced in this article in Data Breach Today stating, “the hacking group used a Secret key that it previously stole to generate a cookie to bypass the Duo multifactor authentication protecting access to the Outlook web app.”
In addition, the concept of least privilege is an important preventive control and should be applied to limit the impact of compromise including workflows for proper approvals to elevate privilege. Privileged access should be given just-in-time and just enough to get the job done. An important aspect of “just-enough” is to ONLY allow access to the target systems necessary. Solutions like Delinea Privilege Manager are able to provide these granular permissions that segment access to specific machines rather than segments of the network. The result is a limited lateral movement by attackers via micro-segmentation.
For PAM, detective controls involve detailed audit and log data that can be evaluated by humans or third parties. Many financial institutions require the four-eye principle for privileged session monitoring. In addition, this audit and log data are often sent to SIEM tools to correlate with other activities looking for signs of compromise.
Predictive PAM controls have emerged recently with the advent of User and Entity Behavior Analytics (UEBA) which is now built into many tools and used to programmatically detect anomalous activities and alerts.
All the above controls are important layers to help prevent attacks. In cases of sophisticated attacks like SolarWinds, many of the preventive controls can be bypassed because signing certificates were obtained and authentication controls were subverted. Modern, predictive controls could possibly have been beneficial in quickly detecting the SolarWinds breach. When attackers appear as normal users due to compromised credentials, then detecting anomalous activity might have been an early indicator of compromise.
In the end, it is the layers and vigilance that make the difference. Guidance given by NIST can be very helpful in your security planning as well as the principles of Zero Trust. Remember, it’s not a question of if you will be hacked, it’s a matter of when and what you can do to limit the impact through layers.