Top lesson from SolarWinds attack: Rethink identity security

Among the many lessons from the unprecedented SolarWinds cyber attack, there’s one that most companies still haven’t quite grasped: Identity infrastructure itself is a prime target for hackers.

That’s according to Gartner’s Peter Firstbrook, who shared his view on the biggest lessons learned about the SolarWinds Orion breach at the research firm’s Security & Risk Management Summit — Americas virtual conference this week.

The SolarWinds attack—which is nearing the one-year anniversary of its disclosure—has served as a wakeup call for the industry due to its scope, sophistication, and method of delivery. The attackers compromised the software supply chain by inserting malicious code into the SolarWinds Orion network monitoring application, which was then distributed to as an update to an estimated 18,000 customers.

The breach went long undetected. The attackers, who’ve been linked to Russian intelligence by U.S. authorities, are believed to have had access for nine months to “some of the most sophisticated networks in the world,” including cybersecurity firm FireEye, Microsoft, and the U.S. Treasury Department, said Firstbrook, a research vice president and analyst at Gartner. Other impacted federal agencies included the Departments of Defense, State, Commerce, and Homeland Security.

Firstbrook spoke about the SolarWinds attack, first disclosed on Dec. 13, 2020, by FireEye, during two talks at the Gartner summit this week. The identity security implications of the attack should be top of mind for businesses, he said during the sessions, which included a Q&A session with reporters.

Focus on identity

When asked by VentureBeat about his biggest takeaway from the SolarWinds attack, Firstbrook said the incident demonstrated that “the identity infrastructure is a target.”

“People need to recognize that, and they don’t,” he said. “That’s my biggest message to people: You’ve spent a lot of money on identity, but it’s mostly how to let the good guys in. You’ve really got to spend some money on understanding when that identity infrastructure is compromised, and maintaining that infrastructure.”

Firstbrook pointed to one example where the SolarWinds hackers were able to bypass multi-factor authentication (MFA), which is often cited as one of the most-reliable ways to prevent an account takeover. The hackers did so by stealing a web cookie, he said. This was possible because out-of-date technology was being used and classified as MFA, according to Firstbrook.

“You’ve got to maintain that [identity] infrastructure. You’ve got to know when it’s been compromised, and when somebody has already got your credentials, or is stealing your tokens and presenting them as real,” he said.

Digital identity management is notoriously difficult for enterprises, with many suffering from identity sprawl—including human, machine, and application identities (such as in robotic process automation). A recent study commissioned by identity security vendor One Identity revealed that nearly all organizations—95%—report challenges in digital identity management.

The SolarWinds attackers took advantage of this vulnerability around identity management. During a session with the full Gartner conference on Thursday, Firstbrook said that the attackers were in fact “primarily focused on attacking the identity infrastructure” during the SolarWinds campaign.

Other techniques that were deployed by the attackers included theft of passwords that enabled them to elevate their privileges (known as kerberoasting); theft of SAML certificates to enable identity authentication by cloud services; and creation of new accounts on the Active Directory server, according to Firstbrook.

Moving laterally

Thanks to these successes, the hackers were at one point able to use their presence in the Active Directory environment to jump from the on-premises environment where the SolarWinds server was installed and into the Microsoft Azure cloud, he said.

“Identities are the connective tissue that attackers are using to move laterally and to jump from one domain to another domain,” Firstbrook said.

Identity and access management systems are “clearly a rich target opportunity for attackers,” he said.

Microsoft recently published details on another attack that’s believed to have stemmed from the same Russia-linked attack group, Nobelium, which involved an implant for Active Directory servers, Firstbrook said.

“They were using that implant to infiltrate the Active Directory environment— to create new accounts, to steal tokens, and to be able to move laterally with impunity—because they were an authenticated user within the environment,” he said.

Tom Burt, a corporate vice president at Microsoft, said in a late October blog post that a “wave of Nobelium activities this summer” included attacks on 609 customers. There were nearly 23,000 attacks on those customers between July 1 and Oct. 19, “with a success rate in the low single digits,” Burt said in the post.

Monitoring identity infrastructure

A common question in the wake of the SolarWinds breach, Firstbrook said, is how do you prevent a supply chain attack from impacting your company?

“The reality is, you can’t,” he said.

While companies should perform their due diligence about what software to use, of course, the chances of spotting a malicious implant in another vendor’s software is “extremely low,” Firstbrook said.

What companies can do is be prepared to respond in the event that that happens-and a central part of that is closely monitoring identity infrastructure, he said.

“You want to monitor your identity infrastructure for known attack techniques—and start to think more about your identity infrastructure as being your perimeter,” Firstbrook said.

Source