In wake of one of the largest breaches in U.S. history, SolarWinds is addressing how its privileged access is separated between its IT infrastructure and DevOps.
The hack of SolarWinds was a blend of compromised email and software interference done without a trace. Federal agencies say the attackers were likely Russian; Alex Stamos, former Facebook and Yahoo security chief, and current professor at Stanford University says it was executed by the Foreign Intelligence Service of the Russian Federation (SVR), during a webcast Thursday.
The attack hit hundreds of organizations, including the U.S. Department fo Energy and multiple other U.S. government agencies. The compromised software is used by 18,000 of the world's largest infrastructure sites, and according to security company Dragos, hackers accessed the systems of multiple equipment manufacturers, including some with direct access to turbine control software.
Experts say fallout from the SolarWinds attack could continue for years, as more companies determine they were compromised. The North American Electric Reliability Corporation's Electricity Information Sharing and Analysis Center has been engaging with industry and government partners to disseminate information and mitigation steps.
As part of its remediation efforts, SolarWinds appointed Stamos and Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA), as independent consultants for SolarWinds' recovery.
"Finding the SVR requires a very deep hunting capability," which most companies likely don't have, said Stamos. "If you expect that somebody every day is going to come in, get their coffee, and they're going to spend the entire day trying to think about how to break into your company" for months on end then they are going to get in, said Stamos. It's going to require companies to defend themselves differently.
Compared to other Russian intelligence agencies, the SVR's main goal is intelligence gathering that stops short of destruction, said Stamos. The SolarWinds cyberattack is an example of this type of espionage.
Supply chain attacks are historically difficult to detect, let alone avoid. However, the scope of the SolarWinds hack left the subtle fingerprints of SVR everywhere, forcing vendors to reevaluate how they build data and how companies regulate privileges.
As part of recovery and response, SolarWinds is undergoing initiatives, including:
- Adopting multiple software building pipelines using different administrative domains and controls
- Using just-in-time access for multiple environments
- Evolving security recommendations to accommodate customer environments, not just SolarWinds products
- Eventually the company wants to build a Patch Tuesday-like cadence for security updates
SolarWinds attackers leveraged the company's Office 365 accounts to access other accounts within the broader Office 365 environment, SolarWinds CEO Sudhakar Ramakrishna told The Wall Street Journal Tuesday. Microsoft and SolarWinds are unsure if hackers used an unknown Office 365 vulnerability, or just a compromised email account.
Ramakrishna, who began his tenure as CEO on Jan. 4, is emphasizing the role of humans in security and overhauling the software development cycle. "We felt it is not sufficient to simply use the principles [and] practices that we are familiar with," and instead make the reconstruction a community effort," said Ramakrishna, during the webcast.
Based on forensic analysis by CrowdStrike and KPMG and disclosures by other companies impacted by the same Russian activity, SolarWinds identified industrywide shortcomings that increased the attack surface, including:
Halfway cloud adoption
Companies are running their Azure Active Directory in a hybrid mode, connected to on-premise domain servers hosting multiple domains. "In some cases, you have to weigh trust here," said Stamos.
The halfway move exposes companies to vulnerabilities in the cloud-based Azure Active Directory and in the existing domain servers.
"That cloud of data providers is that one source of truth," said Stamos. For SolarWinds, there was an escalation path from on-premise to cloud-based persistence. To avoid unintentional vulnerabilities, accelerate the transition to Cloud Identity.
Companies have to understand what levels of privileges their providers have into their systems. Cloud service providers need high-levels of privileges but customers then neglect to deprovision them as soon as possible after their initial work is done.
Aggressive use of authorization techniques:
Multifactor authentication (MFA) is a basic mechanism for preventing privilege escalation. All users should have risk-based authentication, while administrators have conditional access and hardware token MFA. With the exception of one or two "break glass accounts," companies don't need "to have dozens and dozens of people with continuous capability to have effectively global administrator access to your Azure AD tenant," said Stamos.
Permission-based systems also need deprovisioning upon completed workloads because SVR actors favor these accounts. "Once they have access to those accounts, if you're not doing this kind of just-in-time provisioning, if you're not doing conditional access, then they have the run of the place," said Stamos.
SolarWinds is building its access around least privileged access. It's "flipping some of the old paradigms on their head," reducing administrative accounts, and adopting just-in-time permissions, said Ramakrishna. This access overhaul is taking place in SolarWinds' infrastructure and in its software building systems.
One of the first changes security teams need to make is how they understand adversarial capabilities — always assume the perimeter has already been breached. The initial intrusion will always happen, so what can the SOC do to prevent further damage?
Stamos recommends using the MITRE ATT&CK kill chain to assess the solutions security teams have in place for each step, including monitoring, alerts, log collection. Internal teams should be able to handle 98% of activity, said Stamos, while the remaining 2% is for outside assistance, which also establishes parameters for vendors.