Lesson From SolarWinds Attack: It's Time to Beef Up IAM
NIST, CISA Call for Rethinking Security in Wake of Supply Chain Attack
The SolarWinds supply chain attack should prompt federal agencies and others to rethink how they approach security issues - especially identity and access management, according to a breakdown of the attack presented this week by the National Institute of Standards and Technology and the U.S. Cybersecurity and Infrastructure Security Agency.
At NIST's Information Security and Privacy Advisory Board meeting, Jay Gazlay, a technical strategist with CISA who has been examining the attack since it was first disclosed in December 2020, presented an analysis of what the agency has learned about the attack to date. That included a detailed timeline of how the hackers implanted a backdoor in a software update for SolarWinds' Orion network monitoring platform. The update with the backdoor was eventually installed by about 18,000 of the company's customers.
In follow-on attacks, the hackers further compromised nine federal agencies, including the Homeland Security and Commerce departments, as well as 100 private companies, federal investigators say. A Russia-based hacking group waged what appears to have been a cyberespionage campaign, according to investigators (see: House SolarWinds Hearing Focuses on Updating Cyber Laws).
Identity Is Everything
A key takeaway from the NIST analysis, Gazlay said, is that organizations need to rethink their identity and access management efforts because the attackers were able to compromise tokens and hide their presence.
"Our takeaway from this attack is that identity is everything now," Gazlay said. "We can talk about our network defenses. We can talk about the importance of firewalls and network segmentation. But really, identity has become the boundary, and we need to start readdressing our infrastructures in that matter."
Gazlay also noted that the issue of IAM encompasses on-premises systems as well as those in the cloud.
"We trust identities, both in the cloud and on-premises, and we trusted federated networks and assertions far too much," Gazlay said.
Hackers Gained Admin Credentials
In an analysis of how the backdoor used by the SolarWinds hackers worked, Gazlay noted that once the malware was installed as part of the Orion update, the attackers gained domain administrative credentials for Active Directory, which could lead to full identity compromise for on-premises networks and infrastructure.
And if SolarWinds' Orion platform was used in conjunction with Amazon Web Services, the attackers using the backdoor could gain near-root access to the victim's AWS Simple Storage Service infrastructure, Gazlay said.
"That's a deep and wide compromised base and that would have allowed the threat actor quite a few different opportunities to make choices [concerning] their targets," Gazlay said.
Many hackers are now focusing on compromising identities as a way to open the door to accessing many more systems, Gazlay said.
"They're going after the identities that give them access and can lead to a much broader campaign," Gazlay noted. "And that makes TrustStore and identity management compromises much more impactful - and frankly - a higher target. As we move into a cloud infrastructure where all that matters is the assertion that you are who you say you are in order to get access to cloud infrastructures, this then becomes even more pernicious."
Federal agencies and others can take several steps to shore up identity and access management, Gazlay said.
For instance, the default security settings that ship with Microsoft Office 365, which many federal agencies use, are no longer sufficient to detect or deter the type of hacking campaign conducted by the SolarWinds attackers. IT and security teams need to rethink the settings to ensure they can catch potential anomalies.
"You cannot see 'Message Read by Owner' in Exchange, which is the only way to detect exfiltration using Graph API without having some specific configuration options in Azure AD," Gazlay said. "You're not going to see the authentication issues as well."
Organizations should also make sure that external firewalls are configured so that anomalies in network traffic flowing both into and out of the network can be spotted, and should use the tools Microsoft offers to make sure email traffic is being authenticated.
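The detection gap Gazlay describes above is that a valid token used against the Graph API looks legitimate unless the logs are correlated with how the identity was originally established. The script below is an added example written for this article, not code from CISA, NIST or Microsoft, and it does not use Microsoft's real log schema: the record fields (`kind`, `user`, `ip`, `mfa`, `items`), the sample log lines and the 200-item threshold are all constructed for illustration. It builds a per-user baseline of source addresses seen in MFA-backed interactive sign-ins, then flags mail reads via the API that come from an address with no such sign-in behind them, and separately flags bursts of mail reads that exceed a volume threshold within a sliding window.

```python
"""
Correlate token use against interactive, MFA-backed sign-ins.

All field names and sample records below are constructed for this example;
they are an assumed, simplified schema and not Microsoft's sign-in or audit
log format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (JSON lines). Addresses are RFC 5737 test ranges.
SAMPLE_LOG = """
{"time": "2021-03-10T09:00:00Z", "kind": "interactive_signin", "user": "alice", "ip": "203.0.113.10", "mfa": true}
{"time": "2021-03-10T09:05:00Z", "kind": "graph_mail_read", "user": "alice", "ip": "203.0.113.10", "items": 5}
{"time": "2021-03-10T09:30:00Z", "kind": "graph_mail_read", "user": "alice", "ip": "198.51.100.77", "items": 3}
{"time": "2021-03-10T10:00:00Z", "kind": "interactive_signin", "user": "bob", "ip": "203.0.113.20", "mfa": true}
{"time": "2021-03-10T10:10:00Z", "kind": "graph_mail_read", "user": "bob", "ip": "203.0.113.20", "items": 150}
{"time": "2021-03-10T10:20:00Z", "kind": "graph_mail_read", "user": "bob", "ip": "203.0.113.20", "items": 150}
{"time": "2021-03-10T11:00:00Z", "kind": "interactive_signin", "user": "dave", "ip": "203.0.113.30", "mfa": false}
{"time": "2021-03-10T11:02:00Z", "kind": "graph_mail_read", "user": "dave", "ip": "203.0.113.30", "items": 2}
{"time": "2021-03-10T12:00:00Z", "kind": "graph_mail_read", "user": "carol", "ip": "192.0.2.5", "items": 40}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'time', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["time"])


def mfa_baseline(events):
    """Map each user to the source IPs of their MFA-backed interactive sign-ins."""
    base = defaultdict(set)
    for e in events:
        if e["kind"] == "interactive_signin" and e.get("mfa"):
            base[e["user"]].add(e["ip"])
    return base


def find_anomalies(events, read_threshold=200, window=timedelta(hours=1)):
    """
    Return findings for API mail reads that (a) come from a source with no
    MFA-backed interactive sign-in for that user, or (b) exceed
    read_threshold items within the sliding window (flagged once per user).
    """
    base = mfa_baseline(events)
    findings = []
    recent = defaultdict(list)   # user -> [(time, items)] inside the window
    volume_flagged = set()
    for e in events:
        if e["kind"] != "graph_mail_read":
            continue
        user, ip, t = e["user"], e["ip"], e["time"]
        # Rule (a): a token is being used from somewhere the user never
        # completed an MFA sign-in, so the token's origin is unexplained.
        if ip not in base[user]:
            findings.append({"rule": "token_without_mfa_origin",
                             "user": user, "ip": ip, "time": t.isoformat()})
        # Rule (b): sliding-window count of mail items read by this user.
        reads = recent[user]
        reads.append((t, e["items"]))
        reads[:] = [(rt, n) for rt, n in reads if t - rt <= window]
        total = sum(n for _, n in reads)
        if total >= read_threshold and user not in volume_flagged:
            volume_flagged.add(user)
            findings.append({"rule": "mail_read_volume", "user": user,
                             "ip": ip, "time": t.isoformat(),
                             "items_in_window": total})
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding))
```

On the constructed sample this yields four findings: alice's read from an address she never signed into with MFA, bob's 300 items read within one hour, dave's read backed only by a sign-in without MFA, and carol's read with no interactive sign-in at all. The point is the correlation, not the thresholds: the same record that passes as a valid token on its own becomes a lead once it is joined against the sign-in that should have produced it.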
Gazlay also noted that organizations should look to incorporate recommendations from NIST's National Checklist Program Repository as a blueprint for responding to these types of threats as well as a way to share information about possible attacks.
Bryan Orme, principal and partner at GuidePoint Security, a consulting firm in Herndon, Virginia, says improving IAM is particularly important as more data and applications shift to the cloud.
"With work-from-home continuing for the foreseeable future, most organizations have accelerated cloud migrations, drawing cloud security to the forefront as well," Orme says. "Moving forward in a post-SolarWinds reality, a strong IAM strategy for both on-premises and cloud-based assets is reinforced as a foundational element of a strong security posture."
Details in SolarWinds' Annual Report
On Monday, SolarWinds filed its annual report with the Securities and Exchange Commission, noting that it has incurred about $3.5 million in expenses through the end of December 2020 due to the attack.
"We expect to incur significant legal and other professional services costs and expenses associated with the cyber incident in future periods," the report states.
"We expect to recognize these expenses as services are received. Costs related to the cyber incident that will be incurred in future periods will include increased expenses associated with ongoing and any new claims, investigations and inquiries, as well as increased expenses and capital investments related to our 'secure by design' initiatives, increased customer support activities and other related matters."