Security firm CrowdStrike revealed “the worst U.S. cyber attack in years” last December, according to Reuters.
Suspected Russian hackers penetrated major IT management software provider SolarWinds as early as September 4, 2019, spreading to more than 3,000 of the firm’s clients. Such clients included many Fortune 500 companies and high profile organizations, like Microsoft, Cisco Systems Inc, the US Department of Homeland Security, and the US Cyber Command.
Cybersecurity experts say the depth and breadth of this incident calls into question status quo cybersecurity practices across the world. Once penetrated, organizational networks are much more difficult to secure again. Recovering from the attack may take years, according to Tom Bossert, former President Trump’s homeland security officer.
Here’s what happened, and what you need to know to prevent future compromise.
How the Hack Turned Elite Organizations’ Security Practices Against Themselves
In Fall 2019, hackers penetrated SolarWind’s network management tool, Orion, inserting the SUNBURST malicious code. The company unwittingly pushed updates containing the compromised code that ripped backdoors into their client’s IT systems, into which hackers installed even more malware to further their surveillance efforts.
Compromising Orion wasn’t the end goal, though. Instead, the backdoor was used to access SolarWinds’ SAML-tokens, which transmit sensitive data— like usernames and passwords—in concert with the SSL encryption protocol.
From there, hackers entered their networks through forged security certificates. After that, hackers were able to quickly move laterally throughout the network, escalating their privileges and compromising any number of systems under that network’s umbrella.
What The hack Tells Us About Modern Cybersecurity Practices
The incident reveals the weaknesses of current cybersecurity practices, commonly referred to as the “castle and moat” approach, where a premium is placed on perimeter security. The model’s lack of rigorous user access controls is frequently exploited by hackers, who usually exploit easy points of entry and escalate administrative privileges.
This attack effectively illustrates the need for zero-trust security architecture.
What’s zero trust?
It’s basic premise: “never trust, always verify.” That means securing access to networks through a process of authentication of the user’s machine, authorization of the user behind the device, and the verification of user’s security credentials.
Additionally, zero trust mandates that access to sensitive resources are granted on a least-privilege basis, in other words ensuring access only to staff that absolutely need a given resource.
Finally, rigorous logging is employed to track all traffic through specific inspection points to help enforce least-privilege access rules.
How Zero-Trust May Have Prevented SolarWinds
A core tenant of zero trust is adopting a state of assumed breach. Meaning all requests are inherently untrusted and must be verified.
There are no silver bullets when it comes to security and while companies couldn’t do anything to protect themselves from the attack’s first phase, as that compromise was on the service side, they could have better protected their network through stronger user authentication and verification.
Before users are granted access to sensitive resources or applications, Zero-trust architecture mandates that users prove both their identity and that of the device they’re using. Requiring multiple verification factors, which are continuously reviewed, zero-trust ensures that foreign actors aren’t using falsified security tokens.
What’s more, such architecture limits access to sensitive resources even after network access is granted using techniques such as just-in-time and just-enough-access (JIT/JEA), securing an additional layer of protection. And by limiting this access to only those who need it, commonly called least-privilege, the pool of potential social engineering targets are greatly reduced. This security layer could have prevented the lateral movement hackers demonstrated after breaching the Orion platform.
In sworn testimony from US CISO Christopher DeRusha, the official told the Senate Homeland Security and Government Affairs Committee that the government should move towards zero trust and away from perimeter security.
“In this new model, real-time authentication tests users and looks to block suspicious activity and prevents adversaries from the kind of privilege escalation that was demonstrated in the SolarWinds attack,” DeRusha said. “Many of the tools we need to implement this model already exist within industry and agency environments, but successful implementation will require a shift in mindset and focus at all levels within federal agencies.”
What You Can Learn From SolarWind and Zero-Trust
Of SolarWind’s 36,000 customers, approximately 1800 installed the affected update. If you’re worried that your organization may be impacted and you haven’t taken steps to mitigate this attack be sure to update Orion to the latest version and follow SolarWinds guidance.
However, just because an organization doesn’t use Orion doesn’t mean they’re safe; you should contact your IT vendors or MSP to confirm that they’re not impacted. If so, ask them what they’re doing to reduce your exposure.
Organizations looking to secure themselves against a future attack should leverage a combination of improved network visibility, incident response, comprehensive vendor management and a zero-trust user access model.
You’ll also want to improve your organization’s security culture by teaching and enforcing best practices. That includes how to utilize tools like web filtering and two-factor authentication, how to create strong passwords, and how to properly configure firewalls.
Lastly, remember that your security efforts should be tailored towards the most likely and most potentially damaging threats. This means beginning with threat modeling to identify your most sensitive assets, and brainstorm the most likely paths hackers may take towards compromise. If all this sounds like too much, consider a trustworthy third-party security-focused managed IT provider like SecurIT360.
If nothing else, SolarWind is a reminder of how serious and far reaching attacks on third-parties can be to your organization. Given the wealth of consumer data now held by the average business, just about every company could be a target.