beebright - stock.adobe.com
In the wake of the supply chain attack on SolarWinds, security experts and vendors are examining defenses against such threats that compromise a large number of organizations using one initial target.
During the attack last month, nation-state hackers planted a backdoor in software updates for SolarWinds Orion platform, which could be activated when customers updated the software. One customer, FireEye, was the first to disclose the backdoor, which it dubbed "Sunburst." The cybersecurity company had previously reported that the nation-state attack it had suffered recently was the result of a massive supply chain attack on SolarWinds. Since then, additional attack vectors and victims have been revealed, including government agencies and major technology companies that were impacted at varying levels.
One of those tech giants was Microsoft; the company's network was infiltrated and its source code was viewed but not altered. In the wake of these attacks, Microsoft released a blog post on how to protect against what it refers to as "Solorigate." In the post released Dec. 28, Microsoft described the incident as "a supply chain compromise and the subsequent compromise of cloud assets."
Much of the defense against SolarWinds attacks revolves around securing accounts and credentials, which were abused by nation-state hackers following the exploitation of the backdoor.
"To gain access to a highly privileged account needed for later steps in the kill chain, the attackers move laterally between devices and dump credentials until an account with the needed privileges is compromised, all while remaining as stealthy as possible," the blog post said. "A variety of credential theft methods, such as dumping LSASS memory, are detected and blocked by Microsoft Defender for Endpoint."
For example, security teams can choose queries that search for enumeration of high-value dynamic content assets followed closely by repeated logon attempts, which could be a sign that threat actors are attempting to validate stolen credentials.
Many mitigation steps were taken in the immediate aftermath of Sunburst's disclosure, from SolarWinds released new updates for the Orion platform to the development of a kill switch to prevent the activation of the backdoor. But in addition to taking action around indicators of compromise for Sunburst and updating endpoint security programs, experts are urging organizations to focus on protection. There are multiple models to protect against such threats, including zero-trust access, behavioral monitoring and other account protections.
Defending accounts and credentials
According to Richard Stiennon, chief research analyst at IT-Harvest, zero trust means applying access rules based on user identity and application, which means no more network controls. "Behavioral monitoring can cover the gap left by zero trust where an authenticated user may abuse their granted privileges," he said.
Both can help defend against sophisticated attackers.
Stiennon along with other security experts told SearchSecurity that implementing a zero-trust network and behavioral monitoring can be beneficial against nation-state hackers like the Russian group Cozy Bear, suspected as the operators behind the SolarWinds attack.
Nation-state actors generally focus on lateral movement to understand an organization's environment, said Diana Kelley, an analyst at The Analyst Syndicate.
"They create accounts and other backdoors to allow them reentrance into a network even if the initial malware or trojans are deleted. Zero trust and behavioral monitoring help in both cases," she said in an email to SearchSecurity.
Digital Shadows CISO Rick Holland said a defense strategy against nation-state actors should focus on detection and response, rather than prevention. "You want an architecture that provides as many detection possibilities as possible, and zero trust can help with that," he said in an email to SearchSecurity.
Zero trust typically involves several components, including network segmentation and additional user and device authentication beyond simple usernames and passwords. That way, if an attacker does obtain such credentials, the access could be denied or, at least, lateral movement will be limited to specific parts of a network.
Dmitriy Ayrapetov, vice president of platform architecture at SonicWall, said a zero-trust network design is a principle that helps with reducing the impact of an attack by containing the attacker and limiting their lateral movement.
"On the other hand, a zero-trust network will make an adversary work harder, significantly tripping more alarms and increasing the opportunity for detection by forcing the attacker to cross more "gates" via impersonation or other techniques," he said in an email to SearchSecurity.
Both zero-trust network segmentation and behavioral monitoring help in detection, said Karl Sigler, senior security research manager for SpiderLabs at Trustwave. "They have great potential for blocking and alerting you to targeted, complex attacks like those coming from nation-state attackers and APT campaigns."
Behavioral analytics for account and device monitoring has been lauded by many identity and access management experts for years as a way to not only block basic credential theft and misuse but also more sophisticated threats from nation-state actors. Monitoring activity such as suspicious logins, downloads and application usage can alert security teams to potential stolen credentials.
Challenges and limitations
While Ayrapetov said zero-trust networks are one of the tools that helps to mitigate and detect such attacks, they are "not a silver bullet for the insidiousness of supply chain attacks." One downside is in the technical details.
"The proper set up and maintenance of zero-trust networks and effective behavioral monitoring implies a very holistic and mature security setup already exists," Sigler said.
There are also some limitations to behavior monitoring. Regarding the SolarWinds incursions, the attackers seemed aware that behavior monitoring could detect their activity, Stiennon said. "So they masqueraded as SolarWinds Orion network traffic wherever they could. This is where the entity part of user and entity behavior analysis is valuable."
Another unpredictable aspect of any defense strategy is the persistence of the attackers.
"Zero trust and behavioral monitoring are better defenses against nation-state actors, but at the end of the day, if a sophisticated and well-funded actor plans to target your organization, keeping them out will be always be a challenge," Holland said.
Ayrapetov agreed that the SolarWinds attacks demonstrate that a sufficiently dedicated and resourced attacker will always find a way to get in.
"Assuming that someone is already in an organization's network is a mindset that is key to successfully modeling for network and infrastructure security," he said.
Additionally, the implementation of a successful zero-trust network can pose challenges.
"Before deploying the latest and greatest zero-trust principles, I suggest making sure the 'security basics' are addressed," Holland said. "Don't deploy administrative consoles on public-facing networks. Enforce multifactor authentication to prevent account takeovers. Monitor your attack surface and take a risk-based approach to vulnerability management."
Sigler said that a good defense against potent threats such as the Sunburst campaign starts with people.
"The best thing any organization can do is invest in their information security staff. Invest in that team's education, skills and tools and then listen to them," Sigler said. "With a proper staff of experienced professionals, the other security controls will begin to fall into place. Without them, tools and controls like zero trust and behavioral monitoring are next to useless."