Written by Chris Poer, Director Cloud Infrastructure and Services at Techgardens
By now, every IT professional is aware of the SolarWinds breach, in which a trojanized update of the Orion monitoring platform was distributed to thousands of SolarWinds customers, a customer base that includes over 80% of the US Fortune 500, hundreds of top colleges and universities, and many of the most sensitive US Federal agencies. At a high level, a state-backed Russian group gained access to SolarWinds's build environment and inserted malware into the Orion software, which SolarWinds then digitally signed and shipped as a routine update to as many as 18,000 customers. While the details are complex and still not fully known, there are numerous lessons to be learned from this unprecedented event.
One widely reported weakness was an update server protected by a very weak password (solarwinds123) set by an intern, although whether that was the actual initial entry point has not been confirmed. The attackers spent over a year quietly studying SolarWinds's environment and defenses before gaining control of it and eventually planting malware, named Sunburst, in a component included in Orion's software build. The key point is that the malicious code entered the build before the software was digitally signed, so the tampered component carried a valid SolarWinds signature and was treated as trusted code by both SolarWinds and its customers. From there it was installed on customer systems as a normal update and, on the networks the attackers chose to pursue, they moved laterally using several different mechanisms. One common path led from the initial on-premises network into the cloud: the attackers compromised the target's Active Directory Federation Services (ADFS) server, stole the key it uses to sign Security Assertion Markup Language (SAML) tokens and used that key to forge tokens, registered illegitimate SAML trust relationships, and ultimately gained administrative access to Azure AD, which with a little more work gave them access to email, confidential documents, and other sensitive information.
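The forged-token step above is hard to catch at the point of use, because a token signed with the stolen ADFS key is cryptographically valid. What does catch it is correlating what the cloud relying party accepted with what ADFS actually issued. The following is an added example, not code from the original article or from any vendor named in it; the log formats, field names, certificate thumbprints and accounts are constructed for the example, and it assumes the relying party records the assertion ID and the thumbprint of the certificate that signed each token it accepted.

```python
"""Flag SAML tokens at a cloud relying party that ADFS never issued.

A forged ("Golden SAML") token made with a stolen ADFS token-signing key
passes signature validation, so it cannot be caught by validation alone.
It can be caught by correlating accepted tokens with the ADFS issuance log,
the signing certificate actually in use, and the token lifetime policy.
Both record formats below are constructed for this example; they are not
the real ADFS or Azure AD schemas.
"""
from datetime import datetime, timedelta

EXPECTED_SIGNING_CERT = "AA11"           # thumbprint of the legitimate ADFS token-signing cert (constructed)
MAX_TOKEN_LIFETIME = timedelta(hours=1)  # assumed organizational token-lifetime policy

# Constructed ADFS issuance records (one per token the farm actually signed).
ADFS_ISSUED = [
    {"assertion_id": "_a1", "subject": "alice@corp.example",
     "issued": "2020-12-10T09:00:00", "expires": "2020-12-10T10:00:00"},
    {"assertion_id": "_a2", "subject": "bob@corp.example",
     "issued": "2020-12-10T09:05:00", "expires": "2020-12-10T10:05:00"},
]

# Constructed relying-party sign-in records (tokens the cloud side accepted).
RP_ACCEPTED = [
    {"assertion_id": "_a1", "subject": "alice@corp.example", "cert": "AA11",
     "issued": "2020-12-10T09:00:00", "expires": "2020-12-10T10:00:00"},
    {"assertion_id": "_a2", "subject": "bob@corp.example", "cert": "AA11",
     "issued": "2020-12-10T09:05:00", "expires": "2020-12-10T10:05:00"},
    # Forged: signed with the stolen key, so the thumbprint matches, but ADFS
    # has no record of it and the attacker gave it a one-year lifetime.
    {"assertion_id": "_zz9", "subject": "globaladmin@corp.example", "cert": "AA11",
     "issued": "2020-12-10T03:00:00", "expires": "2021-12-10T03:00:00"},
    # Signed by a certificate that is not the ADFS signing certificate,
    # as happens when an illegitimate federation trust has been registered.
    {"assertion_id": "_zz10", "subject": "carol@corp.example", "cert": "BEEF",
     "issued": "2020-12-10T09:30:00", "expires": "2020-12-10T10:30:00"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def audit_saml_tokens(issued, accepted, expected_cert, max_lifetime):
    """Return findings for accepted tokens that look forged or out of policy."""
    issued_ids = {rec["assertion_id"] for rec in issued}
    findings = []
    for tok in accepted:
        reasons = []
        if tok["assertion_id"] not in issued_ids:
            reasons.append("no matching ADFS issuance event")
        if tok["cert"] != expected_cert:
            reasons.append("signed by unexpected certificate " + tok["cert"])
        lifetime = _parse(tok["expires"]) - _parse(tok["issued"])
        if lifetime > max_lifetime:
            reasons.append("lifetime %s exceeds policy" % lifetime)
        if reasons:
            findings.append({"assertion_id": tok["assertion_id"],
                             "subject": tok["subject"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_saml_tokens(ADFS_ISSUED, RP_ACCEPTED,
                               EXPECTED_SIGNING_CERT, MAX_TOKEN_LIFETIME):
        print(f["assertion_id"], f["subject"], "; ".join(f["reasons"]))
```

The check deliberately does not verify signatures: a stolen key makes the forged token's signature indistinguishable from a real one, which is why the issuance log, the expected certificate thumbprint and the lifetime policy are the signals worth alerting on.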
Like most catastrophic events, a single weak point, in this case inadequate protection of the environment that builds and distributes the software, led to a string of cascading failures across multiple systems that negatively impacted the operations of thousands of organizations worldwide. The most basic lessons that would have made the initial breach far less likely include:
- Deploy a privileged access management system that vaults and rotates privileged credentials, so weak or shared passwords cannot be brute-forced or reused.
- Require multi-factor authentication for access to all IT/OT servers, administrative consoles, and build systems.
- Enforce code signing at every stage of the build process, and protect the build pipeline itself: a signature only proves who signed the code, not that the code was clean when it was signed, which is exactly why Sunburst shipped with a valid signature.
- Treat third-party software as a potential breach point. Validate vendors' code-signing certificates prior to deployment, and recognize that a valid signature is necessary but not sufficient, so new vendor releases should be rolled out in a controlled and monitored manner.
- Consider waiting before installing non-critical patches so that others can verify they work as intended and are free from infection, while weighing that delay against the exposure of leaving a known vulnerability unpatched.
However, there is a deeper lesson that involves a fundamental mindset change when it comes to cybersecurity defense. Instead of focusing strictly on preventing breaches, cybersecurity professionals should assume that a breach will occur and deploy solutions that can identify and contain it immediately and minimize the damage done. This is no different from responsible homeowners who, in addition to door locks, have internal motion detectors that alert the authorities when they sense an intrusion, as well as a safe to protect their valuables. Threat actors are very smart, technically proficient, and extremely patient (the attackers were probing SolarWinds's network as early as January 2019, almost two years before the breach was discovered); they have deep financial pockets from their nation-state enablers or from ransomware profits, and they evolve quickly as cyber defenses change. Statistically, over a long enough time frame, the odds will always be in their favor.
There is a relatively new cyber security model called Zero Trust Architecture, detailed in NIST SP 800-207, that aligns with my primary lesson from the SolarWinds event: look beyond network boundaries and protect the actual resources in cyber security planning. The abstract of the publication is reproduced below.
Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero-trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary. Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.
ZTA is a framework that is still too new to be fully operationalized. Fortunately, there are numerous tools available today that security teams can use to identify a breach, contain it, and minimize the damage done, including:
- Deploying a threat detection and response solution that identifies and contains malware, including zero-day APT tooling like Sunburst, based on its behavior before it can do harm across your environment.
- Encrypting all data at rest and in motion. It is shocking how many enterprises do not encrypt sensitive data at all, while others encrypt it only at rest in storage. Encryption at rest works well if someone makes off with a disk, but professional attackers today camp in a network for months at a time and harvest data as it is transmitted across the network. The standard to aim for combines self-encrypting drives (or software full-disk encryption) with properly managed keys for data at rest, and TLS or equivalent encryption for every connection that carries data in motion.
- Deploying only FIPS 140-2 validated, hardware-based key management. The impact of the SolarWinds breach on affected organizations would have been significantly reduced if hardware security modules (HSMs) had held their most critical keys, in particular the ADFS token-signing key: a key that lives in an HSM cannot be exported, so the attackers could not have taken a copy and forged SAML tokens offline. An attacker who controls the ADFS server can still ask the HSM to sign on their behalf, so HSM protection must be paired with monitoring of signing activity.
- Segmenting networks wherever possible so that an infected segment cannot reach other systems. This is especially critical in mixed IT/OT environments, where an infection that spreads to an operational system can take out a factory or pipeline.
- Implementing the principle of least privilege (PoLP) for all users, processes, systems, and devices, which means enforcing the minimal set of rights that allows each to perform its role. A monitoring platform is a prime example, since it typically holds credentials to everything it monitors, and its service accounts should not also be domain administrators. Audit privileges for all accounts periodically to catch errors and prevent privilege creep.
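The periodic privilege audit in the last item is the kind of check that is easy to describe and easy to let slide. The following is an added example, not code from the original article or from any vendor named in it, of the three things such an audit should flag: members who are not in the approved baseline (privilege creep), identities that have accumulated several privileged roles, and privileged accounts nobody uses. The group names, accounts and last-use ages are constructed for the example; in practice current membership would come from the directory or a cloud IAM API, and the baseline from the most recent access review.

```python
"""Periodic least-privilege audit against an approved baseline.

All data below is constructed for the example. Memberships would normally
be pulled from the directory (e.g. Get-ADGroupMember) or an IAM API, and the
baseline from the last access-review record.
"""

# Approved privileged-group membership from the last access review (constructed).
BASELINE = {
    "Domain Admins": {"alice"},
    "Enterprise Admins": set(),
    "Backup Operators": {"svc-backup"},
}

# What the directory reports today (constructed). svc-monitor is a monitoring
# platform's service account that has quietly accumulated admin rights.
CURRENT = {
    "Domain Admins": {"alice", "bob", "svc-monitor"},
    "Enterprise Admins": {"svc-monitor"},
    "Backup Operators": {"svc-backup"},
}

# Days since each account last authenticated (constructed).
LAST_USED_DAYS = {"alice": 2, "bob": 1, "svc-monitor": 5, "svc-backup": 400}


def audit_privileges(baseline, current, last_used_days, stale_after_days=90):
    """Return a list of findings: unapproved members, accounts holding more
    than one privileged role, and privileged accounts that look abandoned."""
    findings = []

    # 1. Privilege creep: members not in the approved baseline for their group.
    for group in sorted(current):
        for account in sorted(current[group] - baseline.get(group, set())):
            findings.append({"account": account, "group": group,
                             "issue": "not in approved baseline"})

    # 2. Role accumulation: one identity should not hold several privileged roles.
    roles = {}
    for group, members in current.items():
        for account in members:
            roles.setdefault(account, set()).add(group)
    for account in sorted(roles):
        if len(roles[account]) > 1:
            findings.append({"account": account,
                             "group": ", ".join(sorted(roles[account])),
                             "issue": "holds multiple privileged roles"})

    # 3. Stale privilege: privileged accounts nobody has used recently.
    #    An account with no last-use record at all is treated as stale.
    for account in sorted(roles):
        if last_used_days.get(account, stale_after_days + 1) > stale_after_days:
            findings.append({"account": account,
                             "group": ", ".join(sorted(roles[account])),
                             "issue": "unused for more than %d days" % stale_after_days})
    return findings


if __name__ == "__main__":
    for f in audit_privileges(BASELINE, CURRENT, LAST_USED_DAYS):
        print("%-12s %-35s %s" % (f["account"], f["group"], f["issue"]))
```

Run on a schedule and diffed against the previous run, the output is a concrete work list for the access review rather than a one-time snapshot; the stale check in particular catches the "temporary" admin grant that was never revoked.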
The SolarWinds breach is an important teachable moment for cyber security professionals that, if taken to heart, can significantly improve any organization's cyber defense plan. It reminds us that we have to execute flawlessly on the basics, that the software supply chain is an emerging threat vector that must be considered, and that you need to plan for a breach because the odds are in the attackers' favor over the long term. Fortunately, there are solutions available today that organizations can implement with relative ease to detect and contain malware like Sunburst before it causes serious damage to their network and company.
I would like to highlight two Techgardens partners, Futurex and ARIA Cybersecurity Solutions, that are well-positioned to help clients minimize and even prevent damage after a breach occurs. ARIA ADR is a cyber-attack detection and response solution that automatically locates and stops all forms of attacks before they cause harm by correlating logs, network traffic, behaviors, identities, and threat intel across on-premises, remote, cloud, datacenter, and IoT environments. ADR uses machine learning, artificial intelligence, and threat models to identify abnormal behaviors and traffic patterns such as those created by SUNBURST, automating up to 95% of the manual processes so that attacks can be shut down automatically or at the push of a button. Futurex is a leading HSM provider that offers a full suite of on-premises and cloud-based encryption, PKI, and cryptographic solutions designed to prevent even the most advanced attackers from gaining control of critical keys and network assets.
ARIA Cybersecurity and Futurex are offering 3-month free trials of their solutions through Techgardens. For more information, please contact a Techgardens specialist at 646-783-4550 or firstname.lastname@example.org to learn how we can seamlessly implement and integrate these solutions into your network.
Techgardens has a full suite of tools and services to help clients navigate the ever-more-complicated landscape of cyber security from in-house auditing and penetration testing to working with our partners to provide a full range of critical cyber security infrastructure across the entire threat environment.
About ARIA Cybersecurity Solutions
The award-winning ARIA Advanced Detection and Response (ADR) solution automatically finds and stops the most harmful cyber-attacks, including ransomware, zero-day malware, and DDoS, as soon as they become active on the network, and most importantly, before harm occurs. The solution leverages ML threat models and AI to do all the heavy lifting and do so quickly and continuously, 24×365, without missing attacks or making mistakes. At a fraction of a traditional security operations center (SOC) cost, ARIA ADR provides full threat-surface coverage – on-premises, data centers, remote devices, and the cloud – and it can be operated anywhere by IT resources with little to no cybersecurity training. With ARIA ADR, the damage experienced at the hands of the SolarWinds and Microsoft Exchange attacks would not have occurred.
Futurex’s mission is to be the leading provider of cryptographic solutions in the world. We strive to enhance transaction speeds, embrace new technologies and establish innovative standards within our industry. Key capabilities include:
- Hardware security modules for payment and general-purpose data encryption.
- Key and certificate authority issuance and management which includes code-signing.
- Data protection for critical information at rest and in motion.
Techgardens offers a full suite of cybersecurity solutions and we have an experienced team of cybersecurity engineers and experts. Don't leave your cybersecurity defenses to chance: contact us today to discuss your options and how to better prepare your infrastructure, and receive your 3-month free trial of the ARIA and Futurex solutions. Call 646-783-4550 or email us at email@example.com for a no-obligation, free cybersecurity review and consultation.