Virsec Blog: Important Take-Aways from the SolarWinds Attack
Written by Satya Gupta, Founder and CTO, Virsec
In our ongoing analysis of the SolarWinds attack and fallout, following are recommendations for best practices that should be followed to reduce the risk of attack.
IT Best Practices
1. Password Changes: It is imperative to force password changes regularly (especially for domain access and email services), so that the attacker does not get unfettered access for extended periods of time. Volexity has published a very helpful blog on how to purge the aftermath of the malware unleashed via a SolarWinds update. Another very helpful resource on how to perform remediation steps has been published by the NSA. Similar remediation advise has been put together by DHS as well.
2. Least Privilege: It is always best to run services such as authentication, authorization, NTP, DNS, email etc. that assist the main workload, with the least possible privileges. When an application or service gets breached through a vulnerability, the attacker inherits the privileges of the attacked application or service. Therefore, a service running with administrative privileges can be very “helpful” to the attacker. By running services with the least amount of privileges, one would be bounding the damage an attacker can cause in the exploitation phase.
3. End-User Training: It cannot be stressed enough that training end-users for spotting phishing attacks is extremely important. Organizations should seriously consider using client certificates for establishing trust.
4. Authentication: Standard Username and Password based authentication mechanisms are seriously flawed. For critical systems it’s always preferrable to use two-factor authentication or other additional identification mechanisms.
5. Auditing Build Systems: Given the demonstrated ability of attackers to tamper with software supply chains, it’s critical for organizations to enforce strict auditing on build systems.
Don’t Rely on Indicators of Compromise (IOCs)
Many security solutions rely on identifying Indicators of Compromise (IOCs) to identify attacks. These are inherently reactive, use significant amounts of guesswork, and for serious breaches are often too little, too late. The SolarWinds attacks have demonstrated that advanced attackers can cleverly hide evidence to avoid triggering conventional security systems.
By infiltrating into the SolarWinds CICD pipeline, the attackers were able to get their backdoor source code digitally signed by the SolarWinds build process. There are three very important factors at work here:
1. The process of digitally signing an image requires a special hardware security module (HSM) where the private keys of the code signing certificate are ensconced. It is almost impossible to steal the certificate and private keys from the HSM. The attackers developed a very intimate understanding of the SolarWinds infrastructure.
2. The backdoor code blended into the pristine SolarWinds code base in such a subtle way that it neither attracted the attention of peers who must have reviewed the code or the static analysis tools that look for coding standard violations. The attackers took great pains to stay under the radar.
3. The backdoor maintains total radio silence for two weeks before it activates.
These three factors demonstrate the skill and patience the attackers. Trying to build IOCs to try and contain such a skilled attacker is the equivalent of playing the arcade game of Whack-a-Mole. Finding a kill switch in mid-December 2020 is of no consolation to all those who have been getting attacked since March 2020. Most enterprises will need to rebuild servers and possibly personal endpoints.
Consider Using Application Aware Security Controls
The earliest stages of the attack on SolarWinds can be traced back to some disclosed or undisclosed Remote Code Execution (RCE) vulnerabilities in an email service, and an overly trusting authentication service. For that matter, any public facing server of SolarWinds or any other enterprise could have been used for the initial infiltration and it would have had the same detrimental effect. To really limit exposure, organizations must seriously consider using application-aware security controls that can effectively protect applications and services from RCE attacks even, if they are operating with vulnerabilities.
By contrast, depending on security controls that rely on IOCs is risky. It is important to realize that any security control that needs a threat intelligence feed is really protecting only after the attack has been discovered. In the case of SolarWinds, the attackers had free rein from March to December 2020, when the first IOCs were promptly released by FireEye. During this period, the software infrastructure of over 18,000 SolarWinds customers, including many federal agencies, were exposed.
Cybersecurity leaders now highlight the importance of application-aware security controls as reflected in Gartner’s Cloud Workload Protection Survey and the NIST SP800-53 R5 new SI-7 (17) Control for Software, Firmware, and Information Integrity. In view of the disastrous results of the SolarWinds attack, Virsec suggests this control be implemented with highest priority.
Be Aware of the Highly Expanded Attackable Surface of Workloads in the Cloud
Cloud Providers’ have developed a shared responsibility model that puts the onus on customers to protect any customizable capabilities. An improperly configured cloud service or a vulnerability can provide shell access and then go on to expose critical data (such as user credentials) to an attacker. Make sure to carefully evaluate the risk to your organization when choosing to run sensitive services like authentication in the cloud.