SolarWinds: Hard Lessons, Actions to Harden
There has been plenty of buzz around the SolarWinds breach and for good reason. Details of the attack and its widespread consequences are coming out in chunks. Expect it to get chunkier in the months ahead. The one thing not really being discussed is what you can do with your existing applications, services, and related Active Directory components to secure your own infrastructure and identities. If there was a silver bullet to protect applications and services, it’d be worth its weight in gold. Alas, there is no one thing, much less 100, that can be done to secure your environment 100%. What’s important is educating your admin and security teams so they can configure service accounts, AD, Group Policy, services, and applications to mitigate imminent threats.
Where does Active Directory fit into the SolarWinds attack and breach?
Historically, attacks and breaches are reported at a high level. That means there are few specifics provided on the initial breach, lateral movement, privilege escalation, and the finer details on how the malicious code performed said breach. There are some attacks, like the one launched against the United Nations, which clearly indicate that Active Directory was the main target in order to move quickly through the network once AD privileges were obtained.
Just recently, FireEye broke down the SolarWinds SUNBURST attack. According to FireEye, if the network did not include Active Directory, the attack would stop.
“The backdoor also determines if the system is joined to an Active Directory (AD) domain and, if so, retrieves the domain name. Execution ceases if the system is not joined to an AD domain.”
SUNBURST Additional Technical Details
This shows that the attackers not only relied on AD, but would move on to a completely different organization if AD was not in the picture. It also shows that although securing applications and services is essential, the attacker needs to move beyond the initial breach to accomplish their goals. To do that, they need to leverage the core of identity management for the organization, which is nearly always Active Directory.
Key attack details
Insights into how the attackers were able to compromise SolarWinds Orion Platform are intriguing, but there are many ways an attacker can enter the environment. In the past, attackers have just come through endpoints using phishing and social engineering attacks. Now they’ve added applications, tools, and services to their list of entry points, as detailed by the Infosecurity Group.
With the SolarWinds attack, the details have shown that the bad actor was able to bypass federated identity solutions and leverage forged authentication tokens, allowing them to move laterally into Microsoft cloud environments with ease. Unsurprisingly, these steps are nearly identical to other attack patterns seen after the first device in the environment is compromised.
Although Microsoft stated on February 4 that its software and tools were not used in any way in the SolarWinds attack, analyses from prominent security vendors indicate otherwise:
Ensuring 100% protection against initial compromise is improbable. Each new breach proves that. However, we can learn from the SolarWinds post-breach details (and other notable attacks) that the goal is to move laterally and gain privileges within Active Directory. Once this is achieved, movement to the rest of the network and devices is dead simple to execute and hard to detect.
The biggest lesson is also the simplest: always be ready for anything! Attackers are moving at a breakneck pace, developing innovative ways to infiltrate our networks, move laterally, and gain privileges. Thus, we need to match and exceed their innovation to get ahead of them. This requires, in the context of security, both prevention and detection solutions.
First, the concept of least privilege must be used at every turn. Everything from endpoints to domain controllers needs to be configured with least privilege access, from the OS level up to third-party services. If the minimum privilege an account needs still allows it to make changes in Active Directory, then additional steps must be taken to protect that account. PAM and IAM solutions are not enough, although they are a good start. Since attackers are targeting the weaknesses exposed in AD, the existing weaknesses in AD must be mitigated ASAP.
Second, with AD being the main lateral movement and privilege escalation target in this attack, securing all AD accounts is paramount. This means that not only do the accounts and their settings need to be secured, but security needs to be maintained. 24×7 automatic analysis solutions that can detect complex relationships between AD objects/attributes and AD controls (ACLs, configurations, trusts, etc.) should be included. The attackers are using enumeration tools that “sit and wait” for an AD threat to be exposed, which they can then act upon swiftly. Detecting these attack pathways in real time will give the organization the head start to shut down any new threats as soon as they are uncovered.
Finally, attack detection solutions need to be in place. Nearly all the reports indicate that password spraying and password guessing techniques were used to compromise not only normal accounts, but privileged ones. Yes, increasing password complexity and length is a good start, as are MFA solutions. Until organizations reach that level of password security, however, real-time detection of password-related attacks must be implemented so the IT staff and security team are informed immediately and can halt the attack.
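A starting point for the real-time detection called for above, as an added example rather than anything from the original article: it groups failed-logon events (ID 4625) in a domain controller's Security log by source address and reports sources that tried many distinct accounts, which is the signature of a spray rather than guessing against one user. The thresholds and the one-hour window are assumptions to tune per environment; Kerberos pre-authentication failures are logged as event 4771 instead and would need a second query of the same shape.

```powershell
# Added example, not from the original article. Flags password-spray patterns in the
# Windows Security log: one source IP, many distinct target accounts, few tries each.
# Requires rights to read the Security log on the target (normally a domain controller).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 1,                  # assumption: look-back window
    [int]$MinDistinctAccounts = 10    # assumption: distinct accounts per source to alert on
)

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pull the fields we need out of each event's XML payload.
$rows = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time       = $e.TimeCreated
        TargetUser = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        SourceIp   = ($data | Where-Object Name -eq 'IpAddress').'#text'
        Status     = ($data | Where-Object Name -eq 'Status').'#text'   # 0xC000006A = wrong password
    }
}

$rows |
    Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |
    Group-Object SourceIp |
    ForEach-Object {
        $users = @($_.Group.TargetUser | Sort-Object -Unique)
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            SourceIp         = $_.Name
            Failures         = $_.Count
            DistinctAccounts = $users.Count
            # A spray has a low attempts-per-account ratio; brute force against one user does not.
            PerAccount       = [math]::Round($_.Count / [math]::Max($users.Count, 1), 1)
            FirstSeen        = $times[0]
            LastSeen         = $times[-1]
            SampleAccounts   = (($users | Select-Object -First 5) -join ', ')
        }
    } |
    Where-Object { $_.DistinctAccounts -ge $MinDistinctAccounts } |
    Sort-Object DistinctAccounts -Descending |
    Format-Table -AutoSize
```

Scheduling this every few minutes and forwarding non-empty output to the SIEM or a ticket queue gives the "inform immediately" behaviour the paragraph asks for without a dedicated product.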
Since every organization is facing an unprecedented threat level, action should be taken immediately to protect the data, network, and organization as a whole. At a minimum, address the following tasks for applications, services, and the Active Directory environment as soon as possible:
Applications and services
- Configure any service accounts with least privileges (both in the application/service and AD)
- Limit the service account logon access to only the machines where the application/service is running
- Patch and update to the latest version of the product
- Configure the application/service with the most secure options
- Ensure all ports and communication protocols are secured
- Isolate the machines from the network where possible, only allowing communications with other essential devices
Active Directory
- Perform an in-depth, broad evaluation of the existing domain controllers and AD-related security settings
- Mitigate any and all existing threats related to domain controllers and AD
- Ensure Group Policy is being leveraged to push security settings to user and computer accounts
- Ensure Group Policy is secured for management and access
- Ensure AD is secured for management and access
- Implement a solution able to monitor for new threats as they appear
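One way to check the least-privilege and logon-restriction items of the list against a domain, as an added example that is not part of the original article: it treats every user carrying a service principal name as a service account (an assumption; substitute your own naming convention if that fits better) and reports privileged-group membership, missing logon-workstation restrictions, and stale or non-expiring passwords. It assumes the ActiveDirectory RSAT module and read access to the domain; the 365-day age limit is a placeholder for your own rotation policy.

```powershell
# Added example, not from the original article. Audits AD service accounts (assumed here
# to be users carrying an SPN) for the checklist items: privileged group membership,
# no LogonWorkstations restriction, and stale or non-expiring passwords.
Import-Module ActiveDirectory

$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators'
$maxPasswordAgeDays = 365   # assumption: align with your service-account rotation policy

# Resolve privileged membership once, including nested groups, keyed by account name.
$privOf = @{}
foreach ($g in $privGroups) {
    foreach ($m in (Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue)) {
        $privOf[$m.SamAccountName] += @($g)
    }
}

$props = 'servicePrincipalName', 'LogonWorkstations', 'PasswordLastSet',
         'PasswordNeverExpires', 'adminCount', 'Enabled'

Get-ADUser -Filter 'servicePrincipalName -like "*"' -Properties $props |
    ForEach-Object {
        $findings = @()
        if ($privOf.ContainsKey($_.SamAccountName)) {
            $findings += 'member of ' + ($privOf[$_.SamAccountName] -join ', ')
        }
        if ($_.adminCount -eq 1)       { $findings += 'adminCount=1 (AdminSDHolder-protected)' }
        if (-not $_.LogonWorkstations) { $findings += 'no LogonWorkstations restriction' }
        if ($_.PasswordNeverExpires)   { $findings += 'password never expires' }
        if (-not $_.PasswordLastSet) {
            $findings += 'password never set'
        } elseif ((New-TimeSpan -Start $_.PasswordLastSet).Days -gt $maxPasswordAgeDays) {
            $findings += "password age $((New-TimeSpan -Start $_.PasswordLastSet).Days) days"
        }
        [pscustomobject]@{
            Account           = $_.SamAccountName
            Enabled           = $_.Enabled
            SPNs              = ($_.servicePrincipalName -join '; ')
            LogonWorkstations = $_.LogonWorkstations
            Findings          = ($findings -join '; ')
        }
    } |
    Where-Object { $_.Findings } |
    Sort-Object Account |
    Format-Table -AutoSize -Wrap
```

Accounts that come back with "no LogonWorkstations restriction" can be pinned to the hosts that actually run the service with `Set-ADUser -Identity <account> -LogonWorkstations 'host1,host2'`, which implements the second list item directly in AD.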
Together, this will create a solid foundation upon which other solutions in your environment can work to fill the security gaps among your devices and network. SIEMs, AD monitoring, firewalls, EDR, etc. all work with solutions that can secure AD. There is no one solution that does it all, so a layered and broad set of solutions is best.
It’s unfortunate that it takes a breach of the caliber of SolarWinds to get organizations to evaluate their security only now. Nearly all the lessons and suggestions are far from new. Most breaches can be negated with good security practices and hygiene. Of course, some attacks can still succeed, but with fewer consequences and less fallout. We must be diligent and put security first, so that all industries can reduce attack surfaces and negate more attacks. Following the actions outlined here is a great starting point. Fortunately, they require relatively minimal effort. In any organization, creating a layered and broad set of security solutions for all devices and networks is mission critical.