The Three Colors of SolarWinds
SolarWinds: An attack that will live in security infamy
2020 was marred by one of the most far-reaching attacks in the history of cybersecurity. Whether we label it SolarWinds, Orion, or SunBurst, the aftermath has shone a spotlight on the fragility of IT defenses in the face of an organized attack.
It is now clear that a number of companies specializing in cybersecurity have suffered an intrusion tied to the SolarWinds compromise, for example Qualys, Palo Alto Networks, FireEye, Malwarebytes, etc. (source: https://bit.ly/39Uc8O0).
Since the discovery of the mass compromise, many researchers have tried to decipher the entire chain of infection in an attempt to trace the precise attack path.
Classic techniques for major impact
Studying the various reports reveals a striking mix of traditional and innovative methods of attack. Without diving too deep into the details, we can cite the following key elements:
- The attack possesses all the characteristics of a rebound attack via a supply chain (in this case, an IT supplier)
- Use of online password attack techniques such as password guessing (source: https://zd.net/3fV3DFY)
- Use of the Kerberoasting technique against Active Directory (source: https://bit.ly/2Rd63Wa)
- Pivoting from a local attack on Active Directory toward the cloud: a massive attack on online services leveraging misconfigurations in the local network (source: https://bit.ly/2QeN3GA)
It is worth noting the widespread leveraging of system vulnerabilities and Active Directory misconfigurations during the attack.
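Two of the techniques listed above, password guessing and Kerberoasting, leave recognizable traces in Windows Security event logs: a burst of failed logons (event 4625) from one source against many accounts, and a burst of service-ticket requests (event 4769) by one account for many distinct service principal names using the RC4 encryption type (0x17), which is what a Kerberoasting tool typically asks for. The following detection logic is an added example and is not code from the original post, from Alsid, or from the CISA report; the event records are constructed samples with a simplified subset of the real fields, and the time windows and thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos ticket encryption type RC4-HMAC as reported in the 4769 event.
RC4_ETYPE = "0x17"


def _ev(time, eid, user, ip, service=None, etype=None):
    """Build one simplified Security event record (constructed test data)."""
    return {"time": time, "id": eid, "user": user, "ip": ip,
            "service": service, "etype": etype}


# Constructed sample log, not real telemetry.
SAMPLE_EVENTS = (
    # One account pulling RC4 service tickets for six SPNs within a minute.
    [_ev(f"2020-12-01T10:00:{10 * i:02d}", 4769, "svc_scan", "10.0.0.77",
         f"MSSQLSvc/db{i}.corp.local", RC4_ETYPE) for i in range(6)]
    # A normal AES (0x12) service-ticket request by an ordinary user.
    + [_ev("2020-12-01T10:01:00", 4769, "jdoe", "10.0.0.5",
           "HTTP/intranet.corp.local", "0x12")]
    # One source IP failing logons against twelve different accounts.
    + [_ev(f"2020-12-01T11:00:{5 * i:02d}", 4625, f"user{i:02d}", "10.0.0.99")
       for i in range(12)]
    # A user mistyping their own password twice: should not alert.
    + [_ev("2020-12-01T11:00:00", 4625, "jdoe", "10.0.0.5"),
       _ev("2020-12-01T11:00:30", 4625, "jdoe", "10.0.0.5")]
)


def _parse_time(s):
    return datetime.fromisoformat(s)


def _distinct_in_window(records, window, threshold):
    """records: list of (datetime, value). True if some window of length
    `window` ending at one of the records holds >= threshold distinct values."""
    records = sorted(records)
    for i, (t_end, _) in enumerate(records):
        seen = {v for t, v in records[: i + 1] if t >= t_end - window}
        if len(seen) >= threshold:
            return True
    return False


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=5):
    """Accounts that requested RC4 service tickets for many distinct SPNs
    within `window`. Thresholds are assumptions; legitimate scanners or
    monitoring accounts may need an allow-list."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"] == RC4_ETYPE:
            by_user[e["user"]].append((_parse_time(e["time"]), e["service"]))
    return sorted(u for u, recs in by_user.items()
                  if _distinct_in_window(recs, window, min_services))


def detect_password_guessing(events, window=timedelta(minutes=5), min_accounts=10):
    """Source IPs with failed logons against many distinct accounts within
    `window`, the signature of password guessing / spraying rather than of
    a single user's typo."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_ip[e["ip"]].append((_parse_time(e["time"]), e["user"]))
    return sorted(ip for ip, recs in by_ip.items()
                  if _distinct_in_window(recs, window, min_accounts))


if __name__ == "__main__":
    print("Kerberoasting suspects:", detect_kerberoasting(SAMPLE_EVENTS))
    print("Password-guessing sources:", detect_password_guessing(SAMPLE_EVENTS))
```

Both detectors key on a count of distinct targets per actor within a sliding window rather than on raw event volume, which is what separates a roasting or spraying pattern from a busy but legitimate account; in production the same logic would be fed by a SIEM query over 4769 and 4625 events and the thresholds adjusted to the baseline of the directory being monitored.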
A complete study from the Cybersecurity & Infrastructure Security Agency (CISA)
In light of the exceptional impact of this attack, the Cybersecurity & Infrastructure Security Agency (CISA) conducted a comprehensive study, delivering a detailed report on the methods used in the compromise. The agency analyzed the attack path and mapped it to the Tactics, Techniques, and Sub-techniques of the MITRE ATT&CK® Framework.
Complementary analysis and characterization of techniques
Equipped with this information, we have created a color-coded graphic showcasing the different techniques used, defined by the following elements:
- Red: techniques or sub-techniques primarily targeting Active Directory and Windows systems
- Green: techniques or sub-techniques primarily targeting Azure Active Directory and the public cloud
- Yellow: techniques or sub-techniques targeting both the Active Directory infrastructure and the Azure Active Directory cloud service
It turns out that more than 50 percent of the techniques used primarily target Active Directory.
The post-mortem study of cyberattacks is an effective way to reinforce our ability to respond to threats. The landmark nature of the SolarWinds compromise has encouraged extensive analysis, this case study included. Active Directory is at the center of the attack, and it is evident that we must prioritize and protect directory infrastructures. We invite you to consult www.alsid.com to learn how.