The Role of Admin Credentials in the SolarWinds Attack
by Tim Keeler, on Dec 15, 2020
I wanted to share my thoughts on the SolarWinds attack that has been used to target government agencies as well as other private/public companies. FireEye has an excellent write-up (Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor) and I encourage everyone to read it to familiarize yourself with the exploit and attack paths. In the next few months I expect a number of companies to announce they’ve been impacted, and many more will unfortunately not publicly announce it.
Key attacker strategies:
The use of lateral movement from system to system using compromised administrator credentials
Early indicators show the responsible party is a nation-state actor. One of the key strategies of nation-state actors is to minimize their footprint to evade detection. This attack uses sophisticated methods to obfuscate the malware delivery and payload, and then pivots to lateral movement using compromised administrative credentials.
The Challenge with Detection:
Hard to differentiate between a valid credential and a compromised one during lateral movement
The lateral movement strategy is very difficult to detect, and attackers will be most successful at evasion with this technique. Whether it’s a nation state actor, ransomware, or other types of attacks, lateral movement through the use of compromised admin credentials continues to be one of the leading methods used in cyber attacks today. The greatest challenge with lateral movement is it’s difficult to know the difference between a valid credential being used legitimately versus maliciously.
Response & Prevention with Zero Trust Privileged Access:
Remove 24x7 administrator access so lateral movement cannot occur, even if the intrusion occurs.
While it is difficult to detect lateral movement, with the right tools it is feasible to contain and prevent it by placing your administrators into a Zero Trust privileged access model. It is possible to revoke all the access a credential has to endpoints so it cannot be used for lateral movement. Once the access is removed, any request for access can be validated with multi-factor authentication (MFA) and added back on a time-limited, resource-limited basis to minimize risk. The latest industry recommendation is to adopt a Zero Trust for Privileged Access model that combines Zero Standing Privilege (ZSP) with Just-in-Time Access (JITA). Removing standing admin privileges across large sets of workstations/servers (ZSP) dramatically reduces the ability of an attacker to move laterally from endpoint to endpoint. Just-in-Time Access incorporates multi-factor authentication to dynamically provision an admin to the specific system, for just the amount of time they need, without impeding business operations. A successfully deployed ZSP/JITA model would effectively eliminate lateral movement in the SolarWinds attack.
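As an added illustration of the ZSP/JITA model described above (example code written for this post, not Remediant's code or the SecureONE API), the following Python simulates a broker that issues MFA-gated, single-host, time-limited admin grants and then flags any standing local-admin membership that has no live grant. Host names, account names and the timeline are constructed for the walkthrough.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Grant:
    account: str        # the admin credential being elevated
    host: str           # resource-limited: exactly one system
    expires: datetime   # time-limited: admin rights vanish at this instant

class JitAccessBroker:
    """Zero Standing Privilege: nobody is admin anywhere until a JIT grant exists."""
    def __init__(self, max_ttl=timedelta(hours=2)):
        self.max_ttl = max_ttl   # hard cap on any single access window
        self.grants = []
    def request_access(self, account, host, mfa_verified, now, ttl=timedelta(hours=1)):
        if not mfa_verified:     # no MFA, no grant
            return None
        grant = Grant(account, host, now + min(ttl, self.max_ttl))
        self.grants.append(grant)
        return grant
    def is_admin(self, account, host, now):
        # Admin only on the granted host and only before expiry, so the same
        # credential presented to a second host (lateral movement) is refused.
        return any(g.account == account and g.host == host and now < g.expires
                   for g in self.grants)

def standing_admins_to_remove(local_admins, broker, now):
    """ZSP enforcement: compare observed local Administrators membership per host
    with live grants and report every member that has no current grant."""
    drift = {}
    for host, members in local_admins.items():
        extra = sorted(m for m in members if not broker.is_admin(m, host, now))
        if extra:
            drift[host] = extra
    return drift

def scenario():
    """Constructed walkthrough (sample hosts/accounts, not real systems)."""
    t0 = datetime(2020, 12, 15, 9, 0)
    broker = JitAccessBroker()
    broker.request_access("alice", "srv-01", mfa_verified=True, now=t0)
    later = t0 + timedelta(minutes=30)
    observed = {"srv-01": {"alice", "svc_backup"}, "srv-02": {"alice"}}
    return {
        "no_mfa": broker.request_access("bob", "srv-01", False, t0) is None,
        "granted_host": broker.is_admin("alice", "srv-01", later),
        "lateral_move": broker.is_admin("alice", "srv-02", later),
        "after_expiry": broker.is_admin("alice", "srv-01", t0 + timedelta(hours=1)),
        "drift": standing_admins_to_remove(observed, broker, later),
    }
```

The `drift` result is the list a ZSP enforcer would act on: accounts that still hold standing admin on a host with no JIT grant backing it.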
Help is here if you need it:
Remediant’s SecureONE allows organizations to rapidly and precisely implement ZSP/JITA without having to deploy agents, and continuously monitors/enforces local admin privileges. If you’re dealing with the SolarWinds intrusion (or other relevant cyber attacks) and need to quickly assess or restrict a lateral movement vector, we have rapid-response teams available to assist.
- How to engage us for rapid response
- How Remediant stopped a similar incident
- Our Incident Response methodology