16.03.2021 | Thomas Bühler
Summary of the SolarWinds Attack
Advanced persistent threat (APT) cyberattacks, identity access management (IAM) and authentication management are topics in the field of information security that most security experts have probably dealt with at some point. But why do deficiencies in IAM and authentication management repeatedly lead to APT attacks? And why are they not detected even though existing identities are actively monitored? Using the SolarWinds attack as an example, we will show you how such attacks can be successfully combated.
Summary of the SolarWinds attack
On December 13, 2020, the American security company FireEye reported a large-scale, global cyber attack. The corresponding ICS-CERT Advisory was published on December 17. Many articles were subsequently published in the media.
In summary, the SolarWinds attack can be categorized as an APT attack, in which a command-and-control infrastructure is used to infiltrate companies in a targeted manner. Several affected companies, including Microsoft and FireEye, have reported that the SolarWinds attack not only targeted the local IT infrastructure but also led to data exfiltration from the cloud; specifically, the Microsoft 365 cloud was affected. The data exfiltration was achieved using different attack vectors against the authentication mechanisms: forging access tokens with stolen ADFS token-signing keys, adding malicious identity providers as trusted domains in Azure AD, abusing privileged roles, adding unwanted authentication means for multi-factor authentication, and misappropriating Azure AD cloud applications. The overall goal was to steal important information from the affected institutions. All of these attack vectors belong to the areas of Identity Access Management (IAM) and operational Authentication and Authorization Infrastructure (AAI).
IAM and AAI as core competencies of Temet
Integral IAM and AAI concepts that are embedded in a consistent overall concept could have significantly reduced the impact of some of these attacks. The stolen ADFS token-signing key and the self-issued access tokens serve as an example. A key lesson learned from the incident is that ADFS servers are a Tier 0 system that is highly critical and must be hardened accordingly. Furthermore, traditional protection concepts with WAFs and account or network access restrictions for ADFS servers would have significantly mitigated the attack. A Group Managed Service Account (gMSA) in the IAM concept would have further diminished the success of the attack. A gMSA is a domain account whose password is managed automatically by the domain, and whose administration can be delegated to other administrators.
Role design, a true classic in the field of IAM, is also a key issue here. Specifically, it is about determining which roles are needed where. To make lateral movement of malware more difficult, no unnecessary rights should be synchronized from the on-premises world to the cloud. Sophisticated concepts can also prevent greater damage here. Furthermore, the addition of malicious identity providers in Azure AD can be countered by a well thought-out assignment of rights. If a central authentication and authorization infrastructure is also used, the establishment of uncontrolled federation relationships by individual components is prevented as well.
The abuse of privileged roles is central to APT attacks, as this is how control over the infrastructure is gained. For example, a global administrator in that role can exercise complete control over the Microsoft 365 environment in the cloud. Rights can be fundamentally restricted with an effective need-to-know IAM concept, and the risk can be significantly reduced via a central authentication and authorization infrastructure with risk-based authentication (RBA), anomaly detection and multi-factor authentication (MFA).
The misappropriation of applications in the Azure AD cloud is becoming increasingly popular, as such attacks are extremely promising for the attacker. An attack is rarely suspected behind a familiar application that is used on a daily basis. The basic prerequisite for the secure use of such tools is generally to review the security of a cloud service before it is provisioned. The exercise of rights via delegated permissions, recorded in Azure AD as oAuth2PermissionGrants, also plays a central role, because such delegations can be misused. For example, user mailboxes can be accessed via the Exchange administrator role, or mail settings can be changed. Here too, a central AAI can provide additional security.
Automated processes for reconciling actual access rights to IT systems are a key aspect of identity management and access control. This is also evident in the context of the SolarWinds attack, as the IAM reconciliation function can be used to identify and remove login information for suspicious services and applications. If corresponding concepts are extended to the AAI, abusive means of authentication in the form of unauthorized device registrations can also be detected and removed. One example of this is the comparison of the mobile device management database with the registered devices within the MFA service. If unknown suspicious devices are detected, they must be investigated immediately. Effective anomaly detection can also provide important information.
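The two reconciliation checks described above (review of oAuth2PermissionGrants against an approved inventory, and comparison of MFA device registrations with the MDM database) as an added example; this is not code from the original post or from Temet. The grant records use the field names of Microsoft Graph oAuth2PermissionGrant objects, all sample data is constructed, and the MDM/MFA record format is a simplified assumption.

```python
# Added example (not from the post): reconciliation checks on constructed data.
# Grant records mimic Graph oAuth2PermissionGrant fields
# (clientId, consentType, principalId, resourceId, scope).
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Directory.ReadWrite.All",
                    "full_access_as_user"}


def unknown_mfa_devices(mfa_registrations, mdm_inventory):
    """Return MFA-registered devices the MDM database cannot vouch for.
    mfa_registrations: list of (user, device_id) from the MFA service.
    mdm_inventory: dict device_id -> enrolled user from the MDM database."""
    suspicious = []
    for user, device_id in mfa_registrations:
        owner = mdm_inventory.get(device_id)
        if owner is None:                      # MDM has never seen this device
            suspicious.append((user, device_id, "not enrolled in MDM"))
        elif owner != user:                    # enrolled, but to someone else
            suspicious.append((user, device_id, f"MDM owner is {owner}"))
    return suspicious


def suspicious_grants(grants, approved):
    """Flag grants that deviate from the reviewed inventory.
    approved: dict (clientId, resourceId) -> set of scopes that were reviewed."""
    findings = []
    for g in grants:
        key = (g["clientId"], g["resourceId"])
        scopes = set(g["scope"].split())       # scope is a space-separated string
        allowed = approved.get(key)
        if allowed is None:
            findings.append((g["clientId"], "grant not in approved inventory", scopes))
        elif scopes - allowed:
            findings.append((g["clientId"], "scopes beyond approved set", scopes - allowed))
        if g["consentType"] == "AllPrincipals" and scopes & HIGH_RISK_SCOPES:
            # admin consent for every user combined with mailbox/directory write rights
            findings.append((g["clientId"], "tenant-wide consent with high-risk scope",
                             scopes & HIGH_RISK_SCOPES))
    return findings


# Constructed sample data (hypothetical users, devices and service principals)
MDM_INVENTORY = {"dev-1001": "alice", "dev-1002": "bob"}
MFA_REGISTRATIONS = [("alice", "dev-1001"), ("bob", "dev-1002"),
                     ("bob", "dev-9999"), ("carol", "dev-1001")]
APPROVED_GRANTS = {("sp-outlook-mobile", "sp-graph"): {"Mail.Read", "User.Read"}}
GRANTS = [
    {"clientId": "sp-outlook-mobile", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "Mail.Read User.Read"},
    {"clientId": "sp-outlook-mobile", "consentType": "Principal", "principalId": "alice",
     "resourceId": "sp-graph", "scope": "Mail.Read User.Read Mail.Send"},
    {"clientId": "sp-unknown-sync", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "Mail.ReadWrite Directory.ReadWrite.All"},
]

if __name__ == "__main__":
    for finding in (unknown_mfa_devices(MFA_REGISTRATIONS, MDM_INVENTORY)
                    + suspicious_grants(GRANTS, APPROVED_GRANTS)):
        print(finding)
```

In a real tenant the grant list would come from the Graph oAuth2PermissionGrants endpoint and the device lists from the MFA and MDM services; every finding is an item to investigate, not an automatic removal.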
Outlook
It is currently difficult to predict what the future will bring in the area of APT attacks. It can be assumed that attacks will continue to be perfected and that incidents similar to the SolarWinds attack will occur again and again. It can also be observed that government-related organizations such as UNC2452 (in the case of the SolarWinds attack) are often behind such attacks. They appear to have the necessary resources to carry out highly specialized attacks.
Unfortunately, not all APT attacks can be successfully prevented. Nevertheless, companies should invest in their cybersecurity resilience as a precautionary measure in order to minimize major cyber incidents and the associated risks. This investment is an essential building block for ensuring the necessary business continuity, because identity misuse stands at the beginning of every major cyberattack.
At Temet, we support you as a customer in achieving your specific security goals. Test our extensive security know-how now.