I wanted to share my thoughts on the SolarWinds attack that has been used to target government agencies as well as other private/public companies. FireEye has an excellent write-up (Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor) and I encourage everyone to read it to familiarize yourself with the exploit and attack paths. In the next few months I expect a number of companies to announce they’ve been impacted, and many more will unfortunately not publicly announce it.
Early indicators show the responsible party is a nation-state actor. One of the key strategies of nation-state actors is to minimize their footprint to evade detection. This attack uses sophisticated methods to obfuscate the malware delivery and payload, and then pivots to lateral movement using compromised administrative credentials.
The lateral movement strategy is very difficult to detect, and attackers will be most successful at evasion with this technique. Whether it’s a nation-state actor, ransomware, or another type of attack, lateral movement through the use of compromised admin credentials continues to be one of the leading methods used in cyber attacks today. The greatest challenge with lateral movement is that it’s difficult to tell whether a valid credential is being used legitimately or maliciously.
While it is difficult to detect lateral movement, with the right tools it is feasible to contain and prevent it by placing your administrators into a Zero Trust privileged access model. It is possible to revoke all the access a credential has to endpoints so it cannot be used for lateral movement. Once the access is removed, any request for access can be validated with multi-factor authentication (MFA) and added back on a time-limited, resource-limited basis to minimize risk. The latest industry recommendation is to adopt a Zero Trust for Privileged Access model that combines Zero Standing Privilege (ZSP) with Just-in-Time Access (JITA). Removing standing admin privileges across large sets of workstations/servers (ZSP) dramatically reduces the ability of an attacker to move laterally from endpoint to endpoint. Just-in-Time Access incorporates multi-factor authentication to dynamically provision an admin to the specific system, for just the amount of time they need, without impeding business operations. A successfully deployed ZSP/JITA model would effectively eliminate lateral movement from the SolarWinds attack.
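To make the ZSP/JITA idea concrete, here is a small Python model of such a broker, added as an illustration and not code from the original post or any product. The MFA verifier, host names, one-time codes and timestamps are constructed assumptions; the point is that a captured admin credential buys nothing on a host it was never granted for, and nothing at all once its window closes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-in for an MFA provider: user -> currently valid one-time code.
VALID_OTPS = {"alice": "482913"}

def verify_mfa(user: str, otp: str) -> bool:
    return VALID_OTPS.get(user) == otp

@dataclass
class Grant:
    user: str
    host: str
    expires: datetime

class JitBroker:
    """Zero Standing Privilege: nobody is admin anywhere until a grant exists,
    and every grant is bound to exactly one host and one expiry time."""
    def __init__(self):
        self.grants = []
        self.audit = []

    def request_access(self, user, host, otp, minutes, now):
        if not verify_mfa(user, otp):
            self.audit.append(f"DENY  {user}->{host}: MFA failed")
            return None
        grant = Grant(user, host, now + timedelta(minutes=minutes))
        self.grants.append(grant)
        self.audit.append(f"GRANT {user}->{host} until {grant.expires.isoformat()}")
        return grant

    def is_admin(self, user, host, now):
        # Expired grants are dropped on every check, so privilege lapses on its own.
        self.grants = [g for g in self.grants if g.expires > now]
        return any(g.user == user and g.host == host for g in self.grants)

def simulate(now=None):
    """Scenario from the post: alice's admin credential is captured on HOST-A and
    replayed against HOST-B. Returns the outcome of each access check."""
    now = now or datetime(2020, 12, 14, tzinfo=timezone.utc)  # constructed timestamp
    broker = JitBroker()
    broker.request_access("alice", "HOST-A", "482913", minutes=30, now=now)
    return {
        "alice_on_host_a": broker.is_admin("alice", "HOST-A", now),
        # Same valid credential, different host: no grant, so no lateral movement.
        "stolen_cred_on_host_b": broker.is_admin("alice", "HOST-B", now),
        # Without a fresh MFA code, no new grant can be minted for HOST-B.
        "attacker_request_b": broker.request_access("alice", "HOST-B", "000000", 30, now) is not None,
        # After the window closes, even HOST-A reverts to zero privilege.
        "alice_on_host_a_later": broker.is_admin("alice", "HOST-A", now + timedelta(minutes=31)),
        "audit": broker.audit,
    }
```

The audit list is the detection hook: every failed MFA attempt and every grant is recorded, which is exactly the signal that is missing when standing admin rights are used.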