The Role of Admin Credentials in the SolarWinds Attack

I wanted to share my thoughts on the SolarWinds attack that has been used to target government agencies as well as other private and public companies. FireEye has an excellent write-up ( Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor ), and I encourage everyone to read it to become familiar with the exploit and the attack paths. In the next few months I expect a number of companies to announce they have been impacted, and many more will unfortunately not announce it publicly.

Key attacker strategies:
The use of lateral movement from system to system using compromised administrator credentials

Early indicators show the responsible party is a nation-state actor. One of the key strategies of nation-state actors is to minimize their footprint to evade detection. This attack uses sophisticated methods to obfuscate the malware delivery (a trojanized SolarWinds Orion update) and its payload, and then pivots to lateral movement using compromised administrative credentials.

Figure: The role of administrator credentials in enabling attacker lateral movement

The Challenge with Detection:
Hard to differentiate between a valid credential and a compromised one during lateral movement

The lateral movement stage is very difficult to detect, and this is the technique with which attackers are most successful at evasion. Whether the adversary is a nation-state actor, a ransomware operator, or something else, lateral movement using compromised admin credentials continues to be one of the leading methods in cyber attacks today. The greatest challenge with lateral movement is that, from the endpoint's point of view, an authentication with a valid credential looks the same whether the credential is being used legitimately or maliciously; only the pattern of use (which hosts, how many, how fast) differs.
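To make the detection problem concrete, here is an added example (not code from the original post) that runs a simple fan-out heuristic over constructed authentication events. The records mimic the fields of a Windows Security logon event (account, target host, logon type 3 for network logons); the account and host names, the baseline, and the thresholds are assumptions for illustration. Each individual event is indistinguishable from routine admin work; only the spread across hosts in a short window, and the appearance of hosts the account has never touched before, separates the two accounts.

```python
"""Lateral-movement fan-out heuristic over constructed logon events.

Added example, not from the original post or from any vendor. The records below
are constructed to resemble Windows Security logon events (network logon, type 3);
account names, hosts and thresholds are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a backup service account touching its two file servers, and
# an admin account whose credential suddenly sweeps six hosts in about 30 seconds.
SAMPLE_LOGONS = [
    # (timestamp, account, target host, logon type)
    ("2020-12-14T02:00:05", "CORP\\svc-backup", "fs01", 3),
    ("2020-12-14T02:00:07", "CORP\\svc-backup", "fs02", 3),
    ("2020-12-14T02:01:10", "CORP\\ops-admin", "web01", 3),
    ("2020-12-14T02:01:14", "CORP\\ops-admin", "web02", 3),
    ("2020-12-14T02:01:19", "CORP\\ops-admin", "db01", 3),
    ("2020-12-14T02:01:23", "CORP\\ops-admin", "dc01", 3),
    ("2020-12-14T02:01:30", "CORP\\ops-admin", "app01", 3),
    ("2020-12-14T02:01:41", "CORP\\ops-admin", "app02", 3),
    ("2020-12-14T09:15:00", "CORP\\ops-admin", "web01", 10),  # later interactive RDP, ignored
]

# Assumed per-account baseline: hosts each account has been seen on historically.
BASELINE = {
    "CORP\\svc-backup": {"fs01", "fs02"},
    "CORP\\ops-admin": {"web01", "web02"},
}


def _network_logons(events):
    """Group network (type 3) logons by account as sorted (time, host) pairs."""
    by_account = defaultdict(list)
    for ts, acct, host, ltype in events:
        if ltype == 3:
            by_account[acct].append((datetime.fromisoformat(ts), host))
    for evs in by_account.values():
        evs.sort()
    return by_account


def distinct_host_fanout(events, window=timedelta(minutes=10), threshold=5):
    """Return {account: peak distinct hosts reached within any `window`} for
    accounts whose peak meets `threshold`. Sliding window per account."""
    alerts = {}
    for acct, evs in _network_logons(events).items():
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({h for _, h in evs[start:end + 1]}))
        if peak >= threshold:
            alerts[acct] = peak
    return alerts


def never_before_seen_hosts(events, baseline):
    """Return {account: sorted hosts outside the account's baseline}, the signal
    that distinguishes a credential wandering off its usual footprint."""
    novel = {}
    for acct, evs in _network_logons(events).items():
        extra = {h for _, h in evs} - baseline.get(acct, set())
        if extra:
            novel[acct] = sorted(extra)
    return novel


if __name__ == "__main__":
    print(distinct_host_fanout(SAMPLE_LOGONS))
    print(never_before_seen_hosts(SAMPLE_LOGONS, BASELINE))
```

The two functions intentionally need a baseline and a tuned threshold: a backup service account legitimately fans out across its file servers, so a fixed threshold alone produces either noise or misses, which is exactly why credential-based lateral movement is hard to catch with detection alone.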

Response & Prevention with Zero Trust Privileged Access:
Remove 24×7 administrator access so lateral movement cannot occur, even if the initial intrusion succeeds.

While it is difficult to detect lateral movement, with the right tools it is feasible to contain and prevent it by placing your administrators into a Zero Trust privileged access model. The first step is to revoke all the standing access a credential has on endpoints, so that a stolen credential cannot be replayed from host to host. Once standing access is removed, any request for access is validated with multi-factor authentication (MFA) and granted back on a time-limited, resource-limited basis to minimize risk. The current industry recommendation is a Zero Trust for Privileged Access model built from Zero Standing Privilege (ZSP) and Just-in-Time Access (JITA). Removing standing admin privileges across large sets of workstations and servers (ZSP) dramatically reduces an attacker's ability to move laterally from endpoint to endpoint. Just-in-Time Access incorporates MFA to dynamically provision an admin onto the specific system, for just the amount of time they need, without impeding business operations. A successfully deployed ZSP/JITA model would have removed the standing administrator credentials on which the lateral-movement phase of the SolarWinds attack depended; it does not prevent the supply-chain compromise itself, but it confines the attacker to the initially compromised host.
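The following added example (not code from the original post or from any product) simulates the ZSP/JITA broker described above: the grant table starts empty, an admin is provisioned onto exactly one host only after an MFA check, every grant carries an expiry capped by policy, and the endpoint-side authorization check consults the grant table instead of standing group membership. The account and host names, the `mfa_verified` flag and the time-to-live values are assumptions; in a real deployment the grants would drive membership of the endpoint's local administrators group.

```python
"""Zero Standing Privilege / Just-in-Time access broker (simulation).

Added example, not from the original post or from any vendor. Account and host
names, the `mfa_verified` input and the TTL values are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Grant:
    """One time-boxed admin entitlement scoped to a single host."""
    account: str
    host: str
    expires: datetime


@dataclass
class JitBroker:
    # ZSP: the grant table is empty until someone asks, and every entry names one host.
    grants: set = field(default_factory=set)
    audit: list = field(default_factory=list)
    max_ttl: timedelta = timedelta(hours=1)  # policy cap on any requested duration

    def request(self, account, host, mfa_verified, now, ttl=timedelta(minutes=30)):
        """JITA: provision admin on exactly one host for a bounded time, after MFA."""
        if not mfa_verified:
            self.audit.append(("DENY", account, host, "mfa-required"))
            return None
        grant = Grant(account, host, now + min(ttl, self.max_ttl))
        self.grants.add(grant)
        self.audit.append(("GRANT", account, host, grant.expires.isoformat()))
        return grant

    def is_admin(self, account, host, now):
        """Endpoint-side check: is this account an admin on this host right now?
        Expired grants are purged lazily so access disappears without an explicit revoke."""
        for g in list(self.grants):
            if g.expires <= now:
                self.grants.discard(g)
                self.audit.append(("EXPIRE", g.account, g.host, g.expires.isoformat()))
        allowed = any(g.account == account and g.host == host for g in self.grants)
        self.audit.append(("ALLOW" if allowed else "DENY", account, host, now.isoformat()))
        return allowed


def scenario():
    """An admin receives JIT access to web01. The same credential, stolen, is then
    tried against db01 during the grant and against web01 after it expires."""
    t0 = datetime(2020, 12, 14, 2, 0)
    broker = JitBroker()
    # Without MFA the request is refused outright.
    assert broker.request("CORP\\ops-admin", "web01", mfa_verified=False, now=t0) is None
    broker.request("CORP\\ops-admin", "web01", mfa_verified=True, now=t0)  # 30-minute grant
    return {
        "web01_during": broker.is_admin("CORP\\ops-admin", "web01", t0 + timedelta(minutes=5)),
        "db01_during": broker.is_admin("CORP\\ops-admin", "db01", t0 + timedelta(minutes=5)),
        "web01_after": broker.is_admin("CORP\\ops-admin", "web01", t0 + timedelta(minutes=31)),
    }


if __name__ == "__main__":
    print(scenario())
```

The point of the simulation is the shape of the two checks: the credential itself is never invalidated, yet it is useless on any host other than the one it was just-in-time provisioned for, and useless on that host once the window closes. The audit list also shows why this model helps detection as a side effect: every DENY on a host with no matching grant is a concrete, attributable event rather than an ambiguous valid logon.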

Figure: The role of ZSP / JITA in containing attacker lateral movement
