{"id":4474,"date":"2020-12-15T14:45:12","date_gmt":"2020-12-15T05:45:12","guid":{"rendered":"https:\/\/cyberenso.jp\/?p=4474"},"modified":"2021-07-14T18:36:51","modified_gmt":"2021-07-14T09:36:51","slug":"the-role-of-admin-credentials-in-the-solarwinds-attack","status":"publish","type":"post","link":"https:\/\/cyberenso.jp\/en\/the-role-of-admin-credentials-in-the-solarwinds-attack\/","title":{"rendered":"The Role of Admin Credentials in the SolarWinds Attack"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

I wanted to share my thoughts on the SolarWinds attack that has been used to target government agencies as well as other private\/public companies. FireEye has an excellent write-up ( Highly Evasive Attacker Leverages SolarWinds Supply Chain to CompromiseMultiple Global Victims With SUNBURST Backdoor<\/a>\u00a0) and I encourage everyone to read it to familiarize yourself with the exploit and attack paths. In the next few months I expect a number of companies to announce they\u2019ve been impacted, and many more will unfortunately not publicly announce it.<\/p>

Key attacker strategies:
<\/strong><\/i>The use of lateral movement from system to system using compromised administrator credentials<\/i><\/h4>

Early indicators show the responsible party is nation-state actor. One of the key strategies of nation-state actors is to minimize footprints to evade detection. This attack uses sophisticated methods to obfuscate the malware delivery and payload, and then pivots to lateral movement using compromised administrative credentials.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t
Figure: The role of administrator credentials in enabling attacker lateral movement<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

The Challenge with Detection:
<\/strong>Hard to differentiate between a valid credential and a compromised one during lateral movement<\/i><\/h4>

The lateral movement strategy is very difficult to detect, and attackers will be most successful at evasion with this technique. Whether it\u2019s a nation state actor, ransomware, or other types of attacks, lateral movement through the use of compromised admin credentials continues to be one of the leading methods used in cyber attacks today.\u00a0The greatest challenge with lateral movement is it\u2019s difficult to know the difference between a valid credential being used legitimately versus maliciously.<\/strong><\/p>

Response & Prevention with Zero Trust Privileged Access:
<\/strong>Remove 24×7 administrator access so lateral movement cannot occur, even if the intrusion occurs.<\/i><\/h4>

While it is difficult to detect lateral movement, with the right tools, it is feasible to contain and prevent by placing your administrators into a Zero Trust privileged access model. It is possible to revoke all the access a credential has to endpoints so they cannot be used for lateral movement. Once the access is removed, any request for access can be validated with multi-factor authentication (MFA) and added back on a time limited, resource limited basis to minimize risk.\u00a0The latest industry recommendation is to adopt a\u00a0Zero Trust for Privileged Access<\/a>\u00a0model that constitutes Zero Standing Privilege (ZSP) along with Just-in-Time Access (JITA). Removing standing admin privileges across large sets of workstations\/servers (ZSP) dramatically reduces the ability of an attacker to laterally move from endpoint to endpoint. Just-in-Time Access incorporates multi-factor authentication to dynamically provision an admin to the specific system, for just the amount time they need without impeding business operations. A successfully deployed ZSP\/JITA model would effectively eliminate lateral movement from the SolarWinds attack.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t
Figure: The role of ZSP \/ JITA in containing attacker lateral movement<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

Reference: https:\/\/www.remediant.com\/blog\/the-role-of-admin-credentials-in-the-solarwinds-attack<\/a><\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

I wanted to share my thoughts on the SolarWinds attack that has been used to target government agencies as well as other private\/public companies. FireEye has an excellent write-up ( Highly Evasive Attacker Leverages SolarWinds Supply Chain to CompromiseMultiple Global Victims With SUNBURST Backdoor\u00a0) and I encourage everyone to read it to familiarize yourself with the exploit and attack paths. [\u2026]<\/span><\/p>\n","protected":false},"author":1,"featured_media":4501,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,12],"tags":[],"class_list":["post-4474","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-latest_news","category-read_article"],"acf":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/cyberenso.jp\/wp-content\/uploads\/2020\/12\/login-1203603_1280.png?fit=1280%2C720&ssl=1","_links":{"self":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/4474"}],"collection":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/comments?post=4474"}],"version-history":[{"count":18,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/4474\/revisions"}],"predecessor-version":[{"id":5056,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/4474\/revisions\/5056"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/media\/4501"}],"wp:attachment":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/media?parent=4474"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/categories?post=4474"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/tags?post=4474"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}