In the cyber world, it turns out that a ton of prevention is actually only worth an ounce of a cure. Especially if there is no one available for a diagnosis or prescription. By its own reckoning, having burrowed so deep into foreign cyber networks, the government should have been able to detect or disrupt the massive Russian-sponsored cyber compromise of the SolarWinds Orion software and the follow-on campaign inside customers’ networks.
For years, the defend forward strategy has been akin to Sherlock Holmes's shadowy and quirky group of tipsters, embedded everywhere in society: if they reported unusual doings back to him, he would know something big was amiss, because his sources were everywhere. Intuitively, it makes sense: the more you work to prevent something, the better off you will be. But the scale of the SolarWinds breach shows how default human intuitions are simply unsuited to the complexities and realities of a highly connected and interdependent digital domain.
Turn Big Events Into Little Ones
The best way to respond to major cyber intrusions is to turn big events into little ones. That is to say, detection and diagnosis are key. Most major ransomware events, headline-grabbing data breaches, and large insurance losses share a common factor: silent failures, or detection that is far too slow relative to how long the threat has been active, drive disproportionate negative impacts. If we are to build resilience into our critical systems, we must devote more attention to our ability to detect and respond to serious events. Too many cybersecurity practitioners focus undue attention on the digital equivalent of the common cold or an average seasonal flu year. Attacks on the core protocols and trust assumptions of modern networks are catastrophic risks - where are the calls for more thoughtful discourse from our digital epidemiologists?
So let's focus on what real-world breach detection entails: noticing when someone unauthorized gets in and gets past the standard perimeter and endpoint security devices. The supply chain angle of the SolarWinds breach is a distraction from the real issue, which lies in the later stages of the attack inside end customers' networks.
Just like Pinocchio's wish to be a real boy, every attacker wishes to become real, authenticated traffic on a network. That is why foundational identity providers and protocols were exploited and used by the attackers. Vulnerabilities and protocol limitations allow attackers to move from their initial entry point to their target. The entry point can be a compromised SolarWinds Orion build, a phishing email, or a misconfigured internet-facing server. There are myriad ways to initiate an attack; what they have in common is what happens next.
The lateral movement techniques in the SolarWinds supply chain attack are impressive but not fundamentally new. QOMPLX and Microsoft have both published extensively on on-premises identity attacks since 2014. CyberArk and QOMPLX have both published research since 2017 on cloud authentication forgeries and federated identity attacks that allow a compromised on-premises environment to compromise cloud environments.
Detection Is The Key
If the government had detected the attempts to abuse authentication protocols and forge Kerberos tickets and SAML tokens, it could have responded rapidly. A forged ticket or token is cryptographically valid by construction - it is signed with a stolen key - so it passes every signature check and can only be caught by its context: a service ticket for an account that was never issued a TGT, or a cloud sign-in backed by a SAML token the federation server never logged issuing. Since the attackers were not detected during the critical lateral movement and privilege escalation phase, they became legitimate traffic on the target networks, blending in with all other authorized users and bypassing other security controls.
Let’s underscore what this actually means. Russian-sponsored operators became administrators of parts, or in some cases the entirety, of target networks in government and corporate clients. This includes the ability to add or modify users, access or change data, or modify other services and configurations. It also means they likely set up ways to regain access to these networks later, even if part of their operation might get caught.
In fact, this same basic problem -- bad actors forging credentials or creating fake identities to gain access to a system, and then finding ways to steal data to later exploit, sell or ransom -- has become a mainstay of both ransomware gangs and nation-state cyber espionage tradecraft. The same tools and protocols are used by companies and governments around the world.
An Eye On Privileges And Authentication
The second way to reduce harm is to minimize the blast radius of any given intrusion. You can only do that if you have deep visibility into privileges and authentication events in the network. This requires specialized instrumentation and analytics. Even though identity security and authentication protocol weaknesses were a major underlying factor in the 2014 breach at the Office of Personnel Management, there are still no widespread controls across the federal government to address pervasive security issues in network authentication.
Many of the government agencies and companies that initially rushed to declare that SolarWinds had "no impact" on them did not collect or retain adequate information about authentication events, DNS logs, or external proxy data, with enough archival history to investigate the breach over the entire suspected window. Since many organizations never collected all of the relevant data, or deleted portions of it as it aged, many announcements claiming "no evidence of a breach" said less about the breach than about inadequate defensive practices. Ensuring long-term storage and sufficiently detailed data collection would be a force multiplier for post-incident containment and response efforts, and the federal government should direct considerable effort here. Failing to record a robbery, or to bother installing an adequate security system, is not grounds for stating there is no evidence of a crime.
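The two points above - catching forged Kerberos tickets and SAML tokens by their context, and refusing to claim "no evidence" when the logs do not cover the window - can be turned into concrete checks. The following is an added example written for this page, not code from the original article or from any of the vendors it names. It runs over constructed sample events whose field layout is a simplified assumption: real domain controller events 4768 (TGT issued) and 4769 (service ticket requested), ADFS token-issuance events, and cloud sign-in records carry many more fields than shown here. The three checks are the ones a responder would actually run: a federated cloud sign-in with no on-premises issuance event behind it (the Golden SAML signature), a service-ticket request for an account that was never issued a TGT or that uses RC4 when the domain uses AES (a golden ticket lead), and a per-source count of how many days of the investigation window each log source cannot answer for.

```python
"""Detection checks over constructed authentication events (added example).

Event shapes are simplified assumptions, not the real schemas of ADFS,
Windows security logs or cloud sign-in logs.
"""
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # Kerberos etype often seen in tickets forged from an NTLM hash
TGT_MAX_LIFETIME = timedelta(hours=10)  # default domain policy for a TGT
SAML_CORRELATION_WINDOW = timedelta(minutes=5)  # cloud sign-in should closely follow on-prem issuance


def ts(s):
    return datetime.fromisoformat(s)


# --- constructed sample events (not real logs) ---
ADFS_ISSUED = [  # federation server recorded issuing a token (assumed shape)
    {"time": ts("2020-12-10T09:00:00"), "user": "alice@corp.example"},
]
CLOUD_SIGNINS = [  # cloud IdP sign-ins completed with a federated SAML token (assumed shape)
    {"time": ts("2020-12-10T09:00:20"), "user": "alice@corp.example"},
    {"time": ts("2020-12-10T11:30:00"), "user": "svc-backup@corp.example"},  # nothing issued on-prem
]
DC_EVENTS = [  # domain controller security log: 4768 = TGT issued, 4769 = service ticket requested
    {"time": ts("2020-12-10T08:55:00"), "event": 4768, "user": "alice", "etype": 0x12},
    {"time": ts("2020-12-10T09:10:00"), "event": 4769, "user": "alice", "etype": 0x12},
    {"time": ts("2020-12-10T13:00:00"), "event": 4769, "user": "administrator", "etype": RC4_HMAC},
]
RETENTION_START = {  # earliest record each source still holds (assumed)
    "adfs": ts("2020-11-01"),
    "domain_controller": ts("2020-12-01"),
    "cloud_signin": ts("2020-06-01"),
}


def unissued_saml_signins(signins, issued):
    """Federated sign-ins with no ADFS issuance for the same user shortly before.

    A token the cloud accepted but the federation server never issued is the
    trace of a token minted with a stolen signing key (Golden SAML): the
    signature verifies, only the missing issuance event gives it away.
    """
    suspicious = []
    for s in signins:
        backed = any(
            i["user"] == s["user"]
            and timedelta(0) <= s["time"] - i["time"] <= SAML_CORRELATION_WINDOW
            for i in issued
        )
        if not backed:
            suspicious.append(s)
    return suspicious


def orphan_service_tickets(events):
    """4769 events with no 4768 for that account within TGT lifetime, or RC4 etype.

    A forged TGT (golden ticket) is never issued by the DC, so its first trace is
    a service-ticket request with no preceding TGT event. Caveat: renewals and
    cross-domain referrals can look the same; treat hits as leads, not verdicts.
    """
    tgts = [e for e in events if e["event"] == 4768]
    flagged = []
    for e in events:
        if e["event"] != 4769:
            continue
        reasons = []
        has_tgt = any(
            t["user"] == e["user"]
            and timedelta(0) <= e["time"] - t["time"] <= TGT_MAX_LIFETIME
            for t in tgts
        )
        if not has_tgt:
            reasons.append("no TGT issued for account within lifetime")
        if e["etype"] == RC4_HMAC:
            reasons.append("RC4 encryption type")
        if reasons:
            flagged.append((e["user"], reasons))
    return flagged


def coverage_gaps(retention_start, window_start, window_end):
    """Days of the investigation window each log source cannot answer for.

    A non-zero gap means "no evidence found" is a statement about missing data,
    not about the absence of a breach.
    """
    gaps = {}
    for source, first_record in retention_start.items():
        missing = max(timedelta(0), min(first_record, window_end) - window_start)
        gaps[source] = missing.days
    return gaps


if __name__ == "__main__":
    print("unissued SAML sign-ins:", unissued_saml_signins(CLOUD_SIGNINS, ADFS_ISSUED))
    print("orphan service tickets:", orphan_service_tickets(DC_EVENTS))
    print("coverage gaps (days):", coverage_gaps(RETENTION_START, ts("2020-03-01"), ts("2020-12-15")))
```

On the sample data the svc-backup sign-in is flagged because no on-premises issuance precedes it, the administrator service ticket is flagged on both counts, and with a suspected window starting 1 March the domain controller logs are blind for 275 of its days, so none of the three sources can support a "no evidence" claim for that window. The correlation windows and the RC4 heuristic are assumptions to tune per environment; in a domain that still legitimately uses RC4 the etype check is noise.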
As the Biden administration sorts out its cyber priorities, defending our homeland should be front and center. Proper investment in our people and cultural acknowledgment that cybersecurity defenders have an extremely important role to play is key. Rapid detection and response is much more likely to impose asymmetric costs on our adversaries than our current approaches demonstrate. Gaining sufficient observability, building appropriate response capacity, and then developing more mature risk management via consequence-based scenarios is both necessary and urgent.