The fallout from the massive security breach known as SolarWinds continues, as multiple Congressional committees have begun digging into the “whys” and “hows” of the incident.
Those inquiries brought a quartet of corporate executives to a hearing by the Senate Committee on Intelligence last week. Their message: preventing another SolarWinds style attack is unlikely, while big changes in both tools and processes are needed to respond to such attacks.
The four executives: Microsoft President Brad Smith, FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and George Kurtz, the CEO of CrowdStrike provided perspectives on the incident both as victims of the attack (with the exception of CrowdStrike) and as companies that had done much of the work of analyzing the attack and educating the world about what happened. They faced an audience of sympathetic, but concerned, lawmakers.
“The big question is ‘how did we miss this and what are we still missing and how do we make sure that something like this ...never happens again?’” said Senator Marco Rubio of Florida.
‘Kumbaya’ on Security Fundamentals
The answers to those questions from the assembled executives were remarkably harmonious, but also hinted at the difficulty of addressing the underlying problems that set the stage for the SolarWinds compromise.
There was plenty of low hanging fruit to pick. Organizations need to disclose cyber incidents when they occur and share information with their peers and the government so that awareness of ongoing campaigns is widespread, the executives agreed. “The basic problem is that information exists in silos in the government and in companies and it doesn’t come together,” said Smith. “It is time to talk about- and take action to impose -in an appropriate manner- some notification obligation on entities in the private sector,” he said.
Organizations of all stripes should adopt “zero trust” networking within their IT environments to protect against the kind of lateral movement that characterized the SolarWinds compromise (and most other breaches, as well). SolarWinds CEO Ramakrishna said his company is embracing zero trust concepts and secure development methodologies, after being roundly criticized for failing to detect the compromise of its software build system. Microsoft’s Smith and Crowdstrike CEO George Kurtz also called for organizations to adopt that model as a replacement “today’s antiquated authentication architecture.”
There was also agreement that the federal government needed to do more to coordinate public and private response to sophisticated cyber attacks. Mandia of Crowdstrike cited the Federal Aviation Administration’s (FAA’s) Aviation Safety Reporting System as one existing, “non-punitive” model that could be adapted to tracking cyber security threats and attacks
Almost everyone who testified agreed that software development organizations (and that’s pretty much everyone these days) need to embrace secure development lifecycle methodologies to produce more secure and resilient software. Among them: SolarWinds, which Ramakrishna said would be adopting secure development lifecycle methodologies to produce a “best in class secure software development model.” Better ‘late’ than ‘never,’ I suppose.
Looking past that low-hanging security fruit and up to the higher branches, however, the executives noted some areas of deep concern.
First, while the SolarWinds Orion was a major vector of attack in this incident, it wasn’t the only means by which companies were compromised. Mandia of FireEye placed the SolarWinds on a “multi decade” timeline of sophisticated Russian incursions into U.S. government and corporate networks. Smith of Microsoft noted that the SolarWinds attackers used other means to gain access to target environments as well, including less sophisticated “password spraying” attacks.
More worrying: both he and Ramakrishna noted that the Sunspot malware that compromised SolarWinds automated build processes for the Orion product was easily adaptable to other development environments. “To me, this is a more portable attack than just SolarWinds,” Mandia said. Ramakrishna agreed. “It poses a great risk of automated supply chain attacks to many software development companies since the software processes that SolarWinds uses are common,” he told the senators.
Adieu for AD?
Finally, both Kevin Mandia and George Kurtz sent up warning flares about what Kurtz described as the “systemic weaknesses in Windows authentication architecture” - namely: Microsoft’s Active Directory and Active Directory Federated Services (ADFS).
The SolarWinds attackers’ first target after gaining a foothold on victims’ networks were the “keys and tokens” needed to disappear within those environments, Mandia said. “We had a first hand account of what they did,” he said. “They went for keys and tokens (and) basically stole your identity architecture so they could access your networks the way our people did,” he said.
Kurtz said the SolarWinds attackers skill at taking advantage of the limitations of Active Directory and ADFS was among their most impressive feats. So-called Golden SAML attacks on Active Directory and cloud based applications linked via ADFS allowed the SolarWinds attackers to move laterally within the network as well as between network and cloud environments by “creating false credentials, impersonating legitimate users and bypassing multi factor authentication,” Kurtz said.
There’s no easy fix for that problem. Smith suggested that organizations should look to move more of their IT operations to the cloud, noting that Microsoft only became aware of the SolarWinds compromise once the attackers penetrated to cloud-based applications like Office365 that run on infrastructure Microsoft manages. “Until we move more people to the cloud, we will operate with less visibility than we should,” he said.
Kurz, however, cautioned that the problem was bigger than merely migrating to the cloud. Architectural limits in Active Directory and ADFS enabled attacks like Golden SAML that enabled the SolarWinds hackers to bypass two-factor authentication. That attack was first documented in 2017, he noted, and is simply a ‘cloud-scaled’ version of a type of attack he first demonstrated in the late 1990s.
“We need to enhance identity protection and authentication,” Kurz told the senators. “As organizations continue to embrace cloud services and ‘work-from-anywhere’ models, enterprise boundaries continue to erode. This trend increases the risk of relying on traditional authentication measures and further weakens legacy security technologies.”
Microsoft has come to this same conclusion, though Smith revealed little about the company’s internal deliberations at the hearing. As we noted in December, however, Microsoft has released updated guidance as part of its "Privileged Access Strategy" series for customers, abandoning its recommended ‘best practice’ architecture for securing Active Directory on-premises, known as the Enhanced Security Admin Environment (ESAE) or “red forest” architecture.
All of this leaves enterprises and other security-conscious organizations in a tight spot. Many firms continue to support on-premises identity infrastructure. For them Red Forest was Microsoft’s strategy for making AD more resilient to large-scale attacks, such as those from ransomware actors. But now, Microsoft has declared Red Forest dead—even as it continues to implement something similar internally. As QOMPLX CSO Andy Jaquith noted at the time, “on-premise is declared to be an anti-pattern, replaced by many more belts, a closetful of suspenders, and an embrace of the Microsoft cloud, which requires the costly E5 enterprise license.”
Doubling down on AD in the cloud isn’t likely to be an attractive option, especially given the acknowledged faults of on-premises Active Directory. In the short term, Microsoft’s “belts and suspenders” approach may be inevitable. In the longer term, however, look for companies to embrace the calls of Kurz and others to move away from “traditional authentication measures” and towards something else. What- or who that is, we still don’t know.