Among the many lessons from SolarWinds’ unprecedented cyberattack, there’s one that most businesses haven’t quite grasped yet: Identity infrastructure itself is a prime target for hackers.
That’s according to Gartner’s Peter Firstbrook, who shared his take on the biggest lessons learned about the SolarWinds Orion breach at the research firm’s Security & Risk Management Summit – Americas virtual conference this week.
The SolarWinds attack, which is approaching the first anniversary of its disclosure, has served as a wake-up call to the industry because of its scope, sophistication, and method of dissemination. Attackers compromised the software supply chain by inserting malicious code into the SolarWinds Orion network monitoring application, which was then distributed as an update to approximately 18,000 customers.
The breach went undetected for a long time. The attackers, who were linked to Russian intelligence by US authorities, reportedly had access for nine months to “some of the most sophisticated networks in the world,” including cybersecurity firm FireEye, Microsoft and the US Treasury Department, said Firstbrook, a research vice president and analyst at Gartner. Other federal agencies affected included the Departments of Defense, State, Commerce and Homeland Security.
Firstbrook spoke about the SolarWinds attack, first disclosed on December 13, 2020 by FireEye, during two Gartner summit talks this week. The identity security implications of the attack should be a priority for businesses, he said during the sessions, which included a question-and-answer session with reporters.
Focus on identity
Asked by VentureBeat about its biggest takeaway from the SolarWinds attack, Firstbrook said the incident demonstrated “identity infrastructure is a target.”
“People have to recognize it, and they don’t,” he said. “This is my biggest message to people: you spent a lot of money on identity, but it’s mostly how to let the good guys in. You really have to spend the money to figure out when this identity infrastructure is compromised and to maintain that infrastructure.”
Firstbrook cited an example in which the SolarWinds hackers were able to bypass multi-factor authentication (MFA), which is often cited as one of the most reliable ways to prevent an account takeover. The hackers did this by stealing a web cookie, he said. This was possible because the technology in use was outdated yet still classified as MFA, according to Firstbrook.
“You must maintain that [identity] infrastructure. You need to know when it was compromised and when someone has already obtained your credentials, or steals your tokens and presents them as real,” he said.
Managing digital identities is notoriously difficult for businesses, and many suffer from the proliferation of identities, including human, machine, and application identities (as in robotic process automation). A recent study commissioned by identity security provider One Identity found that almost all organizations (95%) report challenges in managing digital identity.
The SolarWinds attackers took advantage of this weakness in identity management. In a session with Gartner’s full conference Thursday, Firstbrook said the attackers were actually “primarily focused on attacking the identity infrastructure” during the SolarWinds campaign.
Other techniques deployed by the attackers included stealing passwords that allowed them to elevate their privileges (known as kerberoasting); theft of SAML certificates, which let them authenticate to cloud services; and creating new accounts on the Active Directory server, according to Firstbrook.
With these successes, hackers were at one point able to use their presence in the Active Directory environment to move from the on-premises environment where the SolarWinds server was installed to the Microsoft Azure cloud, he said.
“Identities are the connective tissue that attackers use to move sideways and to move from one domain to another,” Firstbrook said.
Identity and access management systems are “clearly a rich targeting opportunity for attackers,” he said.
Microsoft recently released details of another attack believed to come from the same Russian-linked attack group Nobelium which involved an implant for Active Directory servers, Firstbrook said.
“They were using this implant to infiltrate the Active Directory environment – to create new accounts, steal tokens and be able to move sideways with impunity – because they were an authenticated user in the environment,” he said.
Tom Burt, corporate vice president at Microsoft, said in a blog post in late October that a “wave of Nobelium activity this summer” included attacks on 609 customers. There were nearly 23,000 attacks on these customers between July 1 and October 19, “with a single-digit success rate,” Burt said in the post.
Identity infrastructure monitoring
A common question in the wake of the SolarWinds breach, Firstbrook said, is how to prevent a supply chain attack from affecting your business.
“The reality is you can’t,” he said.
While companies must do their due diligence as to which software to use, of course, the chances of detecting a malicious implant in another vendor’s software are “extremely low,” Firstbrook said.
What businesses can do is be prepared to respond in the event that this should happen – and a central part of that is to keep a close eye on identity infrastructure, he said.
“You want to monitor your identity infrastructure for known attack techniques and start thinking more about your identity infrastructure as your perimeter,” Firstbrook said.
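As an added illustration of what monitoring identity infrastructure for the known techniques named above can look like in practice, here is example detection logic that is not from the article, from Gartner or from any vendor named in it. It runs over a handful of constructed sample events (not real logs) and flags three patterns: an account requesting many RC4-encrypted Kerberos service tickets for different services (the usual kerberoasting footprint in Windows event 4769), new Active Directory accounts created by someone outside an approved list (event 4720), and a web session cookie presented from more than one client address and user agent (the stolen-cookie MFA bypass). The event field names and the threshold of three tickets are assumptions for the example, not a standard.

```python
"""Toy identity-infrastructure detectors over constructed sample events."""
from collections import defaultdict

# Constructed Windows Security events (not real logs); field names are
# simplified assumptions rather than the exact XML schema.
WINDOWS_EVENTS = [
    {"id": 4769, "account": "alice@CORP", "service": "MSSQLSvc/db01.corp.local", "etype": "0x12"},
    {"id": 4769, "account": "alice@CORP", "service": "http/web01.corp.local", "etype": "0x17"},
    {"id": 4769, "account": "alice@CORP", "service": "MSSQLSvc/db02.corp.local", "etype": "0x17"},
    {"id": 4769, "account": "alice@CORP", "service": "cifs/fs01.corp.local", "etype": "0x17"},
    {"id": 4720, "account": "svc-backup2", "creator": "bob@CORP"},
    {"id": 4769, "account": "carol@CORP", "service": "cifs/fs01.corp.local", "etype": "0x12"},
]

# Constructed web access records keyed by session cookie (not real traffic).
WEB_SESSIONS = [
    {"cookie": "sess-A1", "ip": "203.0.113.10", "ua": "Firefox/94"},
    {"cookie": "sess-A1", "ip": "203.0.113.10", "ua": "Firefox/94"},
    {"cookie": "sess-A1", "ip": "198.51.100.77", "ua": "python-requests/2.26"},
    {"cookie": "sess-B2", "ip": "203.0.113.11", "ua": "Chrome/96"},
]

# Kerberos ticket encryption type 0x17 is RC4-HMAC; tickets issued with it
# are the ones offline password cracking targets, so a burst of them from
# one account across many service principals is the classic kerberoasting signal.
RC4_HMAC = "0x17"


def kerberoast_suspects(events, threshold=3):
    """Accounts that requested RC4 service tickets for >= threshold distinct SPNs."""
    spns_by_account = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e.get("etype") == RC4_HMAC:
            spns_by_account[e["account"]].add(e["service"])
    return {a: sorted(s) for a, s in spns_by_account.items() if len(s) >= threshold}


def unapproved_new_accounts(events, approved_creators=frozenset()):
    """(new account, creator) pairs for 4720 events whose creator is not approved."""
    return [
        (e["account"], e["creator"])
        for e in events
        if e["id"] == 4720 and e["creator"] not in approved_creators
    ]


def cookie_reuse(sessions):
    """Session cookies presented from more than one (client IP, user agent) pair."""
    fingerprints = defaultdict(set)
    for s in sessions:
        fingerprints[s["cookie"]].add((s["ip"], s["ua"]))
    return {c: sorted(fp) for c, fp in fingerprints.items() if len(fp) > 1}


if __name__ == "__main__":
    print("kerberoasting suspects:", kerberoast_suspects(WINDOWS_EVENTS))
    print("unapproved new accounts:", unapproved_new_accounts(WINDOWS_EVENTS))
    print("reused cookies:", cookie_reuse(WEB_SESSIONS))
```

In production these checks would read from a SIEM rather than inline lists, and the thresholds would be tuned against a baseline, but the shape is the point: each detector watches the identity layer itself, which is the perimeter Firstbrook describes.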