Don't Wait, Keep Ahead of Hackers
Updated: Mar 16, 2022
One of the keys to making progress on securing an environment is not waiting to implement big-bang solutions that seem like they should fix everything. Start now, start small – every improvement makes a difference.
Since the SolarWinds hack became public late last year, Hybrid Pathways has been helping enterprise clients scope out their response to the compromise. Unpacking the numerous bulletins, blogs and detection tools has led to some critical areas to focus on as part of the response efforts.
While most of the specifics are currently Microsoft-centric, items such as federation, privilege management and monitoring transcend platforms, and similar controls can be identified within solutions such as Google G Suite and the other major cloud service providers.
The recommendations below are foundational to a properly secured and managed cloud environment. These recommendations should be top of mind even if the SolarWinds incident was not impactful to a given environment. Taken individually, the best practices below will each improve the security of an environment. Together, they provide a multiplicative improvement in security.
Some areas to examine for potential improvement:
Secure and manage the lifecycle of all cryptographic secrets, including directory federation keys:
Lateral movement in the SolarWinds compromise was achieved in large part by exploiting federation to and from the Microsoft cloud. Protection of the keys used to sign federated authentication requests often lags behind that of other patterns such as encryption of data in transit and at rest. Managing these keys as part of the broader company key management lifecycle is an immediate step to consider if not already in place. Additionally, establishing a federated trust to a collaboration platform such as Microsoft Office 365 or Google G Suite is an event that generally should not happen more than once across a period of several years; any configuration change in this area should be actively monitored and should clearly stand out as anomalous.
Activate add-on Privileged Identity and Access Management features in your existing technology:
Making the changes to federation components noted in the prior bullet requires some level of elevated privilege, and the use of privileged identity and access management tools stands out more than ever as a critical control in any large enterprise. You may already own tools that just need to be turned on, or that can be activated for a nominal charge. Microsoft Office 365 offers built-in capabilities (assuming advanced licensing) for privilege check-in/check-out; the Microsoft Rapid Modernization Plan (RAMP), the replacement for ESAE/PAWS, offers administrative segregation via the Azure cloud; and a tool such as your Thycotic implementation offers robust privileged role and privileged session-based capabilities.
Utilize an Indicator of Compromise (IoC) Tool:
The majority of the post-event tools are designed to search for a very predictable set of indicators of compromise (IoCs) within the Office 365 and Azure platforms. These IoCs can and should be added to current security monitoring tools to detect any future attempts to exploit similar attack vectors. Additionally, tools such as Alsid (being acquired by Tenable) are purpose-built to identify the potential for exploits of critical identity capabilities such as Active Directory, and the more that “identity as a perimeter” becomes a reality vs. a slogan, the more critical these identity components become.
Secure code development and code acquisition lifecycle:
While most of the MITRE ATT&CK® techniques in the CISA bulletin that reference the software lifecycle likely point to the initial compromise of the SolarWinds Orion product, standard controls should certainly be considered: scanning code repositories for plaintext secrets, validating third-party software digital signatures prior to installation (noting that in the case of SolarWinds Orion the compromised code appears to have been legitimately signed), and the use of application analysis tools such as Veracode.
Use the network and network services as a control point:
While many of the mitigation recommendations focus on limiting lateral movement through improved identity and access management controls, many clients are now doubling down on their “zero-trust” efforts, leveraging logical network controls and micro-segmentation solutions such as Unisys Stealth to restrict system-to-system connectivity to only those “transactions” required to achieve a specific business task. Microsoft RAMP is often the entry point here, as network segmentation was a key element of control even in its predecessor, ESAE/PAWS. While not specifically segmentation related, DNS tunneling was also leveraged as part of the SolarWinds event, and capabilities such as DNS filtering or properly tuned network IPS signatures can help protect against this technique.
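The DNS tunneling point above is one that a SIEM can check for directly, before any vendor signature exists. The following is an added example (not code from Hybrid Pathways or any tool named on this page) that scores resolver log lines per registered domain on the count, length and Shannon entropy of the leading subdomain labels, the shape that tunneled data and DGA-style names produce; the log format, thresholds and the naive two-label registered-domain rule are all assumptions for the sake of the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines: "<time> <client> <qtype> <qname>". The four
# example-cdn.test queries carry 16-character random-looking labels, the pattern
# a tunnel or DGA produces; the example.test traffic is ordinary.
SAMPLE_DNS_LOG = """
2021-01-05T10:00:01 10.0.0.5 A www.example.test
2021-01-05T10:00:02 10.0.0.5 A mail.example.test
2021-01-05T10:00:03 10.0.0.5 A api.example.test
2021-01-05T10:00:04 10.0.0.5 A vpn.example.test
2021-01-05T10:00:05 10.0.0.9 A 7h3k9x2m4q8w1z5r.updates.example-cdn.test
2021-01-05T10:00:06 10.0.0.9 A p0c6v1b3n8m2a5s7.updates.example-cdn.test
2021-01-05T10:00:07 10.0.0.9 A k4j8h2g6f0d3s9a1.updates.example-cdn.test
2021-01-05T10:00:08 10.0.0.9 A z9y7x5w3v1u8t6s4.updates.example-cdn.test
""".strip().splitlines()

def shannon_entropy(s):
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname, depth=2):
    # Naive (assumption): last `depth` labels. Production code should use a public-suffix list.
    return ".".join(qname.rstrip(".").split(".")[-depth:])

def find_dns_tunnel_candidates(lines, min_unique=4, min_len=12, min_entropy=3.5):
    """Group queries by registered domain and flag domains that receive many
    distinct, long, high-entropy leading labels. Returns {domain: stats}."""
    per_domain = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        _, client, _, qname = parts
        dom = registered_domain(qname)
        sub = qname[:-len(dom) - 1] if qname.endswith("." + dom) else ""
        per_domain[dom].append((client, sub))
    hits = {}
    for dom, entries in per_domain.items():
        subs = {s for _, s in entries if s}
        if len(subs) < min_unique:
            continue  # a handful of hostnames is normal for any domain
        leading = [s.split(".")[0] for s in subs]
        avg_len = sum(map(len, leading)) / len(leading)
        avg_ent = sum(map(shannon_entropy, leading)) / len(leading)
        if avg_len >= min_len and avg_ent >= min_entropy:
            hits[dom] = {"unique_subdomains": len(subs), "avg_label_len": round(avg_len, 1),
                         "avg_entropy": round(avg_ent, 2), "clients": sorted({c for c, _ in entries})}
    return hits
```

On the sample log only example-cdn.test is flagged: example.test also has four distinct subdomains, but its short, low-entropy hostnames fall well under the length and entropy thresholds. Tune the thresholds against a week of your own resolver logs, since CDNs and some SaaS providers legitimately use long hashed labels.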
Cybersecurity breaches of all types will continue to occur and evolve, especially as more people work remotely and the attack surface expands. Companies need to take continuous steps forward in securing their changing environments.
Some of the key data sources that highlight the items discussed can be found below.
The first is the initial release from the US Cybersecurity & Infrastructure Security Agency.
Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations | CISA
Building from that release is an evolving set of guidance focused on post-compromise threat activity in Microsoft cloud environments. This started with the release of the Sparrow tool (essentially a PowerShell script that searches for specific log patterns) but has been enhanced to include additional tools such as the open-source Hawk and the CrowdStrike Azure Reporting Tool. For both Sparrow and Hawk, the PowerShell code can easily be analyzed and the search queries/parameters incorporated into a standard SIEM tool for continuous monitoring.
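The federation-change monitoring called for in the first recommendation and the Sparrow/Hawk-style log searches just described come down to the same check: every audit-log operation that alters a domain's federation or authentication trust is an alert, because such changes should be years apart. The following is an added example (not Hybrid Pathways' code and not taken from Sparrow or Hawk) that runs that check over constructed records shaped like Search-UnifiedAuditLog output; the operation names are modelled on Azure AD audit entries and are an assumption to verify against your own tenant's exported logs, as is the approved_admins allowlist.

```python
import json

# Audit-log operations that alter the federation / authentication trust of a
# tenant. Names are modelled on Azure AD unified audit log entries; treat them
# as an assumption and verify against your own tenant's exported logs.
FEDERATION_OPS = {
    "Set federation settings on domain.": "federation settings changed",
    "Set domain authentication.": "domain switched between managed/federated",
    "Add service principal credentials.": "credential added to a service principal",
}

# Constructed sample records in the shape of Search-UnifiedAuditLog output,
# where AuditData is a JSON string inside each record.
SAMPLE_RECORDS = [
    {"CreationDate": "2021-01-04T09:12:44", "AuditData": json.dumps({
        "Operation": "UserLoggedIn", "UserId": "alice@example.test",
        "Workload": "AzureActiveDirectory", "ClientIP": "198.51.100.7"})},
    {"CreationDate": "2021-01-04T23:58:01", "AuditData": json.dumps({
        "Operation": "Set federation settings on domain.",
        "UserId": "svc-backup@example.test",
        "Workload": "AzureActiveDirectory", "ClientIP": "203.0.113.5"})},
    {"CreationDate": "2021-01-05T08:30:10", "AuditData": json.dumps({
        "Operation": "Set domain authentication.",
        "UserId": "idadmin@example.test",
        "Workload": "AzureActiveDirectory", "ClientIP": "198.51.100.7"})},
]

def find_federation_changes(records, approved_admins=frozenset()):
    """Return one alert per record whose Operation is in FEDERATION_OPS.
    Federation changes should be years apart, so every hit is an alert;
    actors outside approved_admins (an assumed allowlist) are rated high."""
    alerts = []
    for rec in records:
        data = json.loads(rec["AuditData"])
        op = data.get("Operation")
        if op not in FEDERATION_OPS:
            continue
        actor = data.get("UserId", "<unknown>")
        alerts.append({
            "time": rec["CreationDate"],
            "actor": actor,
            "operation": op,
            "why": FEDERATION_OPS[op],
            "client_ip": data.get("ClientIP"),
            "severity": "high" if actor not in approved_admins else "medium",
        })
    return alerts
```

Calling find_federation_changes(SAMPLE_RECORDS, {"idadmin@example.test"}) yields two alerts: a high-severity one for the service account that changed federation settings overnight, and a medium-severity one for the approved identity admin. Even the medium hit deserves a ticket; the allowlist only changes who gets paged first.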
Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments | CISA
Mandiant has released an excellent document detailing a number of remediation and hardening strategies again focused on the Microsoft cloud. There is a detailed section on Active Directory Federation Services (ADFS) that offers guidance that could apply to any federation pattern, well beyond the specific Microsoft cloud components.
Microsoft is moving away from the ESAE/PAWS model for clients (even as they continue to use it themselves); the best starting point for the updated guidance (Rapid Modernization Plan or RAMP) can be found below.
Securing privileged access overview | Microsoft Docs
The following two links are interesting breakdowns of the use of DNS by SUNBURST, the first covering the Stage 1 operations and the second Stage 2. These are both very interesting (and detailed) reads.
SolarWinds: How a Rare DGA Helped Attacker Communications Fly Under the Radar | Symantec Blogs (security.com)
Targeting Process for the SolarWinds Backdoor - NETRESEC Blog
Check Point response to SolarWinds supply chain attack
Using CHIRP to Detect Post-Compromise Threat Activity in On-Premises Environments | CISA