The compromise of SolarWinds' ubiquitous network management software, announced today, is the most recent reminder of how vulnerable existing networks can still be, even with the layers of security tools and policies that have built up over the last several decades. History may show this to be the most extensive and impactful cybersecurity attack ever: the vulnerability allowed complete compromise of network traffic and hosts for more than 425 of the US Fortune 500, all ten of the top US telecommunications companies, all branches of the military, the top five US accounting companies, and hundreds of universities and colleges.
What was compromised?
According to a blog post from Microsoft’s Threat Intelligence Center, “An intrusion through malicious code in the SolarWinds Orion product results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials… An intruder using administrative permissions acquired through an on-premises compromise can gain access to an organization’s trusted SAML token-signing certificate. This enables them to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts… (These SAML tokens) can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate.”
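The practical consequence of the quoted Microsoft description is that a token signed with a stolen signing certificate passes every signature check, so the defender's signal has to come from somewhere other than cryptography. One such signal is reconciling what service providers accepted with what the identity provider actually issued. The following Python script is an added example, not code from the original post or from Microsoft or SolarWinds; the tab-separated log format, the 60-minute lifetime policy, and all hosts and subjects are constructed assumptions.

```python
"""Flag accepted SAML assertions that the IdP never issued.

Added example (not from the original post). Signature validation cannot
catch an assertion forged with the real signing key, so this reconciles
the service provider's acceptance log against the IdP's issuance log:
an accepted assertion with no matching issuance event, a subject that
differs from the issued one, or a lifetime longer than IdP policy is
reported for investigation.

Assumptions (hypothetical): both logs are tab-separated with the columns
shown below, the IdP never issues assertions valid for more than 60
minutes, and the SP records the assertion ID the IdP wrote.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample IdP issuance log:
# assertion_id  subject  issue_instant  not_on_or_after
IDP_LOG = """\
_a1b2\talice@example.test\t2020-12-13T09:00:00\t2020-12-13T10:00:00
_c3d4\tbob@example.test\t2020-12-13T09:05:00\t2020-12-13T10:05:00
"""

# Constructed sample SP acceptance log, same columns; the third record was
# never issued by the IdP and carries a one-year validity window.
SP_LOG = """\
_a1b2\talice@example.test\t2020-12-13T09:00:00\t2020-12-13T10:00:00
_c3d4\tbob@example.test\t2020-12-13T09:05:00\t2020-12-13T10:05:00
_ffff\tadmin@example.test\t2020-12-13T09:30:00\t2021-12-13T09:30:00
"""

MAX_LIFETIME = timedelta(minutes=60)  # assumed IdP policy


@dataclass
class Assertion:
    assertion_id: str
    subject: str
    issue_instant: datetime
    not_on_or_after: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.not_on_or_after - self.issue_instant


def parse_log(text: str) -> list:
    """Parse tab-separated log lines into Assertion records."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        aid, subject, issued, expires = line.split("\t")
        rows.append(Assertion(aid, subject,
                              datetime.fromisoformat(issued),
                              datetime.fromisoformat(expires)))
    return rows


def find_suspect_assertions(idp_text: str, sp_text: str,
                            max_lifetime: timedelta = MAX_LIFETIME) -> list:
    """Return (assertion_id, subject, [reasons]) for each suspicious acceptance."""
    issued = {a.assertion_id: a for a in parse_log(idp_text)}
    findings = []
    for accepted in parse_log(sp_text):
        reasons = []
        original = issued.get(accepted.assertion_id)
        if original is None:
            reasons.append("no matching IdP issuance event")
        elif original.subject != accepted.subject:
            reasons.append("subject differs from issued assertion")
        if accepted.lifetime > max_lifetime:
            reasons.append("lifetime exceeds IdP policy")
        if reasons:
            findings.append((accepted.assertion_id, accepted.subject, reasons))
    return findings


if __name__ == "__main__":
    for aid, subject, reasons in find_suspect_assertions(IDP_LOG, SP_LOG):
        print(f"{aid} ({subject}): {', '.join(reasons)}")
```

The check depends on the IdP log being trustworthy and on the SP recording assertion IDs; where the IdP itself is on the compromised network, the issuance log should be treated as evidence to be corroborated rather than ground truth.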
The compromise of a trusted network management system, which necessarily needs visibility into virtually all hosts, network devices and traffic, can lead to the compromise of the entire network, all applications and users, giving potential attackers unfettered access to the organization’s entire online business. According to the SolarWinds Security Advisory, the attackers are “an outside nation state”. In other words, with targets across the entire federal government and all branches of the military, this is nothing less than full cyber warfare.
The Initial Response
The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, which sets out required steps against this attack. Among other steps, which include forensically imaging system memory and analyzing stored network traffic for indications of compromise, CISA requires:
- Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
- Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.
This level of remediation is potentially disastrous to many organizations, which must quickly block all online traffic from any network where any version of this ubiquitous network management software resides. For example, this remediation step could have been the cause of the service outages across many Google platforms and YouTube the very same morning.
What can we learn from this attack?
When a trusted piece of the infrastructure becomes compromised, as in this case with code injected into the SolarWinds system, there is virtually no security infrastructure that can detect and remediate the attack on the fly. But we can see that the usual approaches to infrastructure security are not enough, and that updated approaches to secure network segmentation can not only restrict the propagation of attacks that spoof user credentials but can also lead to much more rapid remediation with centralized policy controls.
Organizations need to start thinking about a security methodology that relies less on blocking specific traffic by policy and moves actively toward a zero trust, positive security model that explicitly states which traffic between users and hosts is allowed, or whitelisted. They also need to be much more granular in network design, adopting micro-segmentation techniques that can be implemented at scale. Micro-segmentation and zero trust security implementations limit internal damage and compromise when an attacker gains a foothold in the network. The specifically allowed access points and credentials can prevent lateral spread by the attacker or malicious code. In addition, the most sophisticated next generation network security approaches can render hosts completely invisible on the network to compromised or unauthorized hosts. This is far more secure than the current situation, where compromised devices can probe other hosts for vulnerabilities and access points.
Reducing Complexity is the Key to Rapid Mitigation
But perhaps the biggest obstacle to responding to an attack such as this SolarWinds vulnerability is the complexity and scale of our existing cybersecurity infrastructure. Layers of existing security policies, distributed to potentially hundreds of devices across a large organization, from different vendors and providing a myriad of security services, usually require weeks to update in the best of times. In the middle of a security breach, when time is of the essence, simplicity, elegance and agility are required. And that requires a new security methodology.
The CISA remediation steps outlined above require that all access from known-compromised networks and hosts be removed within minutes or hours. Only a centralized, cross-vendor security policy infrastructure with cleanly stated access policies that can be quickly updated and checked can do that. From a central system, access can be pulled from specific compromised points, and perhaps the bulk of legitimate online business can proceed. But that’s only if policies are organized and visibility is clean. No more patchwork security additions over time that lead to security by obfuscation. A clean, clear centralized store of whitelist policies for access to otherwise invisible network hosts and assets provides the most advanced and easy-to-manage infrastructure for organizations going forward.
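To make the two preceding ideas concrete (an explicit whitelist with default deny, and a centralized store from which access for a compromised host can be pulled in one operation and immediately checked), here is an added Python model. It is not code from the original post or from any vendor; the group names, hosts and ports are constructed samples, and the `PolicyStore` API is hypothetical.

```python
"""Centralized default-deny allowlist with one-step quarantine.

Added example (not from the original post). Every flow is denied unless an
explicit allow rule between host groups covers it, all rules live in one
store, and quarantining a host both removes its access and returns the list
of flows that were pulled so responders can see the business impact.

All names are hypothetical; the sample policy is constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AllowRule:
    src_group: str
    dst_group: str
    port: int


@dataclass
class PolicyStore:
    groups: dict = field(default_factory=dict)     # group -> set of hosts
    rules: set = field(default_factory=set)        # explicit AllowRule set
    quarantined: set = field(default_factory=set)  # hosts with all access pulled

    def add_host(self, group: str, host: str) -> None:
        self.groups.setdefault(group, set()).add(host)

    def allow(self, src_group: str, dst_group: str, port: int) -> None:
        self.rules.add(AllowRule(src_group, dst_group, port))

    def groups_of(self, host: str) -> set:
        return {g for g, hosts in self.groups.items() if host in hosts}

    def is_allowed(self, src: str, dst: str, port: int) -> bool:
        """Default deny: only an explicit rule, and no quarantine, permits a flow."""
        if src in self.quarantined or dst in self.quarantined:
            return False
        return any(AllowRule(s, d, port) in self.rules
                   for s in self.groups_of(src)
                   for d in self.groups_of(dst))

    def reachable_from(self, host: str) -> set:
        """Every (dst, port) the host may currently reach; empty means invisible."""
        reach = set()
        for rule in self.rules:
            if rule.src_group not in self.groups_of(host):
                continue
            for dst in self.groups.get(rule.dst_group, ()):
                if self.is_allowed(host, dst, rule.port):
                    reach.add((dst, rule.port))
        return reach

    def quarantine(self, host: str) -> list:
        """Pull all access for one host; return the flows removed, sorted."""
        removed = self.reachable_from(host)
        self.quarantined.add(host)
        return sorted(removed)


def build_sample_policy() -> PolicyStore:
    """Constructed sample: a management host, workstations, a web tier, a DB."""
    p = PolicyStore()
    p.add_host("nms", "orion-01")          # hypothetical management host
    p.add_host("workstations", "ws-101")
    p.add_host("workstations", "ws-102")
    p.add_host("web", "web-01")
    p.add_host("db", "db-01")
    p.allow("nms", "web", 161)             # management polling (SNMP)
    p.allow("nms", "db", 161)
    p.allow("workstations", "web", 443)    # users to the web tier only
    p.allow("web", "db", 5432)             # web tier to the database only
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    print("pulled:", policy.quarantine("orion-01"))
    print("workstation still served:", policy.is_allowed("ws-101", "web-01", 443))
```

Because rules are expressed between groups and evaluated from one store, the emergency step is `quarantine("orion-01")` rather than a search through per-device rule sets; the returned list doubles as the record of what legitimate traffic (here, management polling) was sacrificed.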
Immediate Action Required
As for an immediate response, organizations should follow the CISA remediation steps outlined above, including removing all SolarWinds software from the network until it can be patched and brought back online. Assume networks and systems that have been managed and monitored by SolarWinds to be completely compromised. Until the SAML tokens can be recreated and reverified, such systems should be offline to other hosts.
It’s quite possible that extremely secure military and similar networks would not have chosen to deploy the latest releases of network software and so would not have become vulnerable to this attack. SolarWinds has stated that the vulnerability was introduced in their supply chain in the March timeframe, or later, so legacy SolarWinds deployments prior to the March release may be less of an immediate concern. However, to the extent that DOD networks and others are interconnected with networks that could potentially have been compromised, such internetwork traffic could be at risk or could have been intercepted. General interagency communication should be minimized for the time being until networks can be remediated and confirmed free of the vulnerability. This is also an issue, although potentially less so, for civilian and corporate networks, which have fewer deep ties to hyper-secure systems.