Answers to the SolarWinds Hack Date Back a Decade
So here’s the story. A nation-state attacks a technology company, leveraging a backdoor in a piece of software to infect computers. Then using the infected machines as jumping-off points to move laterally across what was previously thought to be a secure network, the threat actors take aim at targets of interest to the U.S. government. You may think I am talking about the SolarWinds hack. In fact, I am talking about the 2009 attacks on Google and at least 20 other technology companies commonly known as Operation Aurora.
Operation Aurora exposed what many of us already knew – that securing the perimeter of a network through firewalls left the heart of the network vulnerable. A single compromised node on a secure network can put all protected resources at risk, especially when faced with the reality that it’s a challenge to secure every endpoint. Google published an approach that would address this, known as BeyondCorp. It moved the perimeter from the edge of the network to each application and treated every application as unprotected, as if it were connected directly to the internet and needed to be secured with authentication and authorization. BeyondCorp assumes that no user or device can be trusted until it has been evaluated. This approach is better known as Zero Trust, or what Gartner calls CARTA (Continuous Adaptive Risk and Trust Assessment).
There is so much we still don’t know about this latest attack and the damage it has done, but what we do know is chilling. Nation-state hackers, believed by experts to be from Russia, used SolarWinds’ build system to infiltrate their digital supply chain, which was used to deliver software updates. They then distributed a “security update'' that included a backdoor. A follow-on “security update” leveraged the backdoor to add a malicious payload to a select group of targets. Once those devices were compromised, they were used to deliver additional malware and move laterally across the network to attack other systems.
It’s easy to hear the echoes of these two attacks over a decade apart. It shows us that history repeats itself and will continue to if we don’t break the cycle. Cybercriminals exposed more than 5 billion records in 2019, costing U.S. organizations over $1.2 trillion. It also shows us that many of the answers to this challenge exist today.
With more than 20 years of industry experience, I look at most things through an identity lens. When you spend years using hammers, a lot of things look like nails. However, the reality is that some problems are uniquely nail shaped. That is why I see a layered, identity-centric approach that builds on the principles of Zero Trust and BeyondCorp as our best answer to prevent malicious actors from obtaining the initial foothold within an environment as well as reducing the possibility of further lateral attacks. With this model, you can:
- Minimize attack surface by leveraging modern Privileged Access Management (PAM) and identity governance and administration (IGA) techniques. This means enlisting artificial intelligence (AI) and machine learning (ML) to understand and manage appropriate levels of access. By limiting users’ access to the bare minimum needed to do their jobs, risk can be dramatically reduced. According to our 2020 ForgeRock Consumer Identity Breach Report, unauthorized access was the most common attack vector used in 2019, responsible for 40% of all breaches.
- Monitor user and device behavior to create a baseline for “normal” behavior so that anomalous and risky behaviors can be flagged and analyzed quickly and at scale. This is often referred to as user and entity behavioral analysis (UEBA) and is another opportunity to enlist the help of AI and ML. These behavioral changes may be subtle – for instance accessing systems that aren’t typically accessed, logging in at times that don’t make sense, or moving more data than usual. They can also be distinctive at the technology layer by requiring automation and AI to define, and make visible such as logging in from multiple IP's with disparate geographical locations. If an organization understands how a user or device typically behaves, they can quickly address a compromised system before the threat can move laterally across a secure network, dramatically reducing the risk of this type of attack.
- It may be cliché to say that identity is the new perimeter, but if the perimeter moves to each application, the existence of a firewall becomes moot. Scalable technology that can continually validate device posture, user authorization, and authentication is a game changer to preventing a compromised device or user from doing damage via lateral attack.
- A compromised system is a perfect place to steal usernames and passwords – those credentials can be used to access and attack other systems. This is why passwordless and multi-factor authentication (MFA) can eliminate a massive attack vector leveraged in lateral attacks.
There is no silver bullet to solving these problems, and hackers will continue to get more sophisticated. However, the recommendation represents concrete steps that CISOs and other security executives can take to mitigate risks. When we encounter a problem, it is human nature to try to find a new tool to deal with it. But sometimes, the tool has been there all along (or for about ten years).
For more information about how to protect your organization against lateral attacks, visit our Zero Trust solutions page.
ForgeRock Identity Cloud and ForgeRock’s corporate infrastructure was not impacted by the SolarWinds breach. ForgeRock has conducted a full review of its environment and has confirmed that neither the ORION product nor the modules that make up the ORION product exist within our corporate infrastructure. In addition, we are conducting reviews of all critical suppliers to establish any potential risk to operations via our supply chain.