Next week marks the one-year anniversary of the first disclosure of the SolarWinds hack. On December 13, 2020, FireEye first revealed SUNBURST, a “global intrusion campaign” that ultimately affected more than 18,000 organizations, including the U.S. Departments Commerce, Homeland Security and Treasury, as well as Microsoft, Deloitte and many other private companies. Hackers may have had access for up to 14 months.
The SolarWinds breach resulted in major policy changes and likely informed President Biden’s executive order for all federal information systems to improve their cybersecurity.
But a year on, Gartner Vice President for security risk and privacy Peter Firstbrook says that most companies haven’t grasped one of the main takeaways from the attack: “identity infrastructure itself is a prime target for hackers,” per VentureBeat’s Kyle Alspach.
Firstbrook reviewed those lessons at Gartner’s Security & Risk Management Summit last month, noting that “the identity security implications of the attack should be top of mind for businesses.”
After nearly a year since the SUNBURST news first broke, now is a good time to revisit some of the major lessons we’ve learned since the SolarWinds breach—and why leaders should prioritize identity to prevent something similar from occurring again.
SolarWinds Hackers Targeted Identity
In recapping the SolarWinds campaign, Firstbrook said that the attackers were “primarily focused on attacking the identity infrastructure.”
Addressing business leaders, Firstbrook said: “You’ve spent a lot of money on identity, but it’s mostly how to let the good guys in. You’ve really got to spend some money on understanding when that identity infrastructure is compromised, and maintaining that infrastructure.”
SolarWinds’ identity and access management (IAM) systems were a “rich target opportunity for attackers,” Firstbrook said. The hackers evaded multi-factor authentication by stealing an outdated web cookie; stole passwords using kerberoasting; used SAML certificates to “enable identity authentication by cloud services;” and created new accounts on the Active Directory.
The attackers prioritized identity because it gave them everything they needed: access, the ability to evade authentication and the ability to move beyond their initial breach. “Identities are the connective tissue that attackers are using to move laterally and to jump from one domain to the another,” Firstbrook said.
Identity is the New Perimeter
Supply chain attacks like the SolarWinds breach “manipulate products or product delivery mechanisms” to infect targets downstream. As a more indirect form of attack, they use unwitting accomplices—ultimately making them harder to detect.
When asked how to prevent these attacks from occurring, Firstbrook replied that “the reality is, you can’t.”
Alspach details Firstbrook’s cynicism, noting that “digital identity management is notoriously difficult for enterprises, with many suffering from identity sprawl—including human, machine, and application identities (such as in robotic process automation).”
The problem extends to a business’ vendors: today, even medium-sized businesses deploy hundreds of SaaS apps.
Rather than try to prevent supply chain attacks (or any other specific exploit), Firstbrook advised companies to prepare for threats by shifting their focus. “You want to monitor your identity infrastructure for known attack techniques—and start to think more about your identity infrastructure as being your perimeter.”
Firstbrook is spot on. Today, businesses must accommodate countless vendors, employees working from home, external users and other third parties accessing their ecosystem. With users and use cases expanding exponentially, identity is the one thing that organizations should be able to control in all instances. Whether it’s ransomware, supply chain attacks or the next fad in cybercrime, identity has become the new perimeter.
Best practices for post-SolarWinds identity security:
- Build toward zero trust: Zero trust is a new way of thinking about cybersecurity that eliminates any implicit trust. It treats every user, device, request and application as a possible threat and constantly verifies every entitlement for access and permissions. It’s not a product or a vendor, but a way of thinking about your cybersecurity stance—and the only way to begin building toward zero trust is to begin with identity. Businesses have to start by knowing who their users are, how they’ll authenticate them and what they need access to. Having that foundation allows businesses to create identity-first security.
- Authentication from every platform, to every platform: At this point, multi-factor authentication (MFA) should be a requirement for every organization. The absence of MFA was a major component in the Colonial Pipeline ransomware attack and is a key portion of President Biden’s cybersecurity order. But MFA needs to work however your users do—from Windows and macOS, to FIDO keys and one-time passcodes—and even when your users are offline.
- All passwords are flawed: Some of the earliest reporting on the SolarWinds breach focused on a specific password: ‘solarwinds123’. Lawmakers even castigated SolarWinds for the simple credential; later, it was revealed that the password was for an FTP site and had nothing to do with the breach. But the focus on ‘solarwinds123’ misses the broader point, which is that all passwords are too easy for cybercriminals to crack and too hard for users to remember. They’re insecure, expensive and create friction for legitimate users. For businesses, the solution shouldn’t be instituting more complex passwords. Instead, businesses should eliminate passwords altogether and create password-free environments in which users never have to think about, enter or manage passwords.
- Know who has access to what: If authentication decides who gets access inside a network, then identity governance and administration (IGA) controls what a user can do with that access: IGA allows businesses to set access entitlements to the right resources and for the right resources. It’s a way to prevent users—or bad actors—from moving laterally or beyond a pre-defined role (SolarWinds first blamed an intern on ‘solarwinds123’—an identity governance program would have revealed what that intern could have accessed and what they could ultimately have done with that access). The best solutions will control for “identity sprawl” by automating access certifications and prioritize anomalies and policy violations.
A year later, businesses are still trying to understand “one of the biggest cybersecurity breaches of the 21st century.” That’s in large part because many of the trends that initially contributed to the SolarWinds breach—including identity sprawl, a growing reliance on cloud resources, permanent remote and hybrid configurations and increasing interdependence between users, resources and devices—have only accelerated since December 13, 2020.
Where do we go from here? The only way forward is to recognize (or admit) how complex our operating environments have become and prioritize defending the attributes that recur across each of them. We have to make identity our new perimeter—and put identity first.