Executive summary

Last week the Cybersecurity Infrastructure and Security Agency (CISA), a division of the Department of Homeland Security, advised that there was an advanced persistent threat compromise of government agencies, critical infrastructure, and private sector organizations.

“This threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.” – CISA

The attack successfully took advantage of weaknesses in traditional security models to compromise a large number of organizations. The vectors used in this attack are mitigated in Zero Trust Network Access (ZTNA), which uses a modern cybersecurity architecture.

Read on to learn:

  • What happened in the attack
  • How to protect your business
  • Why this is important
  • What the next steps are

What happened in the attack

The SolarWinds Hack was a two phase attack which allowed the attacker to forge security certificates, gaining access to applications that trusted that certificate, from there the attacker was then able to move laterally to attack other systems. Below is a brief summary of how the hack was carried out, more complete summaries of the attack are available online.

Phase 1

The attack, which is estimated to have begun in March 2020, inserted code into the development software for Orion, SolarWind’s network management tool. The malicious code was then pushed to production machines around the globe. This is known as a supply-chain attack; by targeting suppliers upstream it is possible to introduce vulnerabilities into their service which can then be readily exploited once distributed.

Phase 2

The vulnerability introduced in the first phase allowed attackers to access on-premise components of the Orion tool, although there was little they could do with this tool it did allow them to steal SAML-tokens from the organization using them. These tokens could then be used to forge security certificates which allowed the attacker to gain access to the organization’s network. From here the attacker was then able to move laterally, compromising other systems connected to the network, to complete the attack.

How to protect your business – A Zero Trust approach is required

While organizations could have done little to prevent the first phase of the SolarWinds Hack, as the infrastructure that was attacked was outside their control, the second phase could have been mitigated. By moving away from the traditional perimeter-based security model to a ZTNA architecture organizations can prevent the attacker from using the methods in the second phase of the SolarWinds Hack.

The ZTNA architecture is different from traditional technologies in two critical ways, which will mitigate future threats of this kind:

  • Strong user authentication and device verification – Certificates are traditionally assigned to indicate who can be trusted and who can’t, however as shown by this attack they can be easily forged. Zero Trust requires every user and device to prove who they are and that they are secure before providing access. By requiring multiple factors to be verified and continuously reviewing them, ZTNA ensures that only trusted individuals gain access.
  • Network micro-segmentation – Once access has been granted ZTNA applies strict policies on what that individual can access. Whether they are human or machine, their permissions are restricted to the bare minimum via a practice known as least-privilege. Traditional technologies give users unfettered access to everything on the network, enabling the lateral movement seen in the SolarWinds hack. Micro-segmentation logically separates each application allowing administrators to be extremely granular with how assign permissions.

Why this is important

The attack showed such scale and sophistication that it has triggered many leading technology companies to issue guidance and security recommendations. The CISA has indicated that a high degree of effort will be required to remove the threat, which will be very costly.

“Removing this threat actor from compromised environments will be highly complex and challenging for organizations.” – CISA

This means that this form of attack will have a bigger financial impact on businesses than traditional attacks which can already result in lost earnings and regulatory fines. Additionally, with over 18,000 organizations impacted, the reward from executing this type of attack appears to be worth the effort and patience, potentially incentivising future attackers. Organizations should use this event as a catalyst to implement ZTNA to protect themselves.

What this means for you

Technology teams should review the impact of the hack on their business directly and through the services they consume from third-parties. As it is highly likely that we will see variations of the attack, as it is repurposed and modified by the original attacker and other bad actors, so action should be taken to mitigate similar attacks.

Action list:

  • Review SolarWind’s guidance and identify any impact on your infrastructure
  • Remediate any potential vulnerabilities due to the attack as necessary
  • Conduct a review of authentication and lateral movement practices
  • Create and begin to implement a ZTNA program to prevent similar threats

To learn more about Zero Trust Network Access and how you can begin implementing it within your business today please contact our cybersecurity experts.