Testimony by key security executives in the US Senate reveals how unprepared most organizations are for supply chain attacks. Here are the lessons security admins should learn from it.

FireEye CEO Kevin Mandia recently testified in front of a United States Senate subcommittee about the SolarWinds attack. Take the time to listen to the presentation, especially Mandia’s chilling description of how the attackers went after FireEye’s Microsoft Windows identity tokens and valid credentials. The only reason they detected the intrusion was because the attackers happened to target a tool that was also being used by a pen-testing firm.

Here is what I believe are the key points regarding supply chain attacks that security and IT admins should take away from that hearing.

Potential supply chain attack victims lack access to the right tools

Brad Smith of Microsoft said in his testimony that they saw the attacker’s behavior only when they entered cloud services. The attackers went after on-premises computers, so Microsoft was unable to see the attacks.

This points out a problem with many of Microsoft’s best security tools. While they are available even to on-premises computers, they are gated behind Microsoft’s most expensive E5 license plan. If Microsoft customers had Microsoft Defender Advanced Threat Protection (ATP) enabled, Microsoft would have seen that key data much earlier. Smith indicated that the need for modern technology was a key mandate that all organizations need to strive for. He implied that going to the cloud makes systems and services more defensible from this sort of attack. I disagree with Smith about moving to the cloud. It is not the only answer, but adding key security cloud services is possible and allows us to be better informed.
I am a fan of Microsoft Defender ATP, which keeps forensic evidence on workstations and provides a near real-time review of unusual activities on your workstations and cloud services.

More information sharing needed

Smith pointed out the problem with information sharing and with keeping our security information in silos. He said we need to put in place laws to mandate more disclosure and information sharing. He pointed out that sometimes separate departments of the government are unable to share information because of privacy mandates and other reasons.

Authentication systems can be exploited

George Kurtz, president/CEO and co-founder of CrowdStrike, said that the attacker took advantage of systemic weaknesses in the Microsoft authentication architecture. They were able to move laterally within the network as well as between the on-premises and the cloud services by creating false credentials, impersonating legitimate users, and bypassing multi-factor authentication (MFA). The threat actor used unique IP addresses to deploy command-and-control servers. Attackers don’t normally use a unique address for each target, which is what makes it easier to correlate different attacks; this group did.

The enterprise boundary is no longer at our firewall. Traditional security technologies and legacy authentication techniques are now our biggest weakness. The attackers took advantage of the limitations of the Active Directory Federation Service. The golden SAML attack allowed them to jump from on-premises systems to cloud systems, effectively bypassing MFA. Users and administrators must get used to re-authentication and to establishing permissions for each device.

Policies and practices regarding threats from the supply chain need updating

What this shows is that organizations are vulnerable to supply chain attacks and you need to do more to protect the software installed on your systems. Don’t take vendor and code review for granted.
Trust and verify the applications you install on your systems.

Kurtz offered this advice:
- Enhance threat hunting to better understand how attackers enter networks.
- Remember that every second counts in stopping attackers from completing their objectives.
- Review security processes to ensure that machine learning ability is in place to learn from events that occur in the environment.
- Enhance identity authentication as employees move to work from anywhere.

Smaller organizations will be targeted

Attackers often target smaller organizations to infiltrate a larger organization. This is part of the supply chain problem: Attackers know they can go after the low-hanging fruit to enter larger organizations through remote access tools used by consultants or monitoring software like SolarWinds. Attackers are also capable of disabling security tools, whether from CrowdStrike, FireEye, or Microsoft.

Next steps

Listen to the presentation. Think of how you currently set up your network and how you could identify if you had been targeted in a supply chain attack. Ask vendors that provide your remote access tools or other key applications how they protect their own coding process and how they review their processes. Ask yourself if you could identify whether an attacker used your own credentials, or whether you could determine if your defensive tools were disabled on your systems. Would you be alerted if suddenly Sysmon or another event logging tool was disabled? Review how you would have reacted and how you could have identified if you were targeted.
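One way to answer the "would you be alerted if Sysmon was disabled?" question is a rule run over exported Windows events. The example below is added here and is not from the article or from Microsoft; it assumes event records have been flattened into dictionaries with the constructed field names shown, and it keys on Sysmon's own Event ID 4 (service state changed) plus the Service Control Manager's 7036 (service entered a state) and 7040 (start type changed) records in the System log.

```python
"""Flag a watched logging service (Sysmon here) being stopped or disabled.
Added example; the records below are constructed to mimic flattened Windows
events as a SIEM might ingest them."""

# Constructed sample events: Sysmon reports its own state change as Event ID 4
# in Microsoft-Windows-Sysmon/Operational; the Service Control Manager writes
# 7036 (state change) and 7040 (start-type change) records to the System log.
SAMPLE_EVENTS = [
    {"host": "ws01", "channel": "Microsoft-Windows-Sysmon/Operational",
     "event_id": 4, "state": "Started"},
    {"host": "ws01", "channel": "System", "provider": "Service Control Manager",
     "event_id": 7036, "service": "Print Spooler", "state": "running"},
    {"host": "ws02", "channel": "Microsoft-Windows-Sysmon/Operational",
     "event_id": 4, "state": "Stopped"},
    {"host": "ws02", "channel": "System", "provider": "Service Control Manager",
     "event_id": 7036, "service": "Sysmon64", "state": "stopped"},
    {"host": "ws03", "channel": "System", "provider": "Service Control Manager",
     "event_id": 7040, "service": "Sysmon64",
     "old_start": "auto start", "new_start": "disabled"},
]

# Service names to watch (lower-cased). Extend with your EDR/agent service names.
WATCHED_SERVICES = {"sysmon", "sysmon64"}


def logging_tamper_alerts(events):
    """Return (host, reason) tuples for events showing a watched logging
    service was stopped or set to disabled."""
    alerts = []
    for ev in events:
        eid = ev.get("event_id")
        # Sysmon's own channel: State=Stopped in Event ID 4 is the signal.
        if (ev.get("channel", "").startswith("Microsoft-Windows-Sysmon")
                and eid == 4 and ev.get("state", "").lower() == "stopped"):
            alerts.append((ev["host"], "Sysmon reported itself stopped (Event ID 4)"))
            continue
        svc = ev.get("service", "").lower()
        if ev.get("provider") != "Service Control Manager" or svc not in WATCHED_SERVICES:
            continue
        if eid == 7036 and ev.get("state", "").lower() == "stopped":
            alerts.append((ev["host"], f"{ev['service']} entered the stopped state (7036)"))
        elif eid == 7040 and ev.get("new_start", "").lower() == "disabled":
            alerts.append((ev["host"], f"{ev['service']} start type set to disabled (7040)"))
    return alerts


if __name__ == "__main__":
    for host, reason in logging_tamper_alerts(SAMPLE_EVENTS):
        print(f"ALERT {host}: {reason}")
```

The gap this rule does not close is silence: a host that simply stops sending events needs a separate heartbeat check, since a stopped agent writes no record of its own absence.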