Big lesson from SolarWinds attack: Rethink identity security


Among the many lessons from the unprecedented SolarWinds cyber attack, there's one that most companies still haven't quite grasped: Identity infrastructure itself is a prime target for hackers.

That's according to Gartner's Peter Firstbrook, who shared his view on the biggest lessons learned about the SolarWinds Orion breach at the research firm's Security & Risk Management Summit — Americas virtual conference this week.

The SolarWinds attack—which is nearing the one-year anniversary of its disclosure—has served as a wakeup call for the industry due to its scope, sophistication, and method of delivery. The attackers compromised the software supply chain by inserting malicious code into the SolarWinds Orion network monitoring application, which was then distributed as an update to an estimated 18,000 customers.

The breach went long undetected. The attackers, who have been linked to Russian intelligence by U.S. authorities, are believed to have had access for nine months to "some of the most sophisticated networks in the world," including cybersecurity firm FireEye, Microsoft, and the U.S. Treasury Department, said Firstbrook, a research vice president and analyst at Gartner. Other impacted federal agencies included the Departments of Defense, State, Commerce, and Homeland Security.

Firstbrook spoke about the SolarWinds attack, first disclosed on Dec. 13, 2020, by FireEye, during two talks at the Gartner summit this week. The identity security implications of the attack should be top of mind for businesses, he said during the sessions, which included a Q&A session with reporters.

Focus on identity

When asked by VentureBeat about his biggest takeaway from the SolarWinds attack, Firstbrook said the incident demonstrated that "the identity infrastructure is a target."

"People need to recognize that, and they don't," he said. "That's my biggest message to people: You've spent a lot of money on identity, but it's mostly how to let the good guys in. You've really got to spend some money on understanding when that identity infrastructure is compromised, and maintaining that infrastructure."

Firstbrook pointed to one example where the SolarWinds hackers were able to bypass multi-factor authentication (MFA), which is often cited as one of the most reliable ways to prevent an account takeover. The hackers did so by stealing a web cookie, he said. This was possible because out-of-date technology was being used and classified as MFA, according to Firstbrook.

"You've got to maintain that [identity] infrastructure. You've got to know when it's been compromised, and when somebody has already got your credentials, or is stealing your tokens and presenting them as real," he said.

Digital identity management is notoriously difficult for enterprises, with many suffering from identity sprawl—including human, machine, and application identities (such as in robotic process automation). A recent study commissioned by identity security vendor One Identity found that nearly all organizations—95%—report challenges in digital identity management.

The SolarWinds attackers took advantage of this vulnerability around identity management. During a session with the full Gartner conference on Thursday, Firstbrook said that the attackers were really "primarily focused on attacking the identity infrastructure" during the SolarWinds campaign.

Other techniques that were deployed by the attackers included theft of passwords that enabled them to elevate their privileges (known as kerberoasting); theft of SAML certificates to enable identity authentication by cloud services; and creation of new accounts on the Active Directory server, according to Firstbrook.

Moving laterally

Thanks to these successes, the hackers were at one point able to use their presence in the Active Directory environment to jump from the on-premises environment where the SolarWinds server was installed into the Microsoft Azure cloud, he said.

"Identities are the connective tissue that attackers are using to move laterally and to jump from one domain to another domain," Firstbrook said.

Identity and access management systems are "clearly a rich target opportunity for attackers," he said.

Microsoft recently published details on another attack that's believed to have stemmed from the same Russia-linked attack group, Nobelium, which involved an implant for Active Directory servers, Firstbrook said.

"They were using that implant to infiltrate the Active Directory environment—to create new accounts, to steal tokens, and to be able to move laterally with impunity—because they were an authenticated user within the environment," he said.

Tom Burt, a corporate vice president at Microsoft, said in a late October blog post that a "wave of Nobelium activities this summer" included attacks on 609 customers. There were nearly 23,000 attacks on those customers between July 1 and Oct. 19, "with a success rate in the low single digits," Burt said in the post.

Monitoring identity infrastructure

A common question in the wake of the SolarWinds breach, Firstbrook said, is how do you prevent a supply chain attack from impacting your company?

"The reality is, you can't," he said.

While companies should perform their due diligence about what software to use, of course, the chances of spotting a malicious implant in another vendor's software are "extremely low," Firstbrook said.

What companies can do is be prepared to respond in the event that that occurs, and a central part of that is closely monitoring identity infrastructure, he said.

"You want to monitor your identity infrastructure for known attack techniques—and start to think more about your identity infrastructure as being your perimeter," Firstbrook said.
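Firstbrook's closing advice, monitoring identity infrastructure for known attack techniques, can be made concrete. The Python sweep below is an added example, not code from the article or from Gartner; it runs over a constructed sample of Windows Security events and flags two of the techniques named above, kerberoasting and new Active Directory account creation. The event IDs (4769, 4720) and the RC4 encryption type 0x17 are real Windows Security log values, while the accounts, hosts and timestamps are invented.

```python
"""Constructed detection sweep over Windows Security events for two of the
identity techniques above: kerberoasting (bursts of Kerberos service-ticket
requests with the weak RC4 cipher, event 4769, encryption type 0x17) and new
accounts created directly in Active Directory (event 4720)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log in JSON-lines form; not from any real environment.
SAMPLE_LOG = """\
{"time":"2021-11-18T09:00:01","id":4769,"user":"svc-backup","service":"MSSQLSvc/db01","enc":"0x12","src":"10.0.0.5"}
{"time":"2021-11-18T09:00:02","id":4769,"user":"jdoe","service":"MSSQLSvc/db01","enc":"0x17","src":"10.0.0.77"}
{"time":"2021-11-18T09:00:03","id":4769,"user":"jdoe","service":"HTTP/web01","enc":"0x17","src":"10.0.0.77"}
{"time":"2021-11-18T09:00:04","id":4769,"user":"jdoe","service":"CIFS/file01","enc":"0x17","src":"10.0.0.77"}
{"time":"2021-11-18T09:00:05","id":4769,"user":"jdoe","service":"ldap/dc01","enc":"0x17","src":"10.0.0.77"}
{"time":"2021-11-18T09:05:00","id":4720,"user":"jdoe","target":"helpdesk-tmp","src":"10.0.0.77"}
{"time":"2021-11-18T10:00:00","id":4769,"user":"asmith","service":"HTTP/web01","enc":"0x12","src":"10.0.0.12"}
"""
RC4_ETYPE = "0x17"  # RC4-HMAC; AES-protected tickets show 0x11 / 0x12

def parse(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def find_kerberoasting(events, threshold=3, window=timedelta(minutes=5)):
    """Flag accounts that request >= threshold distinct RC4 service tickets
    inside `window`. One RC4 ticket is normal for a legacy service; a burst
    across many SPNs from one account is the roasting pattern."""
    per_user = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e.get("enc") == RC4_ETYPE:
            per_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                alerts[user] = sorted(spns)
                break
    return alerts

def find_new_accounts(events):
    """Every 4720 deserves review: account creation on a domain controller
    should be rare and should map to an approved change request."""
    return [(e["user"], e["target"]) for e in events if e["id"] == 4720]

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("kerberoasting:", find_kerberoasting(evs))
    print("new accounts:", find_new_accounts(evs))
```

In production the same two rules run against the domain controllers' forwarded Security logs, with the RC4 burst threshold tuned to the environment's baseline.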
