SolarWinds & Related Global Cyber Attacks
The Case for Decentralization & Passwordless Identity
The mega cyberattacks that were first disclosed by FireEye & then subsequently by SolarWinds continue to unfold as we write this blog. We are learning more by every passing day & the full damage from these attacks may take time to be assessed. There are concerns that platforms of other IT vendors were also used to launch these attacks, other than SolarWinds. We can broadly conclude that the attack surface looks much bigger than the connected world was prepared for & the threat of supply chain attacks has constantly been underestimated despite past episodes
While the debate on the attack vectors continues, there is growing evidence that good Identity & Access Management (IAM) would have helped prevented the attacks, at least in minimizing the scale of attacks. The hackers were able to use legit credentials, legit certificates & forge auth tokens to gain unfettered access. The attackers were also able to successfully spoof IP addresses. With the help of legit identity tools, the attackers successfully evaded some of the best detection & AV tools in the industry. The attacks caused the industry to recognize the need to focus more on strong IAM & also adopt zero trust policies. We believe IAM is the best first & last line of defence, which organizations need to focus more on.
We believe there is a need to relook at the IAM practices though in light of the current attacks. We believe there are serious gaps in the current IAM techniques that can eventually lead to the rapid spread of the malware in these attacks.
- Shared credentials like passwords & secret keys were compromised, causing rapid lateral movement of attackers. The following analysis by Volexity highlights that SolarWinds hackers used compromised passwords & then used those credentials to steal secret keys that were used to bypass MFA. https://arstechnica.com/information-technology/2020/12/solarwinds-hackers-have-a-clever-way-to-bypass-multi-factor-authentication/
- We have been unequivocal in our assertion that passwords need to be eliminated.Passwords carry so much risk. With passwords, an enterprise needs to be worried not just about its own security, but also whether its supply chain is secure
- The Volexity analysis also indicates that MFA protection may not work if passwords are compromised. The hackers were able to use the stolen secret keys to bypass MFA. A combination of password theft & MFA bypass can lead to total compromise as we have seen in these incidents. The modus operandi also confirms our fears about how secrets are managed currently – secret keys that are vital for many MFA & SSO implementations. There are so many ways implementation of secrets at servers can go wrong. The below analysis by Liam Keegan offers excellent perspective on why getting secret key management is extremely important. https://liamkeegan.medium.com/securing-cisco-duo-secret-keys-is-really-really-important-really-4e624e7811ff
- Why not eliminate the password & secret risks by decentralizing? We have long arguing about going passwordless. True passwordless is all about eliminating shared credentials by decentralizing credential generation, rotation & recovery. Eliminating passwords reduces threat levels in a multiple of ways. Compromised servers do not reveal any credentials which hackers can used to do mass account takeovers.
- It is not just credentials that need to be decentralized, but also secret keys that are used to generate MFA & SSO tokens. The scope for errors in handling these secrets by developers & admins is significant – even one mistake can lead to attacks throughout the supply chain as demonstrated in the current attacks. The following link has good details about NSA & CISA advisories which predominantly focus on identity & token risks. https://krebsonsecurity.com/2020/12/vmware-flaw-a-vector-in-solarwinds-breach/
- At Ensurity, we are fascinated by what decentralization can offer to security, particularly when it comes to identity & secrets. Our software passwordless platform XSense is well complimented by the biometric passwordless solution ThinC-Auth. Salient features of the solutions:
- There are no credentials or secrets, either at the application or at the XSense server that can be stolen to takeover admin or user accounts.
- No credentials or secrets are shared in full between the user app & servers, so there is no transmission security risk
- There is nothing to be phished at the server. All identities are decentralized & managed at the user end. Even in an unlikely case of a user or admin being compromised, only that user is compromised, not others
- Since there are no passwords, password spraying, or password stuffing attacks are not possible.
- Mutual authentication is built-in, hence spoofing attacks are not possible.
- Seamless multi-party authentication reduces risks associated with single admin account takeovers.
- Post-quantum security
- Better compliance with GDPR/CCPA as no user credentials or secrets are stored.
Sample use case: XSense passwordless login to O365 https://youtu.be/S49uvX1PKRg
Security practices have long ignored the power of decentralization. Decentralized identities & data make hackenomics infeasible for hackers. When it comes to minimizing the need to trust needed in vendors (& even internal implementations), we may need to beyond data for decentralization. A couple of additional thoughts here:
- How do we ensure code provenance even when legit signatures were used to sign? Blockchain based code provenance solutions could help supply chain risks meaningfully.
- Where secrets still need to be managed centrally, could we find a way of splitting the secrets such that secrets are not fully centralized? We think a secret management solution that is more decentralized & integrated to identity solution like XSense will minimize the threat levels significantly.
Defensive approaches to security need to evolve rapidly to face the advanced threats. Industry needs a multi-faceted approach to defend & scope for collaboration is immense. At Ensurity, we believe collaboration with clients is very important to get security better. Would like to discuss more about XSense, decentralized security or other topics? We will be keen to listen to you at firstname.lastname@example.org.