Why visibility into Crypto Infrastructure could have mitigated the SolarWinds based compromises

Co-authored by Daniel Thanos, President and Consulting CISO at PSYI Group & Board Advisor to InfoSec Global

We want to acknowledge and thank FireEye for how it has handled its breach and quickly shared all its threat intel and know how to help the community address this historically wide impacting breach. We also want to thank the many tireless security professionals that right now are diligently working to keep the systems we all depend on safe while further sharing what they discover along the way for everyone’s benefit. This posting is our small part in helping in the broader conversations and actions that need to happen as we all strive to increase our cyber resilience.

The recent SolarWinds compromises highlight the importance of visibility into crypto infrastructure. This class of breach is not new, but this one will be among the widest-impacting recorded in recent history. One key element of the attacks appears to be insufficiently managed and monitored crypto operations: they enabled the creation of malicious credentials that opened a door for attackers and went uninspected simply because those credentials were on the “trusted list”. The lack of crypto infrastructure visibility and control creates serious cyber risk in vendor and enterprise organizations and substantially increases the burden on system defenders. That is why this weakness is so favoured by threat actors in the many attacks that have targeted digital supply chains and planted back doors in enterprise systems. What happened in these attacks, how can we address them, and what are the best solutions to mitigate attacks of this kind in the future?

What happened with the attacks?

The SolarWinds attacks were multi-stage and appear to have leveraged signing infrastructure and keys to create the ultimate back door into enterprises and into the exploited vendor. This resulted from a lack of crypto configuration and lifecycle management, which enabled privilege escalation and the ability to move throughout victim networks unhindered until threat actor objectives were met and data was exfiltrated. Proper use of roots of trust and code signing, with authenticated build processes and supporting security monitoring, would likely have disrupted this attack against the SolarWinds vendor. The U.S. Department of Homeland Security (DHS) has provided guidance that treats all systems managed by SolarWinds as compromised.

However, getting through all of the steps in that guidance takes a large amount of effort for enterprises and government organizations, a significant drain on already limited security incident response resources that still have other threats to defend against and can rarely afford to handle such large-impact events. Keeping US government and business running will likely not permit a very deep implementation of these guidelines for many organizations; the activities involved will have to be time-boxed. Even in the absence of another compromising attack of this scope, it could be years before the US government and many enterprises have fully resolved the fallout from this compromise. So the lesson here is preventive defense for enterprise crypto infrastructure and trusted, controlled build and deployment processes for software vendors. These are the single most important investments that can be made to block these high-impact attacks on our digital supply chains.

It all starts with crypto visibility

It is clear that the impact of the SolarWinds attacks was detrimental to major US government organizations. This malicious use of crypto is not unusual and has become a common method of attack for adversaries (e.g. various APT-type attacks, supply chain attacks, and ransomware attacks). Yet, with visibility into an organization’s crypto, these attacks can be detected earlier, responded to, and contained before the damage is done. Knowing what certificates, keys, and crypto providers exist at all points in an enterprise, as well as controlling and monitoring their use, will now be more important than ever.

A lack of visibility and automation of crypto infrastructure is a serious issue and severely impacts an organization’s cyber defense and levels of trust it can achieve with its customers and partners. Securely managing this process is called cryptographic lifecycle management—starting with understanding what is in your core systems, followed by detecting hidden vulnerabilities, and ultimately protecting your organization from future threats.

Enterprises and vendors: how can you protect your organization and mitigate future threats?

Crypto control and visibility are now a first-order use case for threat protection and fundamental to any security monitoring program. Although enterprises and vendors have different focal points, the takeaways are the same.

Enterprises and vendors should start by hardening and monitoring their crypto systems, with a focus on signing operations, certificates, key access, and algorithm usage. Typically, the majority of enterprises do not include crypto as part of their cyber resilience efforts.

Vendors should implement code signing, secure and trusted software deployment, and establish roots of trust. Vendors must implement strong and authenticated build processes that are centrally controlled, automated (with no manual backdoors), and monitored for insider threats and anomalous behaviours.
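The build-side controls described above can be reduced to a small central signing service plus a consumer-side verification step. The following Go program is an added example written for this post; it is not code from SolarWinds, FireEye, InfoSec Global or any product. It assumes a hypothetical allow-list of authenticated build identities (the name `ci-release-pipeline` is invented), keeps the Ed25519 release key in memory where a real service would use an HSM, and records every signing attempt, approved or refused, in an audit trail that a SOC could alert on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// SignRequest is what a build pipeline submits to the central signing service.
// Requester is the identity the service has already authenticated (assumed to be
// a pipeline service account); BuildID ties the signature back to an auditable build.
type SignRequest struct {
	Requester string
	BuildID   string
	Artifact  []byte
}

// AuditRecord is emitted for every signing attempt so monitoring can flag
// unknown requesters, manual "one-off" signing, or unusual volumes.
type AuditRecord struct {
	When      time.Time
	Requester string
	BuildID   string
	Digest    string // SHA-256 of the artifact that was (or was not) signed
	KeyID     string
	Approved  bool
	Reason    string
}

// SigningService holds the release key and the allow-list of build identities.
// Assumption for this example: the key lives in process memory, not an HSM.
type SigningService struct {
	priv    ed25519.PrivateKey
	keyID   string
	allowed map[string]bool
	Audit   []AuditRecord
}

// ErrNotAuthorised is returned (and audited) when a requester is not on the allow-list.
var ErrNotAuthorised = errors.New("signing refused: requester is not an approved build identity")

func NewSigningService(allowedRequesters ...string) (*SigningService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s := &SigningService{priv: priv, keyID: KeyID(pub), allowed: map[string]bool{}}
	for _, r := range allowedRequesters {
		s.allowed[r] = true
	}
	return s, nil
}

// KeyID derives a short, stable identifier from the public key for audit correlation.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

func (s *SigningService) PublicKey() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// Sign signs the artifact's SHA-256 digest only for approved build identities.
// Refusals are audited as well, because they are the interesting signal.
func (s *SigningService) Sign(req SignRequest) ([]byte, error) {
	digest := sha256.Sum256(req.Artifact)
	rec := AuditRecord{When: time.Now().UTC(), Requester: req.Requester, BuildID: req.BuildID,
		Digest: hex.EncodeToString(digest[:]), KeyID: s.keyID}
	if !s.allowed[req.Requester] {
		rec.Reason = ErrNotAuthorised.Error()
		s.Audit = append(s.Audit, rec)
		return nil, ErrNotAuthorised
	}
	rec.Approved = true
	s.Audit = append(s.Audit, rec)
	return ed25519.Sign(s.priv, digest[:]), nil
}

// VerifyArtifact is the consumer-side check: the installer pins the vendor's public
// key and refuses any artifact whose signature does not verify against it.
func VerifyArtifact(pinned ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pinned, digest[:], sig)
}

func main() {
	svc, err := NewSigningService("ci-release-pipeline")
	if err != nil {
		panic(err)
	}
	art := []byte("constructed release artifact v1.0.0") // constructed sample input
	sig, _ := svc.Sign(SignRequest{Requester: "ci-release-pipeline", BuildID: "build-42", Artifact: art})
	fmt.Println("pipeline-signed artifact verifies:", VerifyArtifact(svc.PublicKey(), art, sig))
	_, err = svc.Sign(SignRequest{Requester: "developer-laptop", BuildID: "manual", Artifact: art})
	fmt.Println("manual signing attempt:", err)
	fmt.Printf("%d audit records written\n", len(svc.Audit))
}
```

The point of the allow-list is that there is no manual path to the release key: a request that does not come from the authenticated pipeline identity is refused and leaves an audit record, which is exactly the kind of event the monitoring the post calls for should raise.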

Here are some immediate actions to protect your organization from future threats:

1) Deploy the necessary visibility tools to scan/monitor network servers and hosts to detect malicious or unexpected crypto usage, poorly configured crypto infrastructure, keys/certificates, and their associated operations

2) Monitor and control certificate issuance and signing

3) Automate and manage the processes necessary to accomplish the above with cryptographic lifecycle management solutions
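As an added illustration of what the first of these actions produces in practice, the Go program below is an example written for this post, not code from InfoSec Global or any scanning product. It takes a PEM bundle of certificates such as a host scan would collect, parses each one, and reports the hygiene findings a lifecycle-management pass would act on: weak signature algorithms, undersized RSA keys, expired or soon-expiring certificates, and self-signed CAs that need to be confirmed as approved trust anchors. Because there is no real infrastructure to scan, the sample bundle is constructed in code under a throw-away CA; the hostnames in it are invented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one risk observation about a certificate seen during the scan.
type Finding struct{ Subject, Issue string }

// AssessCertificate runs the hygiene checks an inventory pass applies to one
// certificate: signature algorithm, key size, validity window and trust-anchor status.
func AssessCertificate(cert *x509.Certificate, now time.Time) []Finding {
	var out []Finding
	add := func(issue string) { out = append(out, Finding{cert.Subject.CommonName, issue}) }
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		add("weak signature algorithm " + cert.SignatureAlgorithm.String())
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		add(fmt.Sprintf("RSA key too small (%d bits)", pub.N.BitLen()))
	}
	if now.After(cert.NotAfter) {
		add("expired " + cert.NotAfter.UTC().Format(time.RFC3339))
	} else if cert.NotAfter.Sub(now) < 30*24*time.Hour {
		add("expires within 30 days")
	}
	if cert.IsCA && cert.Subject.String() == cert.Issuer.String() {
		add("self-signed CA: confirm it is an approved trust anchor")
	}
	return out
}

// ScanPEM walks every CERTIFICATE block in a PEM bundle (as collected from hosts,
// keystores or config directories) and returns the combined findings.
func ScanPEM(bundle []byte, now time.Time) []Finding {
	var findings []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			findings = append(findings, Finding{"<unparseable>", err.Error()})
			continue
		}
		findings = append(findings, AssessCertificate(cert, now)...)
	}
	return findings
}

// SampleBundle builds a constructed inventory of four certificates under a
// throw-away CA (not real infrastructure) so the scan can run offline.
func SampleBundle(now time.Time) ([]byte, error) {
	day := 24 * time.Hour
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	okKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	weakKey, err := rsa.GenerateKey(rand.Reader, 1024) // deliberately undersized
	if err != nil {
		return nil, err
	}
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore: now.Add(-day), NotAfter: now.Add(3650 * day),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := func(serial int64, cn string, notAfter time.Time) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-730 * day), NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature}
	}
	entries := []struct {
		tmpl *x509.Certificate
		pub  any
	}{
		{ca, &caKey.PublicKey},                                                          // root of trust
		{leaf(2, "build-signer.example.internal", now.Add(10*day)), &weakKey.PublicKey}, // weak key, near expiry
		{leaf(3, "old-agent.example.internal", now.Add(-365*day)), &okKey.PublicKey},    // expired
		{leaf(4, "monitor.example.internal", now.Add(365*day)), &okKey.PublicKey},       // healthy
	}
	var bundle []byte
	for _, e := range entries {
		der, err := x509.CreateCertificate(rand.Reader, e.tmpl, ca, e.pub, caKey)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return bundle, nil
}

func main() {
	now := time.Now()
	bundle, err := SampleBundle(now)
	if err != nil {
		panic(err)
	}
	for _, f := range ScanPEM(bundle, now) { // prints one line per finding
		fmt.Printf("%-32s %s\n", f.Subject, f.Issue)
	}
}
```

Run against the constructed bundle, the scan flags the root as a self-signed trust anchor to confirm, the build-signing certificate for both its 1024-bit RSA key and its imminent expiry, and the old agent certificate as expired, while the healthy certificate produces nothing. A real deployment would feed the same checks with bundles harvested from each host and track the results over time, which is the inventory the following step automates.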

Cryptographic lifecycle management must provide visibility into your infrastructure. Once you know where and how cryptography is deployed, used, and configured, you can proactively take action against these threats. InfoSec Global is ready to answer any questions you might have as you start your cryptographic lifecycle management journey. Contact us at info@infosecglobal.com.

References:

The Register, 14/12/2020: https://www.theregister.com/2020/12/14/solarwinds_fireeye_cozybear_us_government/

Vulnerability found (HanseSecure): https://hansesecure.de/2020/06/vulnerability-in-monitoring-software/?lang=en

DHS Guidance to US Agencies, 14/12/2020: https://cyber.dhs.gov/ed/21-01

Microsoft Security Response Center customer guidance, 13/12/2020: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

MS Kerberoasting mitigation: https://techcommunity.microsoft.com/t5/microsoft-security-and/detecting-ldap-based-kerberoasting-with-azure-atp/ba-p/462448

Dr. Vladimir Soukharev, Principal Cryptographic Technologist at InfoSec Global
December 17, 2020