The adversary behind the SolarWinds breach went to extraordinary lengths to remain undetected in affected networks, likely spending millions of dollars and thousands of hours to pull off a supply-chain compromise this sophisticated.
While the impact of the SolarWinds incident won’t be easy for other malicious nation-state actors to replicate, given the resources that went into it, Jay Gazlay, a technical strategist at the Cybersecurity and Infrastructure Security Agency, said the adversary’s exploitation of verified credentials should be cause for alarm and give rise to tighter identity controls in the federal government.
“Our takeaway from this at CISA’s space is that identity is everything now. We can talk about our network defenses, we can talk about the importance of firewalls and network segmentation, but really, identity has become the boundary, and we need to start readdressing our infrastructures in that manner,” Gazlay told members of the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board.
Gazlay said few, if any, of the SolarWinds targets were in a position to detect a compromise this sophisticated. But those who had the best shot of spotting anomalous activity were agencies with behavior analysis techniques built into their identity management that could flag “impossible logins” — a scenario where the same set of credentials is used to log in at multiple places across the globe within a span of time no traveler could cover.
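The "impossible login" check described above, written out as an added example (not code from the article or from CISA). It assumes each login record already carries a geolocation for the source IP, as a SIEM's GeoIP enrichment would supply, and uses a 900 km/h plausibility ceiling, roughly commercial air speed; the records, IPs and threshold are all constructed for the example.

```python
"""Impossible-login (impossible-travel) detection over a constructed auth log.

Added example, not from the article or from CISA. Assumes each record is
(user, UTC timestamp, source IP, latitude, longitude); the geolocation is
something a real pipeline gets from GeoIP enrichment. All values constructed.
"""
import math
from datetime import datetime, timezone

MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly commercial air travel
EARTH_RADIUS_KM = 6371.0

# Constructed sample events: (user, timestamp, src_ip, lat, lon)
SAMPLE_LOGINS = [
    ("alice", "2021-01-10T08:00:00Z", "198.51.100.7", 38.9, -77.0),   # Washington DC
    ("alice", "2021-01-10T08:25:00Z", "203.0.113.9", 55.7, 37.6),     # Moscow, 25 min later
    ("bob",   "2021-01-10T09:00:00Z", "198.51.100.8", 38.9, -77.0),   # Washington DC
    ("bob",   "2021-01-10T17:00:00Z", "198.51.100.9", 40.7, -74.0),   # New York, 8 h later
    ("carol", "2021-01-10T10:00:00Z", "192.0.2.5", 51.5, -0.1),       # London
    ("carol", "2021-01-11T10:00:00Z", "192.0.2.6", 35.7, 139.7),      # Tokyo, 24 h later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(s):
    """Parse the constructed ISO-8601 'Z' timestamps as aware UTC datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_logins(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Compare each login with the same user's previous login and flag those
    whose implied travel speed exceeds max_speed_kmh. Returns a list of dicts."""
    last_seen = {}   # user -> (timestamp, ip, lat, lon)
    findings = []
    for user, ts, ip, lat, lon in sorted(events, key=lambda e: e[1]):
        t = parse_ts(ts)
        if user in last_seen:
            prev_t, prev_ip, prev_lat, prev_lon = last_seen[user]
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (t - prev_t).total_seconds() / 3600.0
            # Two logins at the same instant from different places: speed is unbounded.
            kmh = float("inf") if hours <= 0 and km > 0 else (km / hours if hours > 0 else 0.0)
            if kmh > max_speed_kmh:
                findings.append({
                    "user": user, "prev_ip": prev_ip, "ip": ip,
                    "km": round(km, 1), "hours": round(hours, 2), "kmh": round(kmh, 1),
                })
        last_seen[user] = (t, ip, lat, lon)
    return findings


if __name__ == "__main__":
    for f in find_impossible_logins(SAMPLE_LOGINS):
        print(f"{f['user']}: {f['prev_ip']} -> {f['ip']} "
              f"({f['km']} km in {f['hours']} h = {f['kmh']} km/h)")
```

Only alice's second login is flagged: roughly 7,800 km in 25 minutes. Bob's 330 km in eight hours and Carol's London-to-Tokyo trip over a full day both sit well under the ceiling. In production the main sources of false positives are corporate VPN and cloud-proxy egress points that place a user far from where they are, so the check is usually paired with an allowlist of known egress ranges and a second signal (new device, new user agent) before it raises an alert.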
“Not everybody is set up to see that, and if we don’t get set up to do that, we’re not going to notice these user impersonation attacks that become de rigueur for our adversaries,” he said at last week’s meeting.
It’s hardly the first time the federal government has had to rethink the strategy behind its cyber defenses in recent years. In the aftermath of the 2015 Office of Personnel Management breach, Gazlay said agencies pivoted to protecting the “crown jewels” within their network infrastructure.
But over the same period of time, adversaries have also switched tactics.
“Instead of going after these data holdings, they’re going after the identities that give them access to all the data holdings — much broader campaigns. That makes trust store and identity management compromises much more impactful, and frankly, a much higher target. As we move into a cloud infrastructure where all that matters is the expectation that you are who you say you are, to get access to cloud infrastructures, this becomes even more pernicious,” he said.
Since the 2015 OPM breach, agencies have also moved more of their assets to hosted cloud infrastructure, which raises the stakes for strengthening identity verification in government.
“If we don’t take real care with how our identity structures are monitored and managed, we’re not going to be able to go up against sophisticated threat actors,” Gazlay said.
To keep up with the scope of cyber threats, such as an increase in “password spray” attacks, Gazlay said agencies and the private-sector owners of national critical infrastructure that CISA also protects need to automate aspects of their network defenses.
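A password-spray detector of the kind that turns a pile of authentication failures into a single finding, as an added example that is not code from the article or from CISA. The log line format, the ten-minute window, the thresholds (at least five distinct accounts, no more than two failures per account from one source) and the sample lines are all constructed for the example; a real deployment would read the identity provider's sign-in logs and tune the thresholds to its own baseline.

```python
"""Password-spray detection over constructed authentication log lines.

Added example, not from the article or from CISA. A spray is many accounts,
few attempts each, from one source in a short window; a brute-force attempt
is one account, many attempts. The line format and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
WINDOW_SECONDS = 600          # assumption: ten-minute buckets
MIN_DISTINCT_USERS = 5        # assumption: spray threshold on distinct accounts
MAX_FAILS_PER_USER = 2        # assumption: "low and slow" per-account ceiling

# Constructed sample log: one spraying source, one brute-force source, one benign failure.
SAMPLE_LOG = """\
2021-01-10T08:00:01Z auth: FAILED user=alice src=203.0.113.50
2021-01-10T08:00:14Z auth: FAILED user=bob src=203.0.113.50
2021-01-10T08:00:27Z auth: FAILED user=carol src=203.0.113.50
2021-01-10T08:00:41Z auth: FAILED user=dave src=203.0.113.50
2021-01-10T08:00:55Z auth: FAILED user=erin src=203.0.113.50
2021-01-10T08:01:09Z auth: FAILED user=frank src=203.0.113.50
2021-01-10T08:02:00Z auth: OK user=carol src=198.51.100.20
2021-01-10T08:05:00Z auth: FAILED user=alice src=198.51.100.40
2021-01-10T08:05:02Z auth: FAILED user=alice src=198.51.100.40
2021-01-10T08:05:04Z auth: FAILED user=alice src=198.51.100.40
2021-01-10T08:05:06Z auth: FAILED user=alice src=198.51.100.40
2021-01-10T08:05:08Z auth: FAILED user=alice src=198.51.100.40
2021-01-10T08:05:10Z auth: FAILED user=alice src=198.51.100.40
2021-01-10T08:05:12Z auth: FAILED user=alice src=198.51.100.40
2021-01-10T08:05:14Z auth: FAILED user=alice src=198.51.100.40
2021-01-10T08:07:00Z auth: FAILED user=bob src=192.0.2.77
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_password_spray(log_text, window=WINDOW_SECONDS,
                          min_users=MIN_DISTINCT_USERS, max_per_user=MAX_FAILS_PER_USER):
    """Group failed logins by (source, time bucket) and report sources that hit
    many distinct accounts with few attempts each. Returns a list of findings."""
    fails = defaultdict(lambda: defaultdict(int))   # (src, bucket) -> user -> count
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAILED":
            continue
        bucket = int(ev["ts"].timestamp()) // window
        fails[(ev["src"], bucket)][ev["user"]] += 1

    findings = []
    for (src, bucket), per_user in sorted(fails.items()):
        if len(per_user) < min_users:
            continue                                 # too few accounts: not a spray
        if max(per_user.values()) > max_per_user:
            continue                                 # hammering one account: brute force, not spray
        findings.append({
            "src": src,
            "window_start": datetime.fromtimestamp(bucket * window, timezone.utc).isoformat(),
            "distinct_users": len(per_user),
            "total_failures": sum(per_user.values()),
            "users": sorted(per_user),
        })
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_LOG):
        print(f"spray from {f['src']} at {f['window_start']}: "
              f"{f['distinct_users']} accounts, {f['total_failures']} failures")
```

Only 203.0.113.50 is reported: six accounts, one failure each, inside one window. The source that fails eight times against alice is excluded by the per-account ceiling, and the single failure from 192.0.2.77 never reaches the distinct-account threshold. The per-source grouping is the weak point of this simple form: a shared NAT or VPN egress can legitimately show many accounts failing, so the source threshold has to be tuned against a baseline, and a spray spread across many source addresses needs the complementary view, one failure per account across many sources, which aggregates by account rather than by source.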
“Asking people to sort through individual [indicators of compromise] is a really hard ask. Providing somebody with a tool where they can one-click it is probably more reasonable, particularly as we look to protect critical infrastructure, which is definitely not sophisticated in the same way that some of the large federal enterprises are,” Gazlay said.
To guard against these threats, Gazlay said vendors should more widely adopt programs like NIST’s National Checklist Repository, which contains security configuration information for specific IT products.
“If I want to know how to secure a product, I call the product security team. The answers you get are crisper and cleaner than any external party. So that’s why we would hope that in the future, we can get to a point where the vendors are releasing some configuration guidance in a normalized format that is machine-readable and answerable so that people can make educated risk decisions at scale across distributed and federated infrastructures,” Gazlay said.