A broad swath of U.S. government agencies and corporations was compromised in what is now considered one of the most sophisticated cyberattacks in history. The exploit, known as Sunburst, was exposed in December 2020 when cybersecurity experts realized that the IT management software company, SolarWinds, had been hacked.
Unlike other hacks where customer data had been lost, cybercriminals used their access to inject malware into SolarWinds software, which was sent to potentially thousands of customers via a software update.
This was a really big deal because SolarWinds’ Orion software lies at the heart of the network infrastructure of many organizations. The software is used to monitor and in some cases control network switches, routers, firewalls, and servers. This makes the administrators of the Orion software some of the most privileged users in an organization and it appears that any admin who used this server would have had his or her passwords compromised.
Many IT departments have been trying to dig out of this breach, and many business leaders are asking how this could have happened and whether it could have been prevented.
The volume and scope of the incident—and particularly the exposure of high-profile targets that were known for having great security—seemingly send a message that nothing could have been done to prevent it from being successful.
I would argue that there is more that could have been done. While there isn’t a technology by itself that can stop these kinds of attacks, what we need is more adoption of Zero Trust when it comes to technology.
The Three Tenets of Zero Trust
Could Zero Trust in and of itself prevented the attack from succeeding? Probably not. However, I am firmly convinced that broader deployment of Zero Trust could have mitigated the impact of the attack by potentially calling attention to it sooner and by limiting its spread.
The basic precept of Zero Trust is “never trust, always verify.” In practice that comes down to three main tenets:
- Secure Access, i.e., nothing and no one gets access to the network unless and until it is authenticated, authorized and verified.
- Least Privilege, i.e., granting least-privileged access based on who is requesting access, the context of the request and the risk of the access environment.
- Log Everything, i.e., all traffic must be logged and inspected at various inspection points that identify and permit traffic based on established rules. This maintains least-privileged access.
The first tenet of Zero Trust is where most of the concern around Sunburst centers. For any software you use, you expect that the software company will have gone through code reviews before putting into production. Your organization may have even done its own testing of the software before deploying it. But in the case of Sunburst, the malware waited two full weeks before executing, making it very difficult to detect.
One of the first things that happened after the malicious software was downloaded was that the malware would call out to their command-and-control servers. A command-and-control server is how the bad guys learn that their hack was successful and allows them to tell their malware what to do.
The fact that this attack method took place and was widely successful from the attackers’ perspective, highlights several areas where a Zero Trust architecture could have mitigated risk and why it must be part of every organization’s cybersecurity strategy going forward. Zero Trust isn’t any one technology. It’s more like a philosophy.
The first question a Zero Trust practitioner would have asked is whether your SolarWinds server needed any access to the internet. Indeed, many of a company’s critical applications don’t need direct internet access.
This is the second tenet of Zero Trust – least privilege – in action. Organizations should look at least privilege for job roles and functions as well as in their networks.
Sunburst also allowed cybercriminals to steal the passwords of administrators that used the server— because those passwords would have been stored on the server. In some cases, a Windows domain administrator account may have been used to access the server, and if this was the case, the entire Windows domain could have been compromised. Domain admin accounts should be strictly limited. But, if an organization uses multi-factor authentication in a Zero Trust architecture, just stealing the passwords would not have been a significant issue.
If your company does use SolarWinds software, the first questions you would have asked were whether you had been infected and how extensive the breach might have been.
This is where the third tenet of Zero Trust—log everything—comes into play.
To answer questions related to the cause and extent of potential damage—whether your internal team did an investigation or if you brought in forensic consultants to assist—the investigators would have needed logs to make a clear and accurate determination.
The cybercriminals began sending the malware in March of 2020 and weren’t discovered until December 2020. This means you would have needed network, DNS, account logins, and server logs for at least the prior year. With a Zero Trust architecture, all of that information would have been readily available.
A Game Changer?
Some people have asked, is the SolarWinds breach a game changer? It certainly was the most significant breach in history, because of the sheer breadth and scope. But the techniques the attackers used were fairly commonplace. The defenses that an organization needed to defend itself already exist and should now be considered table stakes. If Sunburst is a game changer, it will be because it meant that 2021 was the year that we all adopted Zero Trust.
George Finney is the Chief Security Officer for Southern Methodist University.