The details of the SolarWinds Orion breach continue to unfold, with the impact of this supply chain attack rippling throughout the tech community and across the more than 18,000 public and private sector organizations directly affected worldwide. It could be several months until the extent of the damage is fully understood. But today, we can examine what has been reported about the Tactics, Techniques and Procedures (TTPs) used, map out common attack patterns and identify steps organizations can take to mitigate associated risks and lessen further damage.
The Privileged Pathway Most Traveled
The SolarWinds Orion compromise and subsequent attack of customers using this software is unprecedented in its sophistication, scope and scale. However, what it does have in common with other attacks is that the compromise of identities and privileged access played a critical role.
Today’s cyber adversaries have the advanced tools and resources to infiltrate even the most sophisticated IT environments, whether through phishing attacks, software vulnerabilities, supply chain compromise or other means. Once they establish a foothold, they often follow these well-established steps in the attack chain:
- Attempt to steal and abuse the identities and credentials of employees or authorized third parties.
- Use these legitimate credentials to move laterally and vertically through the network, looking for high-value targets or to establish persistence. Because attackers appear to be “authorized” users, organizations have a hard time detecting their presence.
- Target privileged account credentials that provide special access to systems or abilities that reach beyond those of a typical user – and work to escalate these privileges until they reach the confidential information they intend to steal or services they wish to disrupt.
The SolarWinds breach and the resulting attacks exhibit all three of these tried-and-true tactics. With dramatic cloud migrations underway, and the adoption of transformative digital technologies, the enterprise attack surface is expanding with greater privileged access present across these decentralized environments. Attackers know this, which is why securing privileged access matters more today than ever before.
This attack underscores the urgency for every organization, regardless of industry or size, to adopt an “assume breach” mindset. By approaching cybersecurity as if an attacker is already inside their infrastructure, organizations can narrow their focus and take the necessary steps to protect their most sensitive data and applications to prevent data theft or business disruption.
Protecting Your Environment from Advanced Attacks
While there is no one vendor or tool that can completely prevent such breaches from happening, there are immediate steps that organizations can take to help minimize their exposure to this SolarWinds breach, including:
- Deploy a Privileged Access Management (PAM) solution or validate existing PAM deployments
- Rotate credentials on a regular cadence
- Restrict access to Tier 0 assets from a specific, hardened control point
- Isolate sessions when privileged credentials are used
- Detect backdoor account creation
- Deploy “least privilege” measures to endpoints and workstations (including those used to administer the PAM solution)
- Monitor for managed credential use outside the PAM solution
- Establish normal behavior patterns of existing users and elevate to stronger authentication when anomalies are detected
- Enable risk-aware, adaptive Multi-Factor Authentication (MFA) whenever possible
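Two of the controls above, “detect backdoor account creation” and “monitor for managed credential use outside the PAM solution”, come down to correlating authentication and account-management events against an inventory of vaulted accounts and PAM proxy hosts. The following is an added illustration, not CyberArk's code or any product's API; the account names, hostnames and the key=value log format are constructed assumptions.

```python
# Added example (not CyberArk's or SolarWinds' code): two detections from the
# control list, run over constructed log lines. Account names, hostnames and
# the log format below are assumptions for illustration only.
import re
from collections import namedtuple

# Assumed inventory: accounts whose credentials are vaulted by the PAM solution,
# the proxy host(s) that broker isolated privileged sessions, and the identities
# approved to create accounts.
PAM_MANAGED_ACCOUNTS = {"svc_orion", "da_backup"}
PAM_PROXY_HOSTS = {"psm01.corp.example"}
APPROVED_ACCOUNT_CREATORS = {"da_backup"}

Finding = namedtuple("Finding", "rule time subject detail")

# Constructed log format: "<time> <kind> key=value ..." (kind: logon | account_created)
_LINE = re.compile(r"^(?P<time>\S+)\s+(?P<kind>\w+)\s+(?P<fields>.*)$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it is malformed."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"time": m.group("time"), "kind": m.group("kind"), **fields}

def detect(lines):
    """Flag managed credentials used from anywhere but the PAM proxy, and
    account creation performed by an identity outside the approved set."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "logon" and ev.get("user") in PAM_MANAGED_ACCOUNTS \
                and ev.get("src") not in PAM_PROXY_HOSTS:
            findings.append(Finding("managed_cred_outside_pam", ev["time"], ev["user"], ev.get("src", "?")))
        elif ev["kind"] == "account_created" and ev.get("by") not in APPROVED_ACCOUNT_CREATORS:
            findings.append(Finding("unapproved_account_creation", ev["time"], ev.get("by", "?"), ev.get("user", "?")))
    return findings

SAMPLE_LOG = [  # constructed sample events
    "2020-12-14T03:12:09Z logon user=svc_orion src=psm01.corp.example",
    "2020-12-14T03:15:41Z logon user=svc_orion src=ws-finance-07.corp.example",
    "2020-12-14T03:16:02Z logon user=jdoe src=ws-finance-07.corp.example",
    "2020-12-14T03:20:55Z account_created user=backup_adm by=svc_orion host=dc01.corp.example",
    "2020-12-14T09:00:00Z account_created user=new_hire by=da_backup host=dc01.corp.example",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

In a real deployment the inventories would be pulled from the vault and directory rather than hard-coded, and a hit on either rule is a trigger for the stronger authentication or session isolation steps above.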
How CyberArk Can Help
As the leader in Privileged Access Management (PAM), CyberArk is here to help organizations that have been affected by the SolarWinds attack. We’ve activated our community of CyberArk experts and professional services team to provide a PAM Rapid Risk Assessment and Remediation offer.
This offer starts with a privileged access assessment (including recommendations) at no cost to customers who were running the compromised Orion software in their environment. Should additional steps be needed, CyberArk and our certified partners can assist customers in prioritizing PAM controls such as credential management, multi-factor authentication, session isolation and least privilege on endpoints and servers for rapid risk reduction. Such measures will be based on findings from the customer’s incident response team and in alignment with the CyberArk Blueprint for PAM Success.
CyberArk stands by the organizations that have been impacted by the SolarWinds attack and we remain steadfast in our mission and commitment to help organizations secure their most valuable assets and stay one step ahead of attackers.