The world first learned of the SolarWinds supply chain attack in December 2020. By April 2021, U.S. intelligence agencies had attributed the attack to Russia's Foreign Intelligence Service, the SVR. The same agencies issued a joint advisory with the UK's National Cyber Security Centre (NCSC) citing a broader campaign by SVR actors to obtain credentials by exploiting vulnerabilities in products other than SolarWinds.
The advisory makes clear that SolarWinds was only one part of a broader campaign: an environment that never ran SolarWinds software is not out of the woods where this adversary is concerned. What's more, we should expect to learn of further initial attack vectors as the investigation unfolds.
For security organizations and incident response teams, this event has revealed an urgent need for smarter sensors—ones capable of detecting novel attacks sooner—and has renewed attention on next-generation, cyber-resilient capabilities with digital identity as a key enabler.
New types of attack now require new types of sensors
There is growing recognition that new types of sensors are needed: sensors that do not rely on event-specific indicators of compromise (IOCs) such as virus signatures, file hashes, IP addresses and domain names. Those IOCs are trailing indicators, available only after a compromise has been detected and analyzed by someone else. By the time they are in place, an attack on a vulnerable environment may already be underway.
Novel attacks like SolarWinds are more likely to avoid detection for longer. Highly sophisticated threat actors are working methodically in large teams (according to Microsoft) with access to significant resources to develop better methods for evading defenses and hiding their tracks.
Modern cyber defense tactics urge an organization to take command of detect, respond and recover. This shift requires a conscious effort to focus more on cyber-resilient capabilities, which often see less investment and tend to be less mature.
Organizations should match the level of sophistication being directed at evasion with equally savvy capabilities to detect attacks sooner. This enables them to discover the earliest indications of an attack, quickly identify the compromised assets and formulate a cohesive response from the earliest point possible.
Identity as a smarter sensor
Identity and access management (IAM) is extremely well-suited to provide the next generation of smarter sensors. Because identity has unique visibility into the data used to establish trust, it ‘owns’ many of the administrative and runtime controls for defining and enforcing access policies. These include:
- Access baselines identifying who should have access to what.
- A complete, historical accounting of how access was authorized and acquired over time.
- Authoritative identity data for authenticating known users, devices and workloads.
- Metadata for describing users and permissions that drives lifecycle automation.
- Rules that govern the right-sized allocation of access and its business-appropriate use.
Many of the controls owned by IAM are implemented at points of access, including:
- Access gateways, proxies and agents that enforce access control decisions.
- Trust controls that evaluate context and risk associated with each authentication request.
- Policy controls that evaluate context and risk associated with each authorization request.
IAM owns the controls that determine what ‘good’ access looks like throughout the environment, most importantly as it relates to critical infrastructure and privileged access. These controls include:
- Account discovery processes to detect the creation of rogue accounts or the existence of accounts that become orphaned due to lifecycle changes.
- “Drift” controls that detect and correct deviations from access baselines that may include illegitimate elevation of privileges.
- Organizational, functional, policy or role-based methods to define the appropriate assignment of access.
- Certification controls to improve ongoing business accountability related to appropriate access.
- Just-in-time access controls to mitigate risk associated with standing privileged access.
Finally, IAM provides the insight needed to answer these key questions:
- What is the last known good state of access throughout the environment?
- What are the guardrails for normal activity?
- How do we distinguish legitimate activity from illegitimate activity?
Identity threat indicators for detecting abuse of privileged access
The following table provides guidance for deriving threat indicators from existing identity intelligence that may be used to detect threats related to the abuse of privileged access.
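The controls and questions described above (account discovery, drift against the last known good baseline, just-in-time privileged access, and telling legitimate from illegitimate activity) reduce to checks that can run over identity data an organization already holds. The following Python is an added example, not code from the original article, from Accenture, or from any table in it: it derives four indicators from a constructed access baseline, a constructed directory snapshot and a constructed privileged-operation log. Every account name, group, grant window and timestamp is made up; in a real deployment the baseline would come from the identity governance system, the snapshot from the directory, and the events from a PAM gateway or domain controller.

```python
"""Derive identity threat indicators from an access baseline, a directory
snapshot and a privileged-operation log. All data below is constructed."""
from datetime import datetime

# Groups treated as privileged for drift and usage checks (assumed names).
PRIVILEGED = {"Domain Admins", "Global Administrator", "Backup Operators"}

# Constructed "last known good" baseline: identity -> HR status and authorized groups.
BASELINE = {
    "alice": {"status": "active", "groups": {"Developers"}},
    "bob":   {"status": "active", "groups": {"Developers", "Domain Admins"}},
    "carol": {"status": "terminated", "groups": {"Finance"}},
}

# Constructed current directory snapshot: what the environment actually grants now.
CURRENT = {
    "alice": {"enabled": True, "groups": {"Developers", "Domain Admins"}},  # elevated vs baseline
    "bob":   {"enabled": True, "groups": {"Developers", "Domain Admins"}},
    "carol": {"enabled": True, "groups": {"Finance"}},                      # owner terminated
    "svc-backup2": {"enabled": True, "groups": {"Backup Operators"}},       # no identity at all
}

# Constructed just-in-time grants approved by IAM: (user, group, start, end).
JIT_GRANTS = [
    ("bob", "Domain Admins", datetime(2021, 4, 20, 9, 0), datetime(2021, 4, 20, 11, 0)),
]

# Constructed privileged-operation events, e.g. from a PAM gateway or domain controller.
EVENTS = [
    {"ts": datetime(2021, 4, 20, 9, 30), "user": "bob",   "group": "Domain Admins", "action": "reset_password"},
    {"ts": datetime(2021, 4, 20, 23, 5), "user": "bob",   "group": "Domain Admins", "action": "add_member"},
    {"ts": datetime(2021, 4, 21, 2, 14), "user": "alice", "group": "Domain Admins", "action": "create_user"},
]


def rogue_accounts(baseline, current):
    """Accounts present in the directory with no corresponding identity in the baseline."""
    return sorted(set(current) - set(baseline))


def orphaned_accounts(baseline, current):
    """Enabled accounts whose owner is no longer active according to the authoritative source."""
    return sorted(u for u, acct in current.items()
                  if acct["enabled"] and baseline.get(u, {}).get("status") == "terminated")


def privilege_drift(baseline, current):
    """Entitlements held now that the baseline never authorized; privileged ones are flagged."""
    drift = {}
    for user, acct in current.items():
        extra = acct["groups"] - baseline.get(user, {}).get("groups", set())
        if extra:
            drift[user] = {"extra": sorted(extra), "privileged": bool(extra & PRIVILEGED)}
    return drift


def unapproved_privileged_use(events, grants):
    """Privileged actions with no just-in-time grant covering that actor, group and time."""
    findings = []
    for ev in events:
        if ev["group"] not in PRIVILEGED:
            continue
        covered = any(u == ev["user"] and g == ev["group"] and start <= ev["ts"] <= end
                      for u, g, start, end in grants)
        if not covered:
            findings.append((ev["user"], ev["group"], ev["action"], ev["ts"].isoformat()))
    return findings


def indicators():
    """Run every check against the constructed data and return the findings by indicator."""
    return {
        "rogue": rogue_accounts(BASELINE, CURRENT),
        "orphaned": orphaned_accounts(BASELINE, CURRENT),
        "drift": privilege_drift(BASELINE, CURRENT),
        "unapproved_privileged_use": unapproved_privileged_use(EVENTS, JIT_GRANTS),
    }


if __name__ == "__main__":
    for name, hits in indicators().items():
        print(f"{name}: {hits}")
```

On the constructed data the checks surface one rogue service account, one orphaned account whose owner has left, two accounts holding privileged groups the baseline never granted, and two privileged actions (one of them by the freshly elevated account) that fall outside any approved just-in-time window. Each of these is a leading indicator: it is produced from the organization's own access baseline rather than from an IOC published after someone else's compromise.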
The SolarWinds attack is a singular, perhaps once-in-a-generation, cyber event that reveals the monumental challenge of defending organizations against ever-evolving threats and increasingly sophisticated adversaries. It should be viewed by security teams and business leaders alike as another opportunity to elevate the discussion on cyber preparedness and resiliency and to motivate organizational action.
As members of the security community, we should continue to track the SolarWinds attack, which remains an active threat, and work together to develop and promote the next-generation IAM capabilities essential to future threat responses.
By Joshua Lee
About the author: Joshua Lee is Senior Manager, Accenture Security, Digital Identity Strategist.
This article originally appeared at https://www.accenture.com/us-en/blogs/security/growing-relevance-identity-post-solarwinds and is republished with permission.