The cybersecurity industry was deeply shaken by the Solorigate attack, the impact of which is still being felt in the cybersecurity space.  Several companies have already started addressing this challenge with their product suites. This particular attack will have a ripple effect in the upcoming quarters and highly influence the service industry market; especially the identity and access management (IAM) service industry. In this blog, we have analyzed this attack and presented some tips on preventing or containing the impact using IAM tool set.

Attack over SolarWinds vulnerability (Solorigate / Sunburst / Sophisticated Golden SAML attack)

Source of the attack: Trojan code in Orion Software (network monitoring tool) from SolarWinds

Attack vector: Active directory, thereby anything on premise network and can extend to services in the cloud or the software supply chain

Impact: As per New York Times, 250 organizations may have been impacted with this vulnerability

Attack description: With a Trojan inserted in one of the patches on Orion software in the month of March 2020, hackers could get hold of the domain controller, ADFS (a critical asset of an enterprise) and could compromise the SAML signing certificate. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. Further, they can exploit the whole network (both on-premise and cloud).

How it came into the limelight: FireEye, a cybersecurity company, brought this to attention when one of its users was called for Multi-factor Authentication (MFA) registration during a hacker attempt of lateral movement.

How can such an attack be mitigated with an IAM toolset

1. MFA and password-less solutions: In this case, by bringing this attack to the limelight, MFA has played the vital role of preventive control. Hence, enterprises should enforce MFA for all types of users (both internal and external) while accessing any critical servers/services. The service should be rendered without affecting user experience.
2. PAM Transformation (PAM 3.0): Extend PAM protection to all critical assets which include active directories, ADFS, network devices, storage devices, and thick client applications. In addition, solutions like Microsoft Defender for Antivirus in combination with a PAM solution like CyberArk suite of products (Core PAS+ EPM solution) can restrict the execution of malicious code on endpoints / critical servers.
3. Predictive identity governance (IAG 3.0): Access / authentication requests and events have to be monitored by leveraging machine learning and deep learning algorithms, and access has to be provisioned or de-provisioned according to the risk of those access events. Security teams must also ensure that just-in-time and just enough privileges provisioning is enforced.
4. Adaptive (Risk) based authentication in enterprise and consumer IAM: Generate risk on the basis of users' behavior (Geo-location, geo velocity, IP range) while they access resources (which includes an application, data and infrastructure) and search for any logins to service providers using SAML SSO, which do not have corresponding 4769, 1200 and 1202 events in the domain, so that corresponding risk can be increased, while access can be restricted/denied/validated with MFA.

Since identity is the new perimeter, proper implementation of IAM tool set plays a vital role in preventing / eliminating cyber-attacks of an enterprise. Enterprise must focus on implementing the solution by following the security standards, frameworks offered by industry bodies such as NIST (National Institute of Standards and Technology), CSA (Cloud Security Alliance), NCSA (National Cyber Security Alliance), ISACA (Information Systems Audit and Control Association), Information Systems Security Certification Consortium, Inc., (ISC) etc. We (Wipro) as recognized by leading research and analyst firms such as Gartner, Forrester, IDC, Everest Group, HFS Research, ISG, NelsonHall, are here to partner with you in establishing preventive and Detective cyber security controls by following the security standards, Zero Trust Strategy, Security by Design principles and Defense in Depth Practices.