
On the Two Year Anniversary, Another SolarWinds Scale Attack is Due

Keeping Credentials Under Lock and (Cryptographic) Key

In the now infamous SolarWinds compromise, at least 18,000 organizations, including multiple U.S. intelligence agencies and others using state-of-the-art cybersecurity tools and best practices, were silently and systematically breached.

What made SolarWinds so damning is not that these breaches occurred at such scale, but that (1) they occurred at sophisticated organizations that were already using many of the best available tools for authentication (multi-factor authentication (MFA), conditional access, credential-based authentication) and defense (endpoint detection & response (EDR), extended detection & response (XDR)); and (2) the attackers were able to sit undetected inside such networks for so long.

Two years later, we aren’t any better off against a SolarWinds-style attack, despite a Presidential Executive Order that brought the concept of “Zero Trust” into the mainstream, a myriad of corporate initiatives, and billions of dollars invested in additional cyber defenses. Current solutions, including many with promising titles like “Zero Trust Remote Access” and “passwordless MFA”, still leave companies of all sizes exposed to the same kinds of third-party vulnerabilities and compromise.

In this blog series, we’ll revisit the SolarWinds breach, identify the tactics and techniques used in the attack, and reveal the four core cybersecurity innovations that Gradient Cybersecurity Mesh uses to eliminate them. We address these in depth in our whitepaper, Securing Digital Infrastructure Against the Next SolarWinds Attack.

Part One: Cozy Bear Takes the Keys to the Castle

The Russian Foreign Intelligence Service (SVR) hackers (aka “Cozy Bear”), reported to be behind the SolarWinds hack, employed various tactics — but perhaps the most concerning among them was their successful theft of authentication credentials. Rather than brute-forcing SolarWinds’s authentication tools, the hackers simply stole privileged credentials (using SUNBURST malware) and used them to walk undetected right through the proverbial front door. (This is part of a larger theme of going around the authentication wall rather than through it: the MFA bypass attacks now gaining popularity are a less sophisticated version of the same idea, stealing credentials one at a time rather than stealing the thing that mints them.) Once inside the network, the attackers used their admin permissions to access the trusted SAML token-signing certificate. With that certificate in hand, they could sign access tokens for any application they wished, giving them unfettered access to the organization’s networks and applications for over nine months without creating a single alert (not surprising, given that every one of these illegitimate access tokens had been signed by a trusted, albeit hijacked, authority).

By way of comparison: had this been a physical breach rather than a cybersecurity one, it would have been as if Cozy Bear had printed their own set of keys, unlocked the front door, and walked right in in broad daylight – and then had free rein for months. Rather than keeping tabs on the keys themselves, our metaphorical security guard continued to look vigilantly for attempts at forced entry and saw none.
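As an added illustration (not code from the original post or from Gradient), the following Go sketch shows the kind of correlation a defender can run to notice tokens minted with a stolen signing certificate: a service provider’s log of accepted SAML assertions is checked against the identity provider’s own issuance log, the expected signing-key thumbprint, and a lifetime policy. The record formats, field names and sample values are constructed for the example; real assertions are XML-DSig documents.

```go
package main

import (
	"fmt"
	"time"
)

// Assertion is a simplified record of a SAML assertion as a service provider
// would log it on receipt (constructed for this example; real SAML is XML).
type Assertion struct {
	ID, SigKeyID               string // SigKeyID: thumbprint of the signing certificate
	IssueInstant, NotOnOrAfter time.Time
}

// Finding is one detection result: the assertion ID and why it was flagged.
type Finding struct{ AssertionID, Reason string }

// Detect flags assertions whose signature may verify but which show signs of having been
// minted outside the IdP with a stolen signing certificate: an unexpected signing key, a
// lifetime beyond policy, or no matching record in the IdP's own issuance log (idpIssued).
func Detect(assertions []Assertion, idpIssued []string, expectedKeyID string, maxLifetime time.Duration) []Finding {
	issued := make(map[string]bool, len(idpIssued))
	for _, id := range idpIssued {
		issued[id] = true
	}
	var findings []Finding
	for _, a := range assertions {
		switch {
		case a.SigKeyID != expectedKeyID:
			findings = append(findings, Finding{a.ID, "signed by unexpected key " + a.SigKeyID})
		case a.NotOnOrAfter.Sub(a.IssueInstant) > maxLifetime:
			findings = append(findings, Finding{a.ID, "validity window exceeds policy"})
		case !issued[a.ID]:
			findings = append(findings, Finding{a.ID, "no IdP issuance record for this assertion"})
		}
	}
	return findings
}

func main() {
	// Constructed sample: a legitimate assertion, and one signed with the stolen key that the IdP never issued.
	t0 := time.Date(2022, 12, 1, 9, 0, 0, 0, time.UTC)
	assertions := []Assertion{
		{ID: "_a1", SigKeyID: "AB12", IssueInstant: t0, NotOnOrAfter: t0.Add(5 * time.Minute)},
		{ID: "_zz9", SigKeyID: "AB12", IssueInstant: t0, NotOnOrAfter: t0.Add(5 * time.Minute)},
	}
	for _, f := range Detect(assertions, []string{"_a1"}, "AB12", time.Hour) {
		fmt.Printf("%s: %s\n", f.AssertionID, f.Reason)
	}
}
```

The forged assertion passes every cryptographic check, which is exactly why it raises no alert; only the absence of a matching issuance record on the IdP side gives it away.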

Today’s Tools Make Credentials an Easy Target

Though Cozy Bear’s specific methods were novel, the targeting of credentials in cyber attacks is far from it. In fact, it’s estimated that more than 60% of all data breaches today are the result of stolen credentials!

Prevailing approaches to credential verification simply don’t go far enough to ensure that: a) the credentials being used are legitimate; and b) the individuals – or machines – presenting them are who they say they are. There’s nothing about today’s credentials that uniquely and provably associates them with their intended user, device, or API. They are keys that can be turned by any hand. And there are many ways hackers can get their hands on them.

In addition to direct exfiltration, today’s credential issuance and storage mechanisms are also frequently compromised by man-in-the-middle attacks, phishing attacks, and more. Despite being the most crucial tool for conveying trust in our digital world today, credentials are too often low-hanging fruit for threat actors. 

Cybersecurity Mesh Eliminates Credential Theft as a Risk

If credentials are low-hanging fruit under today’s cybersecurity paradigm, Gradient Cybersecurity Mesh (GCM) ensures that they remain entirely out of reach for malicious actors.

Unlike the prevailing Detection & Response (D&R) solutions — whose answer to stolen credentials is to hope malicious actors give themselves away once already inside the perimeter — GCM makes it virtually impossible to steal the credentials in the first place.

Cybersecurity Innovation #1: Eliminating the threat of stolen credentials

Where available, Gradient Cybersecurity Mesh (GCM) can leverage the hardware roots of trust already present on most enterprise devices and instances — including Trusted Platform Modules (TPMs), Hardware Security Modules (HSMs), and Trusted Execution Environments (e.g. Intel SGX, AMD SEV) — to anchor cryptographic keys to platforms and make it practically impossible to steal them. If desired, GCM can be configured so that one can inspect the credential itself to see that it was issued to a particular machine, or machine+user combination, enabling secondary enforcement at the peer-to-peer level. (And critically, this can be done in a privacy-preserving way.)

Furthermore, we architected Cybersecurity Mesh to support and enable ephemeral credentials, issued for as short a period as is practical. GCM moves your infrastructure from static, long-lived cryptographic keys to short-lifetime credentials that are useless by the time a hacker gets their hands on them – and does so fully automatically, without breaking existing protocols. These ephemeral credentials have many simplifying effects, among them allowing users to make nearly anything GCM-capable, even on platforms without any kind of root of trust.
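To make the hardware-anchored, ephemeral credential idea concrete, here is an added Go example (not Gradient’s code or GCM’s actual credential format) of a credential bound to a device key and valid only for minutes: the issuer signs claims that include a hash of the device’s public key, and the verifier additionally requires a fresh proof of possession from that key. The claim layout, field names and demo values are assumptions; the device private key would normally live in a TPM or HSM and only ever sign.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Claims is a constructed, minimal credential body: the subject, a hash of the public half of
// the device key it is bound to (the private half stays in the TPM/HSM and only ever signs), and an expiry.
type Claims struct {
	Subject       string
	DeviceKeyHash [32]byte
	Expires       int64 // Unix seconds
}

// Bytes is the canonical byte string the issuer signs.
func (c Claims) Bytes() []byte { return []byte(fmt.Sprintf("%s|%x|%d", c.Subject, c.DeviceKeyHash, c.Expires)) }
// Issue mints a credential bound to devicePub, valid for ttl from now, with the issuer's signature over it.
func Issue(issuer ed25519.PrivateKey, subject string, devicePub ed25519.PublicKey, now time.Time, ttl time.Duration) (Claims, []byte) {
	c := Claims{Subject: subject, DeviceKeyHash: sha256.Sum256(devicePub), Expires: now.Add(ttl).Unix()}
	return c, ed25519.Sign(issuer, c.Bytes())
}
// Verify accepts a credential only if the issuer signature holds, it has not expired, the presenter's device
// key is the one it was bound to, and the presenter proves possession of that key by signing a fresh nonce.
func Verify(issuerPub ed25519.PublicKey, c Claims, sig []byte, now time.Time, presenterPub ed25519.PublicKey, nonce, popSig []byte) error {
	switch {
	case !ed25519.Verify(issuerPub, c.Bytes(), sig):
		return errors.New("issuer signature invalid")
	case now.Unix() >= c.Expires:
		return errors.New("credential expired")
	case sha256.Sum256(presenterPub) != c.DeviceKeyHash:
		return errors.New("credential not bound to presenter's device key")
	case !ed25519.Verify(presenterPub, nonce, popSig):
		return errors.New("proof of possession failed")
	}
	return nil
}

func main() {
	// Stand-alone demo with freshly generated keys (in practice the device key lives in a TPM/HSM).
	issPub, issPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	c, sig := Issue(issPriv, "alice@corp.example", devPub, time.Now(), 5*time.Minute)
	nonce := []byte("verifier-nonce-1")
	fmt.Println("legit:", Verify(issPub, c, sig, time.Now(), devPub, nonce, ed25519.Sign(devPriv, nonce)))
}
```

A copy of the credential taken from one device fails the binding check on any other, and even an undetected theft stops working once Expires passes, which is the property the short lifetime buys.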

Learn More About Cybersecurity Mesh

If you’re hoping to finally realize the promise of true Zero Trust, stand by for Part 2, where we introduce Gradient Cybersecurity Mesh’s second innovation: Full-Stack Attestation.

Or, jump ahead and download the complete SolarWinds whitepaper now.