Stopping Account Takeovers and Stolen Passwords with Anchored Ephemeral Credentials

Welcome back to our ongoing retrospective blog series on the two-year anniversary of the SolarWinds attack. If you haven’t checked out parts one and two of the series, you can find them here. If you’d like to get straight into the nitty-gritty, on the other hand, you can check out the complete whitepaper here.

In our first two installments, we went through the ways in which the Russian state operative group Cozy Bear used SUNBURST malware to hijack privileged SolarWinds credentials, which were then used to exfiltrate SolarWinds’s trusted SAML token signing certificate inside their network. Equipped with the signing certificate, the threat actors were able to sign malicious tokens when needed, which granted the group unfettered access to the SolarWinds network for over nine months before they left of their own accord. We also explored the ways in which Gradient Cybersecurity Mesh (GCM) effectively eliminates the threat of stolen credentials by leveraging hardware roots of trust, and stops malware with remote attestation by continuously measuring and validating the full stack security endpoint posture.

In this third installment of four, we’ll take a closer look at the ways in which long-lived credentials such as these undermine zero-trust architectures and how Gradient Cybersecurity Mesh (GCM) enables the issuance of Secure Ephemeral Credentials, removing the need for cumbersome revocation and renewal processes.

The Trouble With Long-Lived Credentials

Digital infrastructure fails to keep pace with the dynamic, ephemeral nature of today’s security. This is due in no small part to the cost, complexity, and resource requirements of credential revocation and renewal. As a result, most systems utilize long-lived credentials that remain valid for far longer than it would take for an attacker to compromise them.

This problem stands in high relief in the SolarWinds attack with stolen credentials at its center. In addition to the other mitigations, if the SolarWinds signing certificate had just been made short-lived, if the tokens it issued were made short-lived, or if the platform hosting the signing certificates had been anchored to the credentials, then the initial compromise would have been prevented.

And yet, two years later, most systems continue to rely on long-lived credentials and operate with significant privileges and access.

That being said, the trend line is clear: major tech players are recognizing the inherent risk of long-lived credentials and are pushing for shorter lifetimes to keep ahead of threats. Both Apple and Google have pushed for shorter certificate lifetimes, with Apple limiting certificates to no longer than one year. Meanwhile, Mozilla, Facebook, and Cloudflare have proposed short-lived delegatable TLS credentials in their own sphere.

Renew Credentials Faster Than Threat Actors Can Steal Them with Anchored Ephemeral Credentials

We believe that one-year certificates are, nevertheless, far too long. A one-year certificate would have still given Cozy Bear all the time they needed to execute the SolarWinds attack. That’s why Gradient developed our third GCM innovation: Secure Ephemeral Credentials.

Don’t be spooked by what you already believe to be true about ephemeral credentials (e.g. “They’ll break my infrastructure” or “They’re too hard to manage”). The Gradient team has worked tirelessly to enable a seamless switch from static, long-lived credentials to secure ephemeral credentials without breaking existing infrastructure or protocols — such as Transport Layer Security (TLS) — or adding the cumbersome overhead of credential rotation.

The way we manage to do this is by plugging Gradient’s secure verifier — provided as a SaaS offering, on premises instance, or hybrid solution — into your existing identity system. For example, the secure verifier will work with your existing Certificate Authority (CA) or Public Key Infrastructure (PKI) as an intermediate CA or key issuer. Plus, we’ve automated away the credential rotation process to ensure your IT and DevSecOps teams can focus on what counts.

Stay Ahead of Threats with Gradient Cybersecurity Mesh

By moving to anchored ephemeral credentials, Gradient Cybersecurity Mesh shifts the balance of power in cyber warfare in your favor, making it prohibitively expensive to compromise any given asset.

Stay tuned for the next installment of our SolarWinds series, where we’ll discuss the fourth and final Gradient Cybersecurity Mesh innovation — Remotely Attested Secure Enclave Processors, which, as of 2021, have been benchmarked as the world’s most secure.