HomeStrategyTop lesson from SolarWinds attack: Rethink Identity security

Top lesson from SolarWinds attack: Rethink Identity security

The many lessons that were from the SolarWinds hack, one security breach most companies don’t realize that identity infrastructure is a key cyber-attack attack target.According to Gartner’s Peter Firstbrook, who shared his views on the key lessons gained of the SolarWinds Orion security vulnerability at the company’s Security & Risk Management Summit which is the Americas virtual conference that was held this week.

The SolarWinds attack that is advancing towards one year since its initial disclosure one year later has been a wakeup call for the industry due to its complexity, scale as well as the delivery technique. The attackers compromised the software supply chain by introducing malicious code into SolarWinds Orion. SolarWinds Orion network monitoring application and then disseminating updates to around 18,000 customers.

The breach went unnoticed. The hackers, who’ve been linked to Russian information via U.S. authorities, are believed to have had access to over up to nine weeks “some of the most sophisticated networks in the world,” that includes cybersecurity firms FireEye, Microsoft, and the U.S. Treasury Department, according to Firstbrook the executive vice research director and analyst at Gartner. Other federal agencies affected were those belonging to those of the Departments of Defense, State, Commerce and Homeland Security.

Firstbrook spoke about his experiences with the SolarWinds attack, first discovered in December. 13th of January, 2020 by FireEye during two sessions at two sessions at the Gartner Summit this week. The security implications of identity theft should be at the the top of business at the time of the talks and also an interview with journalists.

The primary focus should be on the persona

When requested by VentureBeat what was his most important takeaway in the SolarWinds incidents, Firstbrook said the incident revealed the “the identity infrastructure is a target.”

“People need to recognize that, and they don’t,” said the official. “That’s my most important message to you that you’ve put lots of money for identity, but the focus is what you do to let the good people in. It’s really important to invest some time understanding the signs the identity infrastructure is damaged and then maintaining the infrastructure.”

Firstbrook discovered a specific case in which SolarWinds hackers were able to escape MFA commonly referred to as multi-factor authentication (MFA) which is frequently advertised as one of the most effective ways to stop accounts from being taken over. The hackers were able to circumvent MFA by taking a web-based cookie Firstbrook said. This was possible because of the outdated technology used, and was is classified as MFA according to Firstbrook.

“You’ve to keep up with the identity infrastructure. It’s important to know the moment it’s been compromised and also when someone has gained access to your credentials or has stolen your credentials and presenting them as authentic,” he added.

Identity management in the digital age is often a challenge for businesses as many businesses are suffering from identity expansion. This can include human, machine and application identities (such as robotic process automation). A recent study commissioned by identity security vendor One Identity revealed that nearly all organizations–95%–report challenges in digital identity management.

The SolarWinds attackers exploited this vulnerability to manage of identities. In a discussion with the whole Gartner meeting on the Thursday Firstbrook stated the hackers had been “primarily focused on attacking the identity infrastructure” during the SolarWinds campaign.

Other techniques employed by attackers comprised getting passwords which allowed them to gain access to more privilege levels (known in the field of Kerberoasting) and also to take over SAML certificates, which allow identity authentication via cloud services; and establishment of brand new account through an Active Directory server, according to Firstbrook.

Moving laterally

Due to these accomplishments they were adept at using their position within their position in the Active Directory environment to jump out of the on-premises system in the which SolarWinds used to be operating, SolarWinds Server was operating, and then onto Microsoft Azure cloud. Microsoft Azure cloud the hacker declared.

“Identities are the connective tissue that attackers are using to move laterally and to jump from one domain to another domain,” Firstbrook said.

Identity management and access management systems management could be “clearly a rich target opportunity for attackers,” declared the researcher. declared.

Microsoft recently revealed details of another security breach believed to have come from a part from the Russian linked entity, Nobelium, which involved an implant used to target Active Directory servers, Firstbrook declared.

“They were using that implant to infiltrate the Active Directory environment– to create new accounts, to steal tokens, and to be able to move laterally with impunity–because they were an authenticated user within the environment,” said the administrator.

Tom Burt, a corporate vice president at Microsoft Tom Burt, Microsoft’s corporate vice president, stated in an article on Microsoft’s blog about Microsoft’s “wave of Nobelium activities this summer” included attacks against 609 customers. The number of attacks was more than 23,000. attempts on those customers between July 1 and October. 19 “with a success rate in the low single digits,” Burt said in the blog post.

The monitoring of the Identity Infrastructure

The most frequently-asked concerns in the aftermath of the SolarWinds breach, Firstbrook said, is how do you prevent the incident in your supply chain having an impact on your company?

“The reality is, you can’t,” he said.

It is imperative for companies to exercise caution in deciding the software they will use. The likelihood of detecting malware in the software of a different vendor is “extremely low,” Firstbrook said.

What companies can do is to prepare themselves for the event that this could happen. The most crucial part of this is checking the security infrastructure for identification, he said.

“You want to monitor your identity infrastructure for known attack techniques–and start to think more about your identity infrastructure as being your perimeter,” Firstbrook explained.


VentureBeat’s aim is to create an internet-based townsquare for technologically adept decision makers to gain knowledge on technology that has revolutionized the world and to facilitate transactions.

Our site provides vital details on data technology and strategies to assist you in managing your businesses. We invite you to become an active participant in our community, and gain access to:

The most up-to-date information regarding the topics that are of interest to you.

Our newsletters

Gated thought-leaders content with gated users. Discount tickets to events that are highly sought-after like Transform 2021: Explore More  social networking and numerous other functions.


Most Popular

How do I protect my brand

Dermal fillers Treatment

Recent Comments