Overview
Effective implementation of a zero trust security strategy could likely have prevented one of the most damaging cyberattacks in US history, the full impacts of which remain far from completely realized. This whitepaper explores how SolarWinds, or any of the 18,000 companies compromised by the Sunburst malware during the breach, could have leveraged zero trust principles to detect and neutralize the attack in its earliest stages. These strategies, coupled with a practical prevention posture, would have identified the malicious behavior and initiated immediate action.
Background
The attack was an advanced and covert campaign, allowing attackers to remain undetected for upwards of 18 to 24 months. Attackers launched at least four waves of compromise. Each wave penetrated more deeply into the target environments, stealing insights into how the US government and enterprises think and operate.
In the first wave, a nation-state actor compromised SolarWinds by gaining access to the leading network software firm’s enterprise networks. A second wave targeted the SolarWinds product development environment, injecting malicious code into its popular and proprietary Orion software. The third wave delivered trojanized code to SolarWinds customers via a remote product patch update. The resultant backdoors let attackers target authentication systems and gain access to global administrator accounts. Finally, using trusted credentials and remote access, the attackers launched a devastating fourth wave, stealing confidential data and disrupting business activities. The full impact on SolarWinds’ 18,000 customers remains undetermined.
Each wave’s lesson is that organizations cannot monitor network activity with the granularity needed to detect and contain trusted entities’ anomalous activity. Sunburst’s exploitation of situational blindness isn’t new. Predecessors, including NotPetya, WannaCry, and others, have also capitalized on this vulnerability. While extraordinarily damaging and highly sophisticated, the multi-phase SolarWinds breach is just another wake-up call, a red flag alert that current cyber-defense strategies need to evolve.
What is the Solution?
StealthPath proposes that a zero trust strategy, guided by our StealthPath Zero Trust Capability Model (ZTCM), is one that organizations should pursue to evolve their security posture and strengthen their cyber and operational defenses. The ZTCM incorporates the principal tenets of zero trust security to help organizations establish a holistic implementation strategy to monitor and validate network activity continuously, at a granular level. Based on the concept that an organization should not inherently trust anything inside or outside its perimeters, a zero trust environment narrows access using security controls that continuously monitor and verify all connections before authorizing requested operations. A zero trust strategy is about establishing the right policies, identifying the optimal enforcement points, then effectively enforcing those policies at the identified enforcement points. An increased number of enforcement points provides greater visibility and more granular control of traffic flow into, out of, and across the network.
How StealthPath’s approach eliminates inherent trust and prevents exploits
The StealthPath Zero-Trust Capability Model provides a new perspective. It enables organizations to evaluate their security and operational integrity posture against acceptable risk within a continuous assessment framework.
ZAlert, StealthPath’s keystone product, uses AI and advanced analytics to build a complete model of normal system behavior. Its behavioral engine flags unusual events, providing immediate context for classification and response. Real-world feedback continuously improves its understanding of nominal behavior and its sensitivity to potentially threatening anomalies.
In the case of SolarWinds, ZAlert’s capabilities could have detected suspicious activity as early as the preliminary “reconnaissance” phase of the attack. (This is the first link of the Lockheed Martin “cyber kill chain” model of cyber exploits.) The hacker’s initial probing for vulnerabilities inevitably required new connections between internal and external devices that ZAlert could have flagged for investigation.
Even if a vulnerability were identified and exploited, abnormal behavior in the next kill chain phases would have set off additional alarms. ZAlert’s functionality goes beyond detecting novel connections by also alerting on atypical payloads and unusual transaction size, frequency, or timing. ZAlert’s situational awareness can resolve each of these down to the individual device and transaction. The result is an early warning of abnormal behaviors, providing the context and detail to respond quickly before damaging exploitation or operational compromise.
For example, consider the interactions between two “smart device” components of an HVAC system. Under zero trust, a policy administrator would authenticate each device and authorize their connection before data was allowed to flow. That authorization would expire when communication ceased and would go through approval again at the next interaction. There is no persistent implicit trust. The frequency of challenge and verification in zero trust is a significant evolution of the “hard shell/soft interior” of traditional, perimeter-based security. Additional layers provided by advanced identification techniques, AI pattern recognition, and behavioral baselines can tighten access even further, potentially to the level of individual commands.
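The HVAC example above, together with the detection signals described in the preceding paragraph (novel connections, atypical payload sizes, lapsed authorization), can be made concrete with a small policy enforcement point. The following Python is an added illustration written for this page; it is not StealthPath code and does not represent how ZAlert or ZAware are implemented. The device names, the approved flow list, the credentials, the payload sizes and the simulated clock are all constructed for the example.

```python
"""Toy zero trust policy enforcement point with a behavioral baseline.

Added illustration, not StealthPath's code. Device names, the approved
flow list, credentials and the transaction sizes are constructed; the
clock is a plain number of simulated seconds so the example runs offline.
"""
from dataclasses import dataclass
import statistics


@dataclass
class Session:
    src: str
    dst: str
    expires_at: float  # simulated clock; a real deployment binds this to a TLS session or token lifetime


class PolicyEnforcementPoint:
    """Verifies every interaction; a device is never trusted because it was trusted earlier."""

    def __init__(self, allowed_flows, device_keys, session_ttl=30.0):
        self.allowed_flows = set(allowed_flows)  # (src, dst) pairs a policy administrator approved
        self.device_keys = dict(device_keys)     # device -> credential (stand-in for a real device identity)
        self.session_ttl = session_ttl
        self.sessions = {}                       # (src, dst) -> Session; dropped when it expires
        self.baseline = {}                       # (src, dst) -> payload sizes observed during normal operation
        self.alerts = []                         # (clock, kind, detail) records for the analyst

    def _alert(self, now, kind, detail):
        self.alerts.append((now, kind, detail))

    def connect(self, src, credential, dst, now):
        """Authenticate the device and authorize this one connection; no implicit carry-over."""
        if self.device_keys.get(src) != credential:
            self._alert(now, "auth_failure", f"{src} presented a bad credential")
            return False
        if (src, dst) not in self.allowed_flows:
            # Unapproved pairing: block it and surface it for investigation.
            self._alert(now, "novel_connection", f"{src} -> {dst} is not an approved flow")
            return False
        self.sessions[(src, dst)] = Session(src, dst, now + self.session_ttl)
        return True

    def _live_session(self, src, dst, now):
        session = self.sessions.get((src, dst))
        if session is None:
            return False
        if now >= session.expires_at:
            del self.sessions[(src, dst)]  # authorization lapsed; the device must be re-verified
            return False
        return True

    def transmit(self, src, dst, payload_size, now):
        """Allow a transaction only under a live authorization, and compare it to the baseline."""
        if not self._live_session(src, dst, now):
            self._alert(now, "unauthorized_transfer", f"{src} -> {dst} without a current authorization")
            return "deny"
        history = self.baseline.setdefault((src, dst), [])
        if len(history) >= 5:
            median = statistics.median(history)
            spread = statistics.pstdev(history) or 1.0  # identical samples give a zero spread
            if abs(payload_size - median) > 3 * spread:
                self._alert(now, "atypical_payload",
                            f"{src} -> {dst} sent {payload_size} bytes (baseline median {median:.0f})")
                return "allow_with_alert"  # outliers are not folded into the baseline
        history.append(payload_size)
        return "allow"


def run_hvac_scenario():
    """Constructed scenario: a thermostat reports to an air-handler controller once a minute."""
    pep = PolicyEnforcementPoint(
        allowed_flows=[("thermostat-7", "ahu-controller-2")],
        device_keys={"thermostat-7": "k-thermo", "ahu-controller-2": "k-ahu"},
        session_ttl=30.0,
    )
    clock = 0.0
    # Normal operation: every report is a fresh authorization followed by a small payload.
    for size in (510, 514, 509, 512, 511, 513):
        assert pep.connect("thermostat-7", "k-thermo", "ahu-controller-2", clock)
        pep.transmit("thermostat-7", "ahu-controller-2", size, clock + 1)
        clock += 60.0  # well past the TTL, so trust never carries over between reports
    # 1) Sending under a lapsed authorization is refused.
    lapsed = pep.transmit("thermostat-7", "ahu-controller-2", 512, clock)
    # 2) Re-authorized, but a payload far outside the baseline is flagged.
    pep.connect("thermostat-7", "k-thermo", "ahu-controller-2", clock)
    outlier = pep.transmit("thermostat-7", "ahu-controller-2", 48000, clock + 1)
    # 3) A connection to a resource no policy approved is blocked outright.
    unapproved = pep.connect("thermostat-7", "k-thermo", "file-server-1", clock + 2)
    return lapsed, outlier, unapproved, [kind for _, kind, _ in pep.alerts]


if __name__ == "__main__":
    print(run_hvac_scenario())
```

The three outcomes at the end of the scenario map onto the page's claims: the expired authorization is denied rather than silently reused, the oversized payload is allowed but raised as an alert for context and response, and the connection to an unapproved resource is blocked before any data flows. The outlier is deliberately kept out of the baseline so that one anomalous transfer cannot teach the model that such transfers are normal.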
A consistent approach to zero trust
From its inception in 2017, StealthPath has focused on developing a holistic zero trust strategy and a purpose-built solutions portfolio. The Zero Trust Capability and Maturity Models (ZTCMM), developed by a leading global security practitioner and former White House Executive Fellow, are the core of our strategy, consulting, and product offerings.
The ZTCMM provides a comprehensive architectural blueprint for zero trust assessment and implementation. Our model is a bridge between the massive detail of NIST 800-53 Security & Privacy Controls and the high-level philosophy and approach of NIST 800-207 Zero Trust Architecture. Our model provides a set of holistic controls designed to guide a phased adoption and effective implementation path of zero trust practices across an organization’s entire enterprise or environment of interest. Our clients can navigate to a zero-trust posture with the ZTCMM as a roadmap and metrics framework. By enhancing their situational awareness, they build the capability to detect and contain malicious traffic that would elude traditional cybersecurity protections. As a holistic approach, the ZTCMM addresses the danger of an ad hoc, patchwork approach that inevitably leaves significant gaps and vulnerabilities.
The ZTCMM is vendor-agnostic because a comprehensive zero trust implementation strategy requires more than one product. The optimal approach most likely combines multiple software and hardware products, along with risk-based policies and processes.
StealthPath products are purpose-built to be complementary. They are agentless, deployable without significant changes to networks or existing solutions and without impeding operations. They supercharge rather than displace existing cybersecurity solutions.
- ZAware provides full asset visibility through actionable reports to quickly understand the entities and interactions in an environment.
- ZAlert builds on ZAware functionality, continuously monitoring and classifying network traffic, leveraging behavioral and other advanced analytics to detect potential threats at a highly granular level. Near real-time alerts can be integrated with market-leading SIEM solutions.
Complemented by a full range of training and consulting services, the StealthPath offerings are the means for organizations to achieve dynamic reliability through systems and operations integrity.
Conclusion
We may never know the full impact of the SolarWinds breach. But we know that real-time awareness of the attack as it evolved could have mitigated the damage, if not stopped it before it started. The StealthPath Zero Trust Capability Model specifies the granular controls needed for actionable awareness and response at multiple points throughout the attack sequence. ZAware and ZAlert can play a vital role, with comprehensive asset discovery and advanced continuous monitoring. Even though Sunburst had stolen trusted credentials, it would face unending challenges. A zero trust solution would verify every access, compare every command to past behavior, and block any attempt to connect to unapproved internal or external resources.
This attack has been an important lesson for everyone in information security, whether you were impacted directly or not. Current cyber-defense strategies are too often blind to internal compromise, and once an adversary gets in, all compromise is internal. The solution is to continuously monitor networked interactions with a deep understanding of context and enhanced sensitivity to subtle variations that might reveal significant threats.
It’s not just about future attacks. Advanced persistent threats are most likely already dormant inside most environments. The challenge is to find them before they wake up.
For more information about StealthPath’s training, consulting services, solutions, or to schedule a demo, please contact info@stealthpath.com or call (571) 888-9480.