Sunburst: Some Initial Thoughts
There are a lot of articles about the recent hack involving Solar Winds that has impacted a huge number of organizations around the world from Microsoft to major government agencies. There's a lot of speculation about the origin of the hack, so I thought I'd talk about why we think the origin is a specific nation-sponsored group, and what the entire thing says about the state of information security in the world right now.
Knock, Knock, Who's There?
An adversary is just your opponent in information security: someone who wants something that you wish to deny them. We should talk about what different types of adversaries want out of an attack, and how they go about it. This is something that is critical to a lot of different efforts in infosec, but most of all threat modeling. There are lots of different groupings we could follow, but this is the one I've found most helpful, especially when explaining things to other people.
N.B. These are all rough generalizations and are not detailed threat analysis of specific adversaries. Instead, I hope to just give you a general grouping of categories.
Script kiddies
These are the trolls of the infosec world. They are interested, primarily, in "fame" (or perhaps reputation), and causing chaos. Perhaps there's some money in it, but it's not a structured thing like with criminal organizations. Their primary tools are pre-packaged scripts, hence the name, and other well-known things. These are almost never original vectors. They operate on a timeline of hours to days and are not known for their attention span; unless you take into account the "Advanced Persistent Teenager".
"Hacktivists"
I hate this term, but it's one that's stuck. A tedious portmanteau. These are something greater than a script kiddie, and are differentiated by two things: first, they generally have a clear goal in mind, whether political or social; second, they often have more creative vectors. While they often leverage off-the-shelf attacks (they still work great most of the time, sadly), they also combine them in more unique ways. They generally operate on a timeline of days to months.
Criminal organizations
Criminal organizations want money. In the end, it's always about money. Even where it might be used via indirection in blackmail, it's a capitalist enterprise, and it's about money in the end. Generally, their skills are better than the hacktivists, as they can pay people to be dedicated to developing new techniques; they also have longer timelines because they're not as interested in smash and grab. One thing they are commonly associated with is things like ransomware. They generally operate on a timeline of weeks to months.
Nation-sponsored organizations
This is where things change substantially. Nations aren't usually (North Korea is an exception here) focused on money as the reward. Instead, they are interested in information or what we would generally call intelligence. Often this information is political or military, but it is also often just a nation-sponsored industrial espionage effort, where the information will be handed off to private industry to help them "compete". The thing that sets these organizations apart is their patience and depth of expertise. Not only do they do enormous original research, they are willing to wait. They absolutely do not want to be detected. To do that, they will move slowly, and as we will see, they tend to go after boring infrastructure because of its force multiplier in the overall effort. Because they are interested in information, what they steal is not easily detectable like it would be with other organizations.
The Indicators
Let's start with why many people (including me) think this was carried out by a nation-sponsored group, using the previous descriptions as a start.

"Trojan Horse" by "No Matter" Project is licensed with CC BY-NC-ND 2.0.
From the few facts that we have so far, we know that this was a supply chain attack, meaning that while Solar Winds was one of the initial victims, they weren't the target. Instead, the targets were the customers of Solar Winds; they were downstream in the supply chain. By infecting the Orion software, the adversary could ensure that customers would pick it up quickly (or not, see below) and bring it inside. Think of it as a distributed Trojan Horse attack: indiscriminate but effective.
Next, I think the target itself is a strong indicator of who is behind it. This quote tells it:
"SolarWinds by its nature has very privileged access to other parts of your infrastructure," [Mike] Chapple, a former computer scientist at the National Security Agency, said in an interview. "You can think of SolarWinds as having the master keys to your network, and if you're able to compromise that type of tool, you're able to use those types of keys to gain access to other parts of the network. By compromising that, you have a key basically to unlock the network infrastructure of a large number of organizations."
It's not splashy, it's not fancy, but it's critical, low profile, "boring", and the kind of thing that companies are likely to grant enormous privileges to, and yet poorly maintain at the same time. The perfect target for an adversary that thinks about the graph and plays a long game. As an aside, this is why we really do consider things like cryptographic keys and these sorts of administrative systems to be cornerstones rather than simply critical/high/secret: the compromise of these sorts of things leads to a cascade collapse of trust. A nation-sponsored actor knows that, and that's why they want it.
Next, we have the Microsoft Security Response Center's customer guidance:
Once in the network, the intruder then uses the administrative permissions acquired through the on-premises compromise to gain access to the organization's global administrator account and/or trusted SAML token signing certificate. This enables the actor to forge SAML tokens that impersonate any of the organization's existing users and accounts, including highly privileged accounts.
Again, this is boring. But it is staggeringly critical and focused on a core linchpin of trust. SAML is the foundation of cross-organizational identity trust. It's how company A tells company B that Alice is an employee and allowed to access some resource of company B. It allowed them to pivot even further into organizations and across those organizations.
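A forged token signed with a stolen certificate is cryptographically valid, so signature checks alone cannot catch it. One defensive check, added here as an illustration and not part of the original post or any vendor's tooling, is to reconcile the assertions a service provider accepted against the identity provider's own issuance log: an assertion the IdP never recorded issuing, or one whose validity window far exceeds the IdP's configured lifetime, is a candidate forgery. The log records and the one-hour policy lifetime below are constructed assumptions.

```python
"""Reconcile SP-accepted SAML assertions against IdP issuance records."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: the IdP normally issues short-lived assertions. An attacker
# holding the signing key can set any lifetime, so a long window stands out.
MAX_EXPECTED_LIFETIME = timedelta(hours=1)

@dataclass(frozen=True)
class IdpIssuance:          # one entry from the identity provider's log
    assertion_id: str
    subject: str
    issued_at: datetime

@dataclass(frozen=True)
class SpAcceptance:         # one entry from the service provider's log
    assertion_id: str
    subject: str
    not_before: datetime
    not_on_or_after: datetime
    accepted_at: datetime

def find_suspect_assertions(issued, accepted):
    """Return (assertion_id, reasons) for accepted assertions the IdP has no
    record of issuing, whose subject differs, or whose lifetime is abnormal."""
    issued_by_id = {rec.assertion_id: rec for rec in issued}
    findings = []
    for a in accepted:
        reasons = []
        rec = issued_by_id.get(a.assertion_id)
        if rec is None:
            reasons.append("no matching IdP issuance event")
        elif rec.subject != a.subject:
            reasons.append("subject differs from IdP record")
        if a.not_on_or_after - a.not_before > MAX_EXPECTED_LIFETIME:
            reasons.append("lifetime exceeds IdP policy")
        if reasons:
            findings.append((a.assertion_id, reasons))
    return findings

# Constructed sample logs: one legitimate login and one assertion the IdP
# never issued that is valid for a whole year.
T = datetime(2020, 12, 14, 9, 0, tzinfo=timezone.utc)
SAMPLE_ISSUED = [IdpIssuance("_a1", "alice@example.com", T)]
SAMPLE_ACCEPTED = [
    SpAcceptance("_a1", "alice@example.com", T, T + timedelta(minutes=5),
                 T + timedelta(seconds=2)),
    SpAcceptance("_f9", "admin@example.com", T, T + timedelta(days=365),
                 T + timedelta(hours=3)),
]

if __name__ == "__main__":
    for assertion_id, reasons in find_suspect_assertions(SAMPLE_ISSUED, SAMPLE_ACCEPTED):
        print(assertion_id, "->", "; ".join(reasons))
```

In a real deployment the IdP side would be the token-issuance audit log and the SP side the application's sign-in log, joined on the assertion ID.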
Finally, we have this, from Volexity about previous run-ins with the specific adversary believed to be involved:
Volexity's investigation into this incident determined the attacker had accessed the Duo integration secret key (akey) from the OWA server. This key then allowed the attacker to derive a pre-computed value to be set in the duo-sid cookie.
As they state, this is not a vulnerability in Duo's MFA (although there are other vulnerabilities with any MFA system that doesn't involve some kind of anti-phishing protections, such as WebAuthn), but instead the compromise of a cornerstone secret that was used to bypass the system. Again, this is the attack against a fundamental "boring" component of an organization's infrastructure.
These are not the actions of amateurs or of anyone in a hurry. These are the actions of a (likely) team of attackers who carefully thought through what they wanted, how they intended to go about getting it, and carried out the attack over, what is likely to be, many months.
Hence, why many of us believe this was a nation-sponsored organization. Which nation is less important, and there are plenty of challenges with attribution. There are certainly plenty of indicators though, both direct and indirect.
The Problem with Patching
I want to look at the 8-K that Solar Winds filed with the SEC on 14 December 2020. There are two facts that stand out that are indicative of the industry as a whole:
SolarWinds, which said it has about 300,000 Orion customers, put the number of affected customers at about 18,000.
and
Based on its investigation to date, SolarWinds has evidence that the vulnerability was inserted within the Orion products and existed in updates released between March and June 2020 […]
These numbers lead us to believe that in 4 months (92 days) only 6% of their customers were impacted, which we can interpret as the ones who downloaded and installed the malicious update. What does that say about updates? First, we can look at the history of CVE releases for Solar Winds as a whole. While there are a decent number of scary vulnerabilities in there (as there are with most software that anyone bothers to pay attention to), they seem to be in the constellation (see what I did there?) of products around the Orion platform.
Still, modern software is generally dodgy from a security perspective, and a semi-annual update is certainly not an unreasonable goal, if not every 3 months. Based on the 6% adoption in 92 days, we would expect approximately 24% adoption across the year, or at least four years to turn over all the instances. This is horrifying, but it is also unsurprising. Companies struggle with patching for a multitude of reasons that perhaps I'll explore in another post.
Detecting Nation-Sponsored Organizations
So how in the world will you detect this kind of advanced attack? I'll go to something Toby Kohlenberg once told me that has stuck with me. We were discussing the supposed truism that "attackers only have to be right once, defenders have to be right every time". That's incomplete. Attackers have to be right as many times as you put up impediments to their progress.
To find someone like a nation, you are dependent on them making mistakes, and they don't make many mistakes. That means you need a web of detections across the enterprise, with the hope that, with enough different kinds, you will find the random mistake that they make. The misplaced foot. This parallels my "defenses are like Swiss cheese" theory. It may also depend on the luck of the "hey, that's weird" moment.
Final Thoughts
So what do you do if you're targeted by a nation-sponsored organization? How do you detect them? Short answer: you probably won't, at least not directly. Longer answer: go back and understand who your adversaries are and what they really want from you, versus who you wish they were. There is a deep theme in infosec where people worry about the problems they wish they had and not the ones they actually have. It's understandable, as the problems most organizations have are boring and solving them doesn't require some magical technical incantation, but hard political and organizational work.
Like so many things in infosec, though, it's the basics that matter most.