Sunburst: Some Initial Thoughts

There are a lot of articles about the recent hack involving Solar Winds that has impacted a huge number of organizations around the world from Microsoft to major government agencies. There’s a lot of speculation about the origin of the hack, so I thought I’d talk about why we think the origin is a specific nation-sponsored group, and what the entire thing says about the state of information security in the world right now.

Knock, Knock, Who’s There?#

An adversary is just your opponent in information security: someone who wants something that you wish to deny them. We should talk about what different types of adversaries want out of an attack, and how they go about it. This is something that is critical to a lot of different efforts in infosec, but most of all threat modeling There’s lots of different groupings we could follow, but this is the one I’ve found most helpful, especially when explaining things to other people.

N.B. These are all rough generalizations and are not detailed threat analysis of specific adversaries. Instead, I hope to just give you a general grouping of categories.

Script kiddies#

These are the trolls of the infosec world. They are interested, primarily, in “fame” (or perhaps reputation), and causing chaos. Perhaps there’s some money in it, but it’s not a structured thing like with criminal organizations. Their primary tools are pre-packaged scripts, hence the name, and other well-known things. These are almost never original vectors. They operate on a timeline of hours to days and are not known for their attention span; unless you take into account the “Advanced Persistent Teenager”.

“Hacktivists”#

I hate this term, but it’s one that’s stuck. A tedious portmanteau. These are something greater than a script kiddie, and are differentiated by two things: first, they generally have a clear goal in mind, whether political or social; second, they often have more creative vectors. While they often leverage off-the-shelf attacks (they still work great most of the time, sadly), they also combine them in more unique ways. They generally operate on a timeline of days to months.

Criminal organizations#

Criminal organizations want money. In the end, it’s always about money. Even where it might be used via indirection in blackmail, it’s a capitalist enterprise, and it’s about money in the end. Generally, their skills are better than the hacktivists, as they can pay people to be dedicated to developing new techniques; they also have longer timelines because they’re not as interested in smash and grab. One thing they are commonly associated with is things like ransomware. They generally operate on a timeline of weeks to months.

Nation-sponsored organizations#

This is where things change substantially. Nations aren’t usually (North Korea is an exception here) focused on money as the reward. Instead, they are interested in information or what we would generally call intelligence. Many times this is information is political or military, but it is also often just a nation-sponsored industrial espionage effort, where the information will be handed off to private industry to help them “compete”. The thing that sets these organizations apart is their patience and depth of expertise. Not only do they do enormous original research, they are willing to wait. They absolutely do not want to be detected. To do that, they will move slowly, and as we will see, they tend to go after boring infrastructure because of its force multiplier in the overall effort. Because they are interested in information, what they steal is not easily detectable like it would be with other organizations.

The Indicators#

Let’s start why many people (including me) think this was carried about by a nation-sponsored group using the previous descriptions as a start.

Photo of a toy wooden Trojan horse

‘Trojan Horse’ by ‘No Matter’ Project is licensed with CC BY-NC-ND 2.0.

From the few facts that we have so far, we know that this was a supply chain attack, meaning that while Solar Winds was one of the initial victims, they weren’t the target. Instead, the targets were the customers of Solar Winds; they were downstream in the supply chain. By infecting the Orion software, the adversary could ensure that customers would pick it up quickly (or not, see below) and bring it inside. Think of it as a distributed Trojan Horse attack: indiscriminate but effective.

Next, I think the target itself is a strong indicator of who is behind it. This quote tells it:

“SolarWinds by its nature has very privileged access to other parts of your infrastructure,” [Mike] Chapple, a former computer scientist at the National Security Agency, said in an interview. “You can think of SolarWinds as having the master keys to your network, and if you’re able to compromise that type of tool, you’re able to use those types of keys to gain access to other parts of the network. By compromising that, you have a key basically to unlock the network infrastructure of a large number of organizations.”

It’s not splashy, it’s not fancy, but it’s critical, low profile, “boring”, and the kind of thing that companies are likely to grant enormous privileges to, and yet poorly maintain at the same time. The perfect target for an adversary that thinks about the graph and plays a long game. As an aside, this is why we really do consider things like cryptographic keys and these sorts of administrative systems to be cornerstones rather than simply critical/high/secret: the compromise of these sorts of things lead to a cascade collapse of trust. A nation-sponsored actor knows that, and that’s why they want it.

Next, we have the Microsoft Security Response Center’s customer guidance:

Once in the network, the intruder then uses the administrative permissions acquired through the on-premises compromise to gain access to the organization’s global administrator account and/or trusted SAML token signing certificate. This enables the actor to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.

Again, this is boring. But it is staggeringly critical and focused on a core linchpin of trust. SAML is the foundation of cross-organizational identity trust. It’s how company A tells company B that Alice is an employee and allowed to access some resource of company B. It allowed them to pivot even further into organizations and across those organizations.

Finally, we have this, from Volexity about previous run-ins with the specific adversary believed to be involved:

Volexity’s investigation into this incident determined the attacker had accessed the Duo integration secret key (akey) from the OWA server. This key then allowed the attacker to derive a pre-computed value to be set in the duo-sid cookie.

As they state, this is not a vulnerability in Duo’s MFA (although there are other vulnerabilities with any MFA system that doesn’t involve some kind of anti-phishing protections, such as WebAuthn), but instead the compromise of a cornerstone secret that was used to bypass the system. Again, this is the attack against a fundamental “boring” component of an organization’s infrastructure.

These are not the actions of amateurs or of anyone in a hurry. These are the actions of a (likely) team of attackers who carefully thought through what they wanted, how they intended to go about getting it, and carried out the attack over, what is likely to be, many months.

Hence, why many of us believe this was a nation-sponsored organization. Which nation is less important, and there are plenty of challenges with attribution. There are certainly plenty of indicators though, both direct and indirect.

The Problem with Patching#

I want to look at the 8-K that Solar Winds filed with the SEC on 14 December 2020. There are two facts that stand out that are indicative of the industry as a whole:

SolarWinds, which said it has about 300,000 Orion customers, put the number of affected customers at about 18,000.

and

Based on its investigation to date, SolarWinds has evidence that the vulnerability was inserted within the Orion products and existed in updates released between March and June 2020 […]

These numbers lead us to believe that in 4 months (92 days) only 6% of their customers we impacted, which we can interpret as the ones who downloaded and installed the malicious update. What does that say about updates? First, we can look at the history of CVE releases for Solar Winds as a whole. While there are a decent number of scary vulnerabilities in there (as there are with most software that anyone bothers to pay attention to), they seem to be in the constellation (see what I did there?) of products around the Orion platform.

Still, modern software is generally dodgy from a security perspective, and a semi-annual update is certainly not an unreasonable goal, if not every 3 months. Based on the 6% adoption in 92 days, we would expect approximately 24% adoption across the year, or at least four years to turn over all the instances. This is horrifying, but it is also unsurprising. Companies struggle with patching for a multitude of reasons that perhaps I’ll explore in another post.

Detecting Nation-Sponsored Organizations#

So how in the world will you detect this kind of advanced attack? I’ll go to something Toby Kohlenberg once told me that has stuck with me. We were discussing the supposed truism that “attackers only have to be right once, defenders have to be right every time”. That’s incomplete. Attackers have to be right as many times as you put up impediments to their progress.

To find someone like a nation, you are dependent on them making mistakes, and they don’t make many mistakes. That means you need a web of detections across the enterprise, with the hope that, with enough different kinds, you will find the random mistake that they make. The misplaced foot. This parallels my “defenses are like Swiss cheese” theory. It may also depend on the luck of the “hey, that’s weird” moment.

Final Thoughts#

So what do you do if you’re targeted by a nation-sponsored organization? How do you detect them? Short answer: you probably won’t, at least not directly. Longer answer: go back and understand who your adversaries are and what they really want from you, versus who you wish they were. There is a deep theme in infosec where people worry about the problems they wish they had and not the ones they actually have. It’s understandable, as the problems most organizations have are boring and solving them doesn’t require some magical technical incantation, but hard political and organizational work.

Like so many things in infosec, though, it’s the basics that matter most.

© 2020 Christopher Petrilli