Revelations About Securing Hybrid Cloud Environments Post-SolarWinds

March 31, 2021 Justyna Kucharczak

Hybrid Cloud Cybersecurity SolarWinds

In the early 1960s, J.C.R. Licklider, director of the Pentagon’s Information Processing Techniques Office (IPTO), spoke of a future “intergalactic computer network” that would serve as the “main and essential medium of informational interaction for governments, institutions, corporations, and individuals.”

Today, Licklider’s vision is very much reality. Cloud services and technologies are ubiquitous, enabling organizations of all sizes and across all sectors to connect, collaborate and push the boundaries of innovation. Yet those who wish to do harm are also making strides. Malicious actors understand four things:

  • Cloud misconfigurations are rampant.
  • Even “ordinary” user identities in the cloud can be configured with as much power as traditional privileged admin accounts.
  • They can use familiar methods from on-premises attacks (like privilege escalation and lateral movement) while covering more ground in less time by taking the cloud route.
  • When a cloud identity is overpermissioned (which happens all the time), they can often use it to move around without detection.

The Digital Supply Chain Attack That Reached Into the Cloud and Around the World

The massive SolarWinds breach illustrates this increased focus on the cloud — particularly the privilege escalation stage of a multi-step digital supply chain attack, after the attacker had successfully infiltrated a SolarWinds Orion customer. Here’s a look:

Orion software requires privileged access to run, whether it is installed on physical servers on-premises or on virtual machines in the cloud. When the SUNBURST malware reached a victim organization via software update, it reportedly already had elevated privileged access, making it easier for the attacker to establish a foothold in the Orion software. And by doing so, the attacker may have been able to extract privileged API keys, allowing them to “own” the organization’s cloud right away.

In some instances, the attacker used the sophisticated “Golden SAML” attack technique, leveraging their privileged access to target the popular SAML authentication standard, which is used to establish trust between on-premises and cloud environments. The adversary gained admin access to the victim’s Active Directory Federation Services (ADFS) server, stole the primary secret of this identity provider, and then used it to forge SAML tokens and bypass MFA completely. With unfettered privileged access to nearly any of an organization’s systems and applications, the attacker could impersonate virtually any identity and move laterally between cloud and on-premises systems with ease.

Apples-to-Oranges: The Hybrid Cloud Security Conundrum

Nearly every organization uses cloud services, and 80% have taken a hybrid cloud approach — keeping some infrastructure on-premises and moving other functions and services to the cloud, according to a 2021 Flexera survey. These workloads are often spread across multiple public cloud platforms for myriad reasons: business flexibility, specific business line needs, prior acquisitions, geographic coverage and more. In fact, a recent Cloud Security Alliance study found 81% of organizations have a multi-cloud strategy in place, while the same Flexera report estimates organizations use or experiment with an average of 3.7 public cloud providers.

Securing the operations of hybrid cloud environments is uniquely challenging. These diversified, yet highly interconnected environments introduce new types of threats and expanded attack surfaces that make security teams’ jobs a lot more difficult. Since traditional security approaches don’t always translate in cloud environments, there’s a lot of new information and technology to learn but rarely enough time or resources. Add in the complexity of DevOps tools, automation, countless SaaS apps and shadow IT, and it’s easy to see why security teams are overwhelmed.

As more organizations “assume breach” and focus on ways to proactively identify and respond to in-progress attacks, security teams are looking for more consistent ways to secure high-value data and assets, no matter where they reside. The most effective follow these best practices:

1. Get a Full View of Identity. Since nearly every targeted cyberattack today involves the compromise of identity and abuse of privileged credentials, most teams begin by taking inventory of their privileged and identity landscape. They then establish a single, centralized way to visualize and manage credentials such as passwords, access keys and API keys across their hybrid cloud environment.

2. Follow Security Best Practices Outlined by Your Federated Identity Provider. In the case of SolarWinds, attackers abused trust in federated authentication environments to access critical assets and data. It is crucial to revisit and follow the security best practices outlined by your federated identity provider to reduce risk of abuse in these powerful mechanisms. For example, Microsoft offers a comprehensive guide for secure planning and deployment of Active Directory Federation Services and Web Application Proxy. For additional guidance on Golden SAML detection and mitigation activities, read this piece by CyberArk Labs and the NSA advisory.

3. Reevaluate “High-Value” Assets. When securing access to high-value, high-risk assets such as Active Directory and domain controllers, teams sometimes overlook cloud management consoles and portals. But if one is compromised, an attacker can gain full control of an organization’s cloud services and resources. Root-level user accounts (or “break glass accounts”) should be vaulted and rotated like any other privileged credential. Federate access to these consoles, along with virtual machines and CLIs, and authenticate with your preferred identity provider.

Enforcing strong PAM controls, such as securing and rotating AWS root accounts protected with MFA, will help to reduce exposure, while continuously managing privileged sessions can help security teams spot potential issues earlier and make it harder for attackers to maintain persistence. After the highest value targets are secured, teams can expand coverage to other areas.

4. Be Consistent About Least Privilege and Enforce it Everywhere. Many security-minded organizations are shifting to Zero Trust security frameworks that employ the principle of least privilege to block privilege escalation and lateral movement. Many are using frameworks such as the MITRE ATT&CK and Cloud Security Alliance’s Cloud Control Matrix to guide them. Least privilege approaches limit the number of users with admin privileges and replace standing access with just-in-time privileged access. In cloud environments, this also entails conducting regular entitlement reviews to identify unused or misconfigured IAM permissions that pose heightened risk. AI-powered solutions and integrations can help automate identification and remediation of excessive cloud permissions.

5. Secure Human Access with Adaptive MFA and SSO. Identity as a Service (IDaaS) capabilities that can strongly authenticate human identities are integral to a defense-in-depth security approach — no matter the environment. To minimize end-user friction, consider solutions that integrate with major cloud providers’ native capabilities — AWS Single Sign-On, for example — to enable automatic provisioning of users/groups and simplify access to authorized accounts and resources. It’s critically important to layer IDaaS protections with strong PAM controls to reduce the risk of stealthy bypass techniques like Golden SAML.
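To make best practice 2 concrete, here is an added detection example (not code from the original post, CyberArk Labs or the NSA advisory) that applies the core Golden SAML signal: an assertion that a cloud service provider accepted but that the federation server never logged issuing, or one whose lifetime is far beyond the configured default. The ADFS issuance events and cloud sign-in records are constructed sample data, and the field names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed IdP-side records: ADFS token-issuance audit events (user, time, source).
IDP_ISSUANCE = [
    {"ts": "2021-03-01T09:00:05", "user": "alice@example.com", "src_ip": "10.0.0.5"},
    {"ts": "2021-03-01T09:30:10", "user": "bob@example.com", "src_ip": "10.0.0.9"},
]

# Constructed SP-side records: cloud sign-ins and the SAML assertion each presented.
SP_SIGNINS = [
    {"user": "alice@example.com", "issued": "2021-03-01T09:00:06",
     "expires": "2021-03-01T10:00:06"},
    # Signature validates, but ADFS never logged issuing it: signed outside the IdP.
    {"user": "carol@example.com", "issued": "2021-03-01T11:00:00",
     "expires": "2021-03-01T12:00:00"},
    # Has an IdP event, but a one-week lifetime is far outside the configured default.
    {"user": "bob@example.com", "issued": "2021-03-01T09:30:11",
     "expires": "2021-03-08T09:30:11"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def find_suspect_assertions(idp_events, sp_signins,
                            max_lifetime=timedelta(hours=1),
                            skew=timedelta(minutes=2)):
    """Flag SP sign-ins whose assertion lacks an IdP issuance event or has an abnormal lifetime."""
    findings = []
    for signin in sp_signins:
        issued, expires = parse_ts(signin["issued"]), parse_ts(signin["expires"])
        reasons = []
        # A forged token can carry any validity window the attacker chooses.
        if expires - issued > max_lifetime:
            reasons.append(f"lifetime {expires - issued} exceeds {max_lifetime}")
        # A genuine token has a matching issuance event on the IdP shortly before use.
        matched = any(ev["user"] == signin["user"]
                      and abs(parse_ts(ev["ts"]) - issued) <= skew
                      for ev in idp_events)
        if not matched:
            reasons.append("no IdP issuance event within skew window")
        if reasons:
            findings.append({"user": signin["user"], "issued": signin["issued"],
                             "reasons": reasons})
    return findings
```

The correlation only works if the IdP's token-issuance auditing is enabled and both log sources share a reliable clock, which is why the skew window is a parameter.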
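For the entitlement reviews described in best practice 4, here is an added example (not code from the original post) of the check a review would run over IAM policy documents: it flags wildcard grants, high-risk services exposed on all resources, and standing permissions that nothing exercised during the review window. The policies and the per-identity activity data are constructed samples; in practice the activity set would come from CloudTrail or similar access data.

```python
import fnmatch

# Constructed sample IAM policy documents (not from any real account).
POLICIES = {
    "DevOpsAdmin": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "BuildRole": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::build-artifacts/*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]},
}

# Constructed activity data: actions each identity actually used in the review window.
USED_ACTIONS = {
    "DevOpsAdmin": {"ec2:DescribeInstances", "s3:GetObject"},
    "BuildRole": {"s3:GetObject", "s3:PutObject"},
}

# Services where a broad grant amounts to control of the whole account.
HIGH_RISK_SERVICES = {"iam", "sts", "organizations"}


def as_list(value):
    return value if isinstance(value, list) else [value]


def review_policy(name, policy, used):
    """Return (identity, statement_index, action, reason) tuples for risky grants."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        for action in actions:
            service, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                level = "high" if action == "*" or service in HIGH_RISK_SERVICES else "medium"
                findings.append((name, idx, action, f"wildcard action, {level} risk"))
            elif "*" in resources and service in HIGH_RISK_SERVICES:
                findings.append((name, idx, action, "high-risk action on all resources"))
            # Standing grants nothing exercised are candidates for removal or just-in-time access.
            if not any(fnmatch.fnmatch(u, action) for u in used):
                findings.append((name, idx, action, "unused in review window"))
    return findings


def review_all(policies=POLICIES, used_actions=USED_ACTIONS):
    return [f for n, p in policies.items()
            for f in review_policy(n, p, used_actions.get(n, set()))]
```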

Consistency to Reduce Dangerous Cloud Security Cracks

Once a far-off “intergalactic computer network” dream, the cloud now powers our world and repositions the security perimeter around individual identities.

The SolarWinds attack reminds us that attackers are innovating in lockstep with defenders and turning to the cloud as a force multiplier. Staying ahead will require organizations to adopt an attacker mindset and find ways to make cyber criminals’ jobs as difficult as possible. This means limiting their movements and spotting signs of attack before compromised identities can become privileged and open paths to sensitive assets. A consistent approach to Identity Security rooted in privileged access management can help organizations maintain the visibility and control they need to defend their organizations.
