Or is it? This is what some analysts said after the Solorigate attack.
Why? Because one of the targets was Office 365 infrastructure and because one of the companies affected was Microsoft.
We are still to discover the entire fallout of Solorigate, but for me it is far from a reason to call cloud security “game over.”
SolarWinds attack explained
On December 13th, 2020, the announcement came – attackers had compromised many organizations through a trojanized update of the SolarWinds Orion platform, a supply chain attack.
The news put everyone on high alert. Security experts commented on how severe the situation was. Names of important companies and government institutions started to fly around as possible targets.
Big names, including Microsoft, were affected, and publicly announced it. Some “experts” claimed - the cloud was hacked, you are all vulnerable.
Weeks later, more details are still being revealed about the so-called “Solorigate” (Microsoft’s name for the campaign, sometimes misspelled “Solarigate”) and the backdoor planted in the Orion update, which FireEye named “Sunburst.”
In my more than 20 years of experience in the security area, it might be the most significant event that will impact how we think about security for years to come. It raises a set of questions that we all should answer:
Here’s my take, based on what is known at the moment, our experience as a company, and my humble, biased opinion and experience.
If you are interested in the technical steps to follow, scroll directly to the last section, but I hope you will go through the entire flow with me here.
Step #1 – DO NOT PANIC!
I will tell you a secret right now. It is an answer to one of the interview questions I ask during recruitment for our cyber-security team. The question is:
“What would you advise the customer to do first when they discover that they are under attack?”
It is the rule that comes before every other practice in the incident-response playbook.
First – let’s get the facts and what we know. If you have not followed Solorigate, it will bring you up to speed; if you have, skip this part, or use it as a refresher.
I have oversimplified the process, I know.
If you are interested in an in-depth analysis of the technical side of the attack, here are two sources to follow:
The difference between Solorigate and NotPetya? The latter aimed to be destructive, whereas the goal of the former was to stay undetected and extract information.
Step #2 – You are calm, now what?
What you should get out of the incident for yourself and your company:
The answer is simple – NO! Look, big organizations worldwide could not do it with all their skills and resources. Microsoft was hacked. All kinds of government agencies were hacked, major security providers were hacked!
Without specialized knowledge and resources, you could not do it now, and you will not be able to do it in the future. Period.
Anyone with advice such as: “You should analyze your supply chain to detect it in the future” should answer your single question:
“How can I practically do it with my resources, skills, and not being a cybersecurity company but doing my own business?”
Ask especially if they offer some magic software to detect threats like this in the future.
If you get the answers to such questions from either a vendor or consulting, please let me know in the comments.
If you can’t prevent it, then what?
These are the real questions you should ask yourself now.
My take – be prepared to react and contain it. If it has happened twice (counting NotPetya), it will happen again. When it does, you want to answer two questions:
How do you know if you are affected? You need to know your estate (what you are running, where, and in which version) and have a quick way to assess:
A good way to start is this:
Invest the most in these two elements:
Make fair use of tools you already have and track what’s new in them – make sure they are deployed, up to date, and you understand what you can get from them.
In the case of attacks like Solorigate, it is more about being prepared and moving than technical prevention against everything upfront.
First, let’s get the facts straight.
The Solorigate intrusion unfolded through the on-premises infrastructure. The cloud was reached from there: with administrative access to the on-premises servers, the attackers could extract the AD FS token-signing private key and use it to forge SAML tokens that the cloud service accepts as if AD FS had issued them (the technique known as Golden SAML). It might be a good reason for you to get rid of AD FS and reduce the complexity.
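A forged token has one tell: Azure AD records the sign-in as issued by AD FS, but no AD FS server ever logged issuing it. The script below is an added example of that correlation, written for this article; it is not code from the original post, from the author’s company, or from Microsoft. It assumes Azure AD sign-in log fields (userPrincipalName, createdDateTime, tokenIssuerType) and AD FS security-audit event 1200 (“The Federation Service issued a valid token”) exported with a UPN per event, which is an assumption: in real exports you derive the UPN from the UserId and claims fields. The sample log lines are constructed, and the five-minute matching window is a starting value, not a standard.

```python
"""Correlate Azure AD federated sign-ins with AD FS token-issuance audits.

A SAML token forged with a stolen AD FS token-signing key is accepted by
Azure AD and shows up in the sign-in log as issued by AD FS, yet no AD FS
node logged issuing it. So every federated sign-in should be preceded, within
a short window, by an AD FS audit event 1200 for the same user. Sign-ins with
no such event are candidates for a forged token and need investigation.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample data, not real tenant logs. Field names follow the Azure
# AD sign-in log and a simplified AD FS 1200 audit; the UPN on the AD FS side
# is an assumption (in real exports you derive it from UserId / claims).
# Timestamps are UTC.
AZURE_AD_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2020-12-14T09:00:30Z",
     "tokenIssuerType": "ADFederationServices", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2020-12-14T09:05:00Z",
     "tokenIssuerType": "ADFederationServices", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2020-12-14T09:10:00Z",
     "tokenIssuerType": "AzureAD", "ipAddress": "203.0.113.11"},
    {"userPrincipalName": "dave@example.com", "createdDateTime": "2020-12-14T09:20:00Z",
     "tokenIssuerType": "ADFederationServices", "ipAddress": "198.51.100.8"},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2020-12-14T11:00:00Z",
     "tokenIssuerType": "ADFederationServices", "ipAddress": "192.0.2.99"},
]

ADFS_EVENTS_1200 = [
    {"Server": "adfs01", "TimeCreated": "2020-12-14T09:00:05Z", "UPN": "alice@example.com"},
    {"Server": "adfs02", "TimeCreated": "2020-12-14T09:04:40Z", "UPN": "bob@example.com"},
    {"Server": "adfs01", "TimeCreated": "2020-12-14T09:10:00Z", "UPN": "dave@example.com"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used by both logs."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def index_issuance_events(events: List[dict]) -> Dict[str, List[datetime]]:
    """Group AD FS issuance times by user, merging events from every farm node."""
    by_user: Dict[str, List[datetime]] = {}
    for event in events:
        by_user.setdefault(event["UPN"].lower(), []).append(parse_ts(event["TimeCreated"]))
    return by_user


def find_unmatched_federated_signins(signins: List[dict], adfs_events: List[dict],
                                     window_minutes: int = 5) -> List[dict]:
    """Return federated sign-ins that no AD FS node logged issuing a token for.

    A sign-in matches if a 1200 event for the same user falls within
    `window_minutes` before it: a token is presented to Azure AD right after
    issuance, so a few minutes cover clock skew and log latency.
    """
    window = timedelta(minutes=window_minutes)
    issued = index_issuance_events(adfs_events)
    unmatched = []
    for signin in signins:
        if signin["tokenIssuerType"] != "ADFederationServices":
            continue  # issued by Azure AD itself (cloud-only users): out of scope here
        seen_at = parse_ts(signin["createdDateTime"])
        upn = signin["userPrincipalName"].lower()
        if any(seen_at - window <= t <= seen_at for t in issued.get(upn, [])):
            continue
        unmatched.append({
            "user": upn,
            "signin_time": signin["createdDateTime"],
            "ip": signin["ipAddress"],
            "reason": f"federated sign-in with no AD FS 1200 event in the {window_minutes} min before it",
        })
    return unmatched


if __name__ == "__main__":
    for hit in find_unmatched_federated_signins(AZURE_AD_SIGNINS, ADFS_EVENTS_1200):
        print(f"INVESTIGATE: {hit['user']} at {hit['signin_time']} from {hit['ip']}: {hit['reason']}")
```

With the sample data, dave’s sign-in (token logged ten minutes earlier) and alice’s second sign-in (no AD FS event at all) are flagged with the default window; widening it to fifteen minutes clears dave and leaves only alice. Two caveats before trusting the output on real data: AD FS must actually be auditing token issuance (the audit level in AD FS properties plus the Windows audit policy on each node), and the 1200 events must be collected from every node of the farm, otherwise a collection gap looks exactly like a forged token. The reverse is not a clean bill of health either: a user who also signed in legitimately within the window can mask a forged token, so treat this as a triage filter, not proof.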
Second, when Solorigate hit, the cloud service users got the fastest response.
What works to your advantage as a cloud user?
The cloud service provider has a stake in the game. They need to clear the incident and fix it to keep their customers (best benefit ever). They also have the skills and resources to know what is happening, analyze it and provide detection and remediation.
Plus, detection and remediation are the same for every environment. All Office 365 or Azure users use the same service. If there is something on the service side to be verified or changed – it is the same solution for everyone.
Think about it as the iPhone vs Android model. Instead of a myriad of versions and devices (Android) needing updates, iPhone users get the same update on all devices. Deployment and adoption are much higher for iPhone updates than for Android updates.
One thing is for sure – whoever did this has the skills and resources. They will do it again, and they will succeed, and it will be done in some new way, which will most likely go undetected.
When it is detected, cloud service users will get detection and response capabilities first because of:
In this game, my bet is on the cloud team!
That’s all nice, but what can you do PRACTICALLY now to handle the situation?
Now let’s put some meat on the bones as to what you can do to verify if you are affected, or to detect this attack in your network (or similar).
Here’s a quick list that might be applicable for you if you are a Microsoft stack user:
Please pass it on to your team. It is part of making use of what you already have.
If you don’t know how to do it or need advice, you know whom to call.
And it is not Ghostbusters!
No, really. If you need help, just get in touch.