The recent public disclosure regarding SolarWinds' software being leveraged by advanced attackers, as well as FireEye's disclosure of stolen red teaming tools, does not change the approach CrowdStrike guides enterprises to follow: Minimize the attack surface, detect and respond quickly, and mitigate an incident so it doesn't turn into a breach. What has changed is that identity-centric attacks have become an integral element of breaches, including the ones the industry saw this week.
Malicious actors now favor identity-centric attacks because using legitimate credentials is a generic method that is much harder to detect and carries a significantly lower operational cost than other types of attacks, such as zero-days and custom supply-chain attacks. Any compromised credential, whether it belongs to an ordinary employee, a privileged user or a service account, can be used to access resources. Thus, even a well-designed IT environment with appropriate role-based access controls can fall victim to the weakness of relying on credentials without real-time, contextual verification of identity. Residual trust among services and standing role-based access-control assignments leave resources exposed if identity is not verified in a meaningful way that goes beyond possession of a credential.
SolarWinds Sunburst: Real-Time Lateral Movement Detection and Prevention
The SolarWinds supply chain attack, while initiated via a trojanized software update, relied on lateral movement for its subsequent actions on objectives. Lateral movement using a valid credential was preferred, since it leaves a lighter footprint than dropping additional malware on each host the attackers reach. In fact, after gaining entry into the victim's network, the attackers rotated through multiple credentials to make the movement even harder to detect. Because lateral movement can happen very quickly, log review or post-incident analysis alone would have been too slow to alert a security analyst in time to contain the breach. Even though the threat actors gained their initial foothold through the malicious code, real-time inspection of authentication activity would have surfaced them as they attempted to navigate the network.
An identity-centric approach, as would be required to disrupt these recent attacks, combines real-time analysis of authentication traffic with machine learning (ML) analytics to quickly determine whether an identity attack is being attempted or is already in progress, and to respond to it. The same approach detects and stops other attacks that depend on lateral movement, including ransomware such as the recent Maze ransomware. Furthermore, since attacks, especially slow, multi-credential ones, are not always obviously malicious, a self-adapting policy mechanism is also required that automatically triggers risk-based conditional access, such as an additional verification step, to confirm the legitimacy of an authentication transaction in real time.
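The following is an added example of the kind of real-time authentication-traffic analysis described above; it is not CrowdStrike code and does not represent how Falcon Identity Protection works internally. It runs three rules over a constructed stream of logon-style events (time, account, source host, destination host, authentication package, all made up for illustration): an account authenticating from or to a host it has never been seen on in the baseline, one source host cycling through several distinct accounts inside a short window (the multi-credential pattern described above), and one source host fanning out to many destinations. The thresholds and the ten-minute window are assumptions to be tuned per environment.

```python
"""Sliding-window detection of credential-hopping lateral movement over
authentication events. Added example, not CrowdStrike code; the event
format, host names, accounts and thresholds are illustrative assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): (time, account, source host,
# destination host, auth package), loosely modelled on the fields a Windows
# logon / Kerberos ticket event exposes. BASELINE_EVENTS is known-good history.
BASELINE_EVENTS = [
    ("2020-12-13T08:00:00", "alice", "WS-ALICE", "FS01", "Kerberos"),
    ("2020-12-13T08:05:00", "bob", "WS-BOB", "FS01", "Kerberos"),
    ("2020-12-13T08:10:00", "svc-backup", "BKP01", "FS01", "Kerberos"),
    ("2020-12-13T09:00:00", "alice", "WS-ALICE", "MAIL01", "Kerberos"),
    ("2020-12-13T09:30:00", "svc-orion", "ORION01", "DC01", "Kerberos"),  # monitoring poll
]
LIVE_EVENTS = [
    ("2020-12-14T08:00:00", "alice", "WS-ALICE", "FS01", "Kerberos"),
    # A compromised monitoring host hops through several stolen credentials.
    ("2020-12-14T02:00:00", "svc-orion", "ORION01", "DC01", "NTLM"),
    ("2020-12-14T02:01:00", "bob", "ORION01", "FS01", "NTLM"),
    ("2020-12-14T02:02:00", "svc-backup", "ORION01", "MAIL01", "NTLM"),
    ("2020-12-14T02:04:00", "admin-dba", "ORION01", "SQL01", "Kerberos"),
]


def parse(event):
    ts, account, src, dst, package = event
    return datetime.fromisoformat(ts), account, src, dst, package


def build_baseline(events):
    """Record which (account, host) combinations are normal. Keyed both on
    where an account logs in FROM and where it logs in TO: a stolen credential
    replayed from a new source is usually the first sign of credential-hopping,
    even when the destination is one that account normally reaches."""
    baseline = {"from": set(), "to": set()}
    for _, account, src, dst, _ in map(parse, events):
        baseline["from"].add((account, src))
        baseline["to"].add((account, dst))
    return baseline


def detect(events, baseline, window=timedelta(minutes=10),
           max_accounts=3, max_targets=3):
    """Return alerts (dicts) in time order. Three rules:
    NOVEL_AUTH - account used from/to a host not in the baseline;
    MULTI_CRED - one source host uses >= max_accounts distinct accounts in `window`;
    FAN_OUT    - one source host reaches >= max_targets distinct hosts in `window`.
    Window and thresholds are illustrative assumptions; tune per environment."""
    alerts = []
    recent = defaultdict(deque)   # src host -> recent (ts, account, dst)
    fired = set()                 # (src, rule) pairs already raised once
    for ts, account, src, dst, package in sorted(map(parse, events)):
        reasons = []
        if (account, src) not in baseline["from"]:
            reasons.append("account never seen from %s" % src)
        if (account, dst) not in baseline["to"]:
            reasons.append("account never seen to %s" % dst)
        if reasons:
            alerts.append({"rule": "NOVEL_AUTH", "time": ts.isoformat(), "src": src,
                           "account": account, "dst": dst, "package": package,
                           "reasons": reasons})

        q = recent[src]
        q.append((ts, account, dst))
        while ts - q[0][0] > window:     # drop events that fell out of the window
            q.popleft()
        accounts = sorted({a for _, a, _ in q})
        targets = sorted({d for _, _, d in q})
        if len(accounts) >= max_accounts and (src, "MULTI_CRED") not in fired:
            fired.add((src, "MULTI_CRED"))
            alerts.append({"rule": "MULTI_CRED", "time": ts.isoformat(), "src": src,
                           "accounts": accounts})
        if len(targets) >= max_targets and (src, "FAN_OUT") not in fired:
            fired.add((src, "FAN_OUT"))
            alerts.append({"rule": "FAN_OUT", "time": ts.isoformat(), "src": src,
                           "targets": targets})
    return alerts


if __name__ == "__main__":
    for alert in detect(LIVE_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert)
```

Note that the second hop (bob from ORION01 to FS01) is a destination bob reaches every day, so a baseline keyed only on account-to-destination would stay silent; it is the unfamiliar source that gives it away, and by the third hop the per-source window fires the MULTI_CRED and FAN_OUT rules regardless of baseline. In a production pipeline the NOVEL_AUTH signal is what would feed a risk-based conditional access decision for that transaction, while MULTI_CRED on a server is a strong candidate for automatic containment.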
Detecting and Responding to Identity-specific Attack Tools
To ensure enterprises stay protected, CrowdStrike has updated relevant host names, IP addresses, URLs, binary hashes, registry keys, and other indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) to various databases, including tagging such binaries and command-and-control (C2) hostnames as malicious. Some of the tools stolen in the FireEye breach that should be detected, if used by a malicious actor, include:
- Active Directory reconnaissance and exploitation
- Credential dumping and stealing
- Kerberos abuse and Kerberos exploitation
- The specific open-source tools cited, including SharpHound, ADPassHunt and others
CrowdStrike® customers using the Falcon Identity Protection solutions are already protected from the recent attacks in three ways:
- Proactively protected by the ability to reduce the attack surface through better IT hygiene: visibility into protocol weaknesses (e.g., NTLM), identification of stale privileged accounts, mapping of all service accounts, and other exposures of the identity store
- Able to mitigate an attack in progress by detecting, in real time, identity-based attack vectors, including the lateral movement techniques used against victims of the SolarWinds breach
- Protected by an automated response to the use of identity-specific attack tools, including some of the attack testing tools that were stolen in the FireEye breach
In addition, CrowdStrike customers already have several capabilities to help defend against the recently disclosed SolarWinds incident:
- Use CrowdStrike Threat Graph® to identify affected hosts:
  - The new SolarWinds Vulnerability Dashboard identifies hosts with IOCs related to the SolarWinds vulnerability, including a look-back ability to see which devices have written the compromised files in the last 90 days.
  - The Indicator Graph allows customers to determine whether there has been evidence of affected files and hosts in the past year.
- Identify new incidents with specific ML detections:
  - Customers will see detections for IOCs related to the SolarWinds vulnerability on hosts with the Cloud ML detection option enabled.
These recent incidents highlight the value of an identity-centric approach to security. CrowdStrike recognizes that security is not always the core business of its customers, but that is why we make it our core business to help protect them.
Kudos to FireEye
I would like to acknowledge the information disclosure and transparency from FireEye. FireEye has provided significant information that organizations and defenders can use to protect themselves from the tools that were stolen; this information is available on the FireEye blog. We are all fighting the same adversaries, and FireEye should be applauded for the speed with which it released information about the cyberattack and shared countermeasures. For further information on the SolarWinds cyberattack, SolarWinds has published a security advisory on the incident with detailed recommendations related to the use of the SolarWinds Orion Platform.
Additional Resources
- Visit the CrowdStrike Falcon® Identity Protection solutions webpage.
- Request a demo of CrowdStrike Falcon Zero Trust or Falcon Identity Threat Detection products.
- Learn about CrowdStrike's comprehensive next-gen endpoint and cloud workload security platform by visiting the Falcon products webpage.
- Read expert insights and analysis on other complex threats: download the CrowdStrike 2020 Global Threat Report.
- Test CrowdStrike next-gen AV for yourself: