The world first learned of the SolarWinds supply chain attack in December 2020. By April 2021, U.S. intelligence agencies attributed the attack to an arm of Russian state intelligence known as SVR. The same agencies issued a joint advisory with NCSC (UK National Cyber Security Centre) citing a broader campaign by SVR actors to obtain credentials through vulnerabilities not involving SolarWinds products.

This advisory makes clear that SolarWinds was only one part of a broader campaign: environments with no SolarWinds products are not necessarily out of the woods. We should also expect to learn of additional initial access vectors as the investigation unfolds.

For security organizations and incident response teams, this event has revealed an urgent need for smarter sensors—ones capable of detecting novel attacks sooner—and has renewed attention on next-generation, cyber-resilient capabilities with digital identity as a key enabler.

New types of attack now require new types of sensors

There is growing recognition that new types of sensors are needed: sensors that do not rely on event-specific indicators of compromise (IOCs) such as virus signatures, file hashes, IP addresses and domain names. These IOCs are trailing indicators, available only after a compromise has been detected and analyzed by others, and by the time they are deployed an attack on a vulnerable environment may already be underway.

Novel attacks like SolarWinds are more likely to avoid detection for longer. Highly sophisticated threat actors are working methodically in large teams (according to Microsoft) with access to significant resources to develop better methods for evading defenses and hiding their tracks.

As shown in Figure 1, modern cyber defense guidance urges organizations to take command of the detect, respond and recover functions. This shift requires a conscious effort to invest in cyber-resilient capabilities, which often receive less investment and tend to be less mature.

Organizations should match the level of sophistication being directed at evasion with equally savvy capabilities to detect attacks sooner. This enables them to discover the earliest indications of an attack, quickly identify the compromised assets and formulate a cohesive response from the earliest point possible.

[Figure 1: Focus on resilient capabilities]

Identity as a smarter sensor

Identity and access management (IAM) is extremely well-suited to provide the next generation of smarter sensors. Because identity has unique visibility into the data used to establish trust, it 'owns' many of the administrative and runtime controls that define and enforce access policies (see Figure 2). These include:

  • Access baselines identifying who should have access to what.
  • A complete, historical accounting of how access was authorized and acquired over time.
  • Authoritative identity data for authenticating known users, devices and workloads.
  • Metadata for describing users and permissions that drives lifecycle automation.
  • Rules that govern the right-sized allocation of access and its business-appropriate use.

[Figure 2: Identity scope of control]

Many of the controls owned by IAM are implemented at points of access, including:

  • Access gateways, proxies and agents that enforce access control decisions.
  • Trust controls that evaluate context and risk associated with each authentication request.
  • Policy controls that evaluate context and risk associated with each authorization request.

IAM owns the controls that determine what 'good' access looks like throughout the environment, most importantly as it relates to critical infrastructure and privileged access. These controls include:

  • Account discovery processes to detect the creation of rogue accounts or the existence of accounts that become orphaned due to lifecycle changes.
  • "Drift" controls that detect and correct deviations from access baselines that may include illegitimate elevation of privileges.
  • Organizational, functional, policy or role-based methods to define the appropriate assignment of access.
  • Certification controls to improve ongoing business accountability related to appropriate access.
  • Just-in-time access controls to mitigate risk associated with standing privileged access.
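The first two controls in this list, account discovery and drift detection, amount to reconciling the current state of access against a last-known-good baseline and an ownership record. The following is an added example, not code from the original post: the baseline, the current entitlement export, the owner records and the active-user feed are all constructed inline, and the account and entitlement names are assumptions. It reports privilege elevation and silent removals separately, and flags privileged accounts whose owner is missing or has left.

```python
"""Access-baseline drift and orphaned privileged account reconciliation.

Added example, not code from the original post. The baseline, the current
entitlement export and the ownership records are constructed inline; account
names, entitlement names and the field layout are assumptions.
"""

# Entitlements treated as privileged (assumption: a typical AD tier-0/tier-1 set).
PRIVILEGED_ENTITLEMENTS = {"Domain Admins", "Server Operators", "Backup Operators"}

# Constructed last-known-good baseline: account -> approved entitlements.
BASELINE = {
    "svc-backup": {"Backup Operators"},
    "jdoe-adm": {"Domain Admins", "Server Operators"},
    "asmith-adm": {"Server Operators"},
}

# Constructed current export from the directory.
CURRENT = {
    "svc-backup": {"Backup Operators", "Domain Admins"},   # elevated since the baseline
    "jdoe-adm": {"Domain Admins", "Server Operators"},     # unchanged
    "asmith-adm": set(),                                   # entitlement removed (still drift)
    "tmp-adm": {"Domain Admins"},                          # created outside the baseline
}

# Constructed ownership records and the active-user feed (e.g. from HR).
OWNERS = {"svc-backup": "jdoe", "jdoe-adm": "jdoe", "asmith-adm": "asmith", "tmp-adm": None}
ACTIVE_USERS = {"jdoe"}   # asmith has left the organization


def detect_drift(baseline, current, privileged=PRIVILEGED_ENTITLEMENTS):
    """Return (account, kind, entitlements) for every deviation from the baseline.

    kinds: unbaselined_account  - present in the export but not in the baseline
           privilege_elevation  - privileged entitlement gained since the baseline
           entitlement_removed  - entitlement lost since the baseline (a silent
                                  removal is also a control failure worth review)
    """
    findings = []
    for account in sorted(set(baseline) | set(current)):
        after = current.get(account, set())
        if account not in baseline:
            findings.append((account, "unbaselined_account", frozenset(after)))
            continue
        before = baseline[account]
        gained = (after - before) & privileged
        lost = before - after
        if gained:
            findings.append((account, "privilege_elevation", frozenset(gained)))
        if lost:
            findings.append((account, "entitlement_removed", frozenset(lost)))
    return findings


def find_orphaned(current, owners, active_users):
    """Accounts in the export whose recorded owner is missing or no longer active."""
    return sorted(
        account for account in current
        if owners.get(account) is None or owners[account] not in active_users
    )


if __name__ == "__main__":
    for finding in detect_drift(BASELINE, CURRENT):
        print("DRIFT", *finding)
    print("ORPHANED", find_orphaned(CURRENT, OWNERS, ACTIVE_USERS))
```

Run as-is it prints three drift findings and two orphaned accounts. In practice the baseline is refreshed only after a certified review, so that the diff always measures distance from an approved state rather than from yesterday.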

Finally, IAM provides the insight needed to answer these key questions:

  • What is the last known good state of access throughout the environment?
  • What are the guardrails for normal activity?
  • How do we distinguish legitimate activity from illegitimate activity?

Identity threat indicators for detecting abuse of privileged access

The following table provides guidance for deriving threat indicators from existing identity intelligence that may be used to detect threats related to the abuse of privileged access.

PAM01: Compromised service account

  Indicator: Look for interactive log-on attempts using a non-interactive service account.

  Why important: Adversaries may obtain credentials for existing service accounts as a means of gaining initial access, persistence, privilege escalation or defense evasion. Such credentials may be used to bypass network access controls or to maintain access to externally accessible systems or services.

  Related MITRE ATT&CK® technique: T1078 Valid Accounts

  Implementation pre-requisites:
  • Service accounts are reserved for use by service principals.
  • Service accounts are granted only the "Log on as a service" user right through group policy (and, ideally, the "Deny log on locally" and "Deny log on through Remote Desktop Services" rights), so that an interactive attempt is both refused and logged as an anomaly.

  Data sources:
  • Authentication logs
  • Privileged/service account inventory

PAM02: Compromised orphaned (privileged) account

  Indicator: Look for use of privileged accounts that are missing delegates or owners.

  Why important: Privileged accounts become orphaned when their delegates leave or transfer within the organization, leaving the account without a delegate or owner. Adversaries may take over such accounts and exploit them for malicious use.

  Related MITRE ATT&CK® technique: T1078 Valid Accounts

  Implementation pre-requisites:
  • Maintain a record of privileged account delegates or owners and renew it whenever ownership changes.
  • Implement account discovery processes to detect orphaned accounts and flag them for additional review or treatment.

  Data sources:
  • Network activity logs, system access logs or Security Information and Event Management (SIEM) system
  • Privileged session manager
  • Privileged account inventory
  • Access governance system

PAM03: Compromised network-bound (privileged) account

  Indicator: Look for attempted use of privileged accounts outside of the isolated networks or zones to which they are restricted.

  Why important: Adversaries may obtain credentials for existing privileged accounts whose use is restricted to isolated networks or zones.

  Related MITRE ATT&CK® technique: T1599 Network Boundary Bridging

  Implementation pre-requisites:
  • Policies are in place to enforce network-bounded use of privileged accounts through access control lists (ACLs), virtual local area networks (VLANs) and other network access control points.

  Data sources:
  • Network activity logs, system access logs or SIEM system
  • Privileged session manager
  • Privileged account inventory

PAM04: Shadow privileged account creation

  Indicator: Discover shadow privileged accounts based on account permissions. (Shadow privileged accounts hold elevated privileges without being members of a privileged group.) Account permissions may combine direct assignments with indirect assignments acquired through deeply nested groups or inheritance.

  Why important: Adversaries may create a shadow privileged account by directly assigning permissions to that account through ACLs on Active Directory (AD) objects. Other methods for creating shadow privileges include acquiring permissions through indirect means (e.g., deeply nested groups or inheritance).

  Related MITRE ATT&CK® technique: T1136 Create Account

  Implementation pre-requisites:
  • Privileged permission management processes are in place to flag sensitive ACL assignments.
  • Implement a shadow privileged account discovery process that analyzes both ACL and group assignments.

  Data sources:
  • Privileged account inventory
  • Account discovery (or reconciliation) tool
  • Directory or permission management system

PAM05: Circumvention of access governance mechanisms for privileged accounts

  Indicator: Look for creation of privileged accounts that lack evidence of approval.

  Why important: Adversaries may obtain sufficient access to provision rogue privileged accounts, circumventing any access governance mechanisms in place to ensure auditability and accountability for all privileged account creations.

  Related MITRE ATT&CK® technique: T1136 Create Account

  Implementation pre-requisites:
  • Maintain an inventory of all privileged accounts.
  • Maintain an audit trail of all approvals for privileged account creation requests.
  • Implement an account discovery process to detect privileged accounts created outside of centrally approved administration processes.

  Data sources:
  • Privileged account inventory
  • Access request or access governance system

PAM06: Privileged credential leaked from password vault

  Indicators:
  • Look for use of privileged credentials without evidence of a matching vault checkout.
  • Look for vault checkouts logged without a valid business reason or change/incident ticket.
  • Look for activity indicating file reads of, or searches for, privileged accounts or credentials kept in a vault or other password store.

  Why important: Adversaries may obtain privileged credentials from a compromised vault or other password store. Once obtained, the credentials may be used for lateral movement or to execute tasks reserved for privileged users.

  Related MITRE ATT&CK® technique: T1555 Credentials from Password Stores

  Implementation pre-requisites:
  • Inventory of vaulted accounts, used for activity correlation.
  • Monitor vault checkout events.
  • Ability to confirm the legitimacy of the change/incident ticket connected to each use of a privileged account.

  Data sources:
  • Authentication logs
  • Network activity logs, system access logs or SIEM system
  • Credential vault
  • Privileged account inventory
  • Incident management system

PAM07: Circumvention of credential rotation mechanism

  Indicators:
  • Look for vaulted credentials whose rotation is overdue relative to the interval promised by corporate policy.
  • Look for modifications to configurations related to credential rotation.

  Why important: Adversaries may obtain privileged credentials and circumvent or disable the mechanisms that force rotation within the promised interval, extending the credential's malicious usefulness.

  Related MITRE ATT&CK® technique: T1556 Modify Authentication Process

  Implementation pre-requisites:
  • Implement risk-based credential management policies that require periodic rotation of privileged credentials within pre-defined intervals.
  • Monitor Privileged Access Management (PAM) system configurations and module paths for configuration changes related to credential rotation.

  Data sources:
  • Privileged access management system
  • Credential vault
  • Password change logs

PAM08: Privilege management server access

  Indicators:
  • Look for remote access to privilege management servers or their administrative interfaces.
  • Look for suspicious authentication events or activity connected to privilege management servers or administrative interfaces.

  Why important: Adversaries may obtain access to a privilege management server or administrative interface to create or manipulate elevated privileges or privilege assignments.

  Related MITRE ATT&CK® techniques: T1068 Exploitation for Privilege Escalation; the manipulation of privilege assignments itself also maps to T1098 Account Manipulation.

  Implementation pre-requisites:
  • Monitor access to privilege management servers and administrative interfaces.
  • Flag privilege management tasks that require finer levels of monitoring and reporting.

  Data sources:
  • Network activity logs, system access logs or SIEM system
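Two of the indicators above, PAM01 (interactive log-on by a service account) and PAM06 (use of a vaulted credential without a matching checkout), reduce to correlation over authentication and vault logs. The following is an added example, not code from the original post, that runs both checks over constructed records. The field names follow Windows Security event 4624 and its logon type codes; the hostnames, account names, the eight-hour checkout window and the shape of the vault checkout record are assumptions.

```python
"""Identity-log correlation for PAM01 (interactive log-on by a service account)
and PAM06 (privileged credential use without a matching vault checkout).

Added example, not code from the original post. All records below are
constructed; field names mimic Windows Security event 4624 and a generic
vault checkout record. Hostnames, accounts and the checkout window are assumptions.
"""
from datetime import datetime, timedelta

# Windows 4624 logon types that imply a person at a console or RDP session.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # Interactive, RemoteInteractive, CachedInteractive
CHECKOUT_WINDOW = timedelta(hours=8)    # assumed maximum vault lease from policy

# Constructed inventories (the service/privileged account inventories in the table).
SERVICE_ACCOUNTS = {"svc-sqlagent", "svc-backup"}
VAULTED_ACCOUNTS = {"da-jdoe", "svc-backup"}

# Constructed successful-logon events (event 4624). Failed attempts (4625)
# carry the same logon type field and can be fed through the same filter.
AUTH_EVENTS = [
    {"ts": "2021-04-20T02:10:00", "event_id": 4624, "logon_type": 5,  "account": "svc-sqlagent", "host": "SQL01"},
    {"ts": "2021-04-20T02:15:00", "event_id": 4624, "logon_type": 10, "account": "svc-sqlagent", "host": "WS-044"},
    {"ts": "2021-04-20T04:00:00", "event_id": 4624, "logon_type": 3,  "account": "svc-backup",   "host": "BKP01"},
    {"ts": "2021-04-20T09:00:00", "event_id": 4624, "logon_type": 10, "account": "da-jdoe",      "host": "DC01"},
    {"ts": "2021-04-20T23:30:00", "event_id": 4624, "logon_type": 3,  "account": "da-jdoe",      "host": "FS02"},
]

# Constructed vault checkout records.
VAULT_CHECKOUTS = [
    {"ts": "2021-04-20T08:45:00", "account": "da-jdoe", "ticket": "CHG0012345"},
    {"ts": "2021-04-20T22:00:00", "account": "da-jdoe", "ticket": ""},   # no justification recorded
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def interactive_service_logons(events, service_accounts):
    """PAM01: a service account should never appear with an interactive logon type."""
    return [e for e in events
            if e["event_id"] == 4624
            and e["account"] in service_accounts
            and e["logon_type"] in INTERACTIVE_LOGON_TYPES]


def uncovered_privileged_logons(events, checkouts, vaulted, window=CHECKOUT_WINDOW):
    """PAM06: every use of a vaulted account needs a checkout no older than `window`.

    Returns (account, host, timestamp, reason) with reason 'no_checkout' or
    'checkout_without_ticket'.
    """
    by_account = {}
    for c in checkouts:
        by_account.setdefault(c["account"], []).append(c)

    findings = []
    for e in events:
        if e["event_id"] != 4624 or e["account"] not in vaulted:
            continue
        used_at = _t(e["ts"])
        match = None
        for c in by_account.get(e["account"], []):
            issued_at = _t(c["ts"])
            if issued_at <= used_at <= issued_at + window:   # checkout still live at use time
                match = c
                break
        if match is None:
            findings.append((e["account"], e["host"], e["ts"], "no_checkout"))
        elif not match["ticket"]:
            findings.append((e["account"], e["host"], e["ts"], "checkout_without_ticket"))
    return findings


if __name__ == "__main__":
    for e in interactive_service_logons(AUTH_EVENTS, SERVICE_ACCOUNTS):
        print("PAM01", e["account"], "interactive logon on", e["host"], "at", e["ts"])
    for f in uncovered_privileged_logons(AUTH_EVENTS, VAULT_CHECKOUTS, VAULTED_ACCOUNTS):
        print("PAM06", *f)
```

On the constructed data the PAM01 check flags the RDP session by svc-sqlagent, and the PAM06 check flags the svc-backup logon with no checkout at all and the late da-jdoe logon whose checkout carried no ticket. The checkout window should come from the vault's own lease policy; a window longer than the real lease silently whitelists stale checkouts.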
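PAM04 depends on computing effective privilege rather than reading privileged group membership alone. The following is an added example, not code from the original post, of a discovery pass that expands nested groups (tolerating membership cycles), resolves ACE trustees to accounts, and reports any account holding a sensitive right on a sensitive object without being a transitive member of a privileged group. The group, account, right and object names are constructed; an ACE is simplified to (trustee, right, object) and ACE inheritance is deliberately not modelled.

```python
"""Shadow privileged account discovery (PAM04): effective privilege from nested
groups and direct ACL grants, not just privileged group membership.

Added example, not code from the original post. Group membership and ACEs are
constructed inline in a simplified form (an ACE is a trustee, a right and the
object it applies to; ACE inheritance is not modelled). Group, account, right
and object names are assumptions.
"""
from collections import defaultdict

# Groups whose (transitive) members are legitimately privileged.
PRIVILEGED_GROUPS = {"Domain Admins"}

# Rights that give control equivalent to group membership when held on a
# sensitive object (assumption: a common subset of AD standard/extended rights).
SENSITIVE_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "DS-Replication-Get-Changes-All"}
SENSITIVE_OBJECTS = {"CN=Domain Admins,CN=Users,DC=corp", "DC=corp"}

# Constructed group membership: group -> members (accounts or other groups).
GROUP_MEMBERS = {
    "Domain Admins": {"jdoe-adm", "Tier0-Ops"},
    "Tier0-Ops": {"Infra-Leads"},
    "Infra-Leads": {"bwong", "Tier0-Ops"},      # membership cycle: must not recurse forever
    "Helpdesk": {"carol"},
}

# Constructed ACEs on directory objects: (trustee, right, object DN).
ACL_GRANTS = [
    ("Helpdesk", "GenericAll", "OU=Workstations,DC=corp"),           # ordinary delegation
    ("mallory", "WriteDacl", "CN=Domain Admins,CN=Users,DC=corp"),   # direct grant on the DA group
    ("Helpdesk", "DS-Replication-Get-Changes-All", "DC=corp"),       # replication right via a group
    ("bwong", "GenericAll", "DC=corp"),                              # held by a nested DA: legitimate
]


def expand_group(group, members, _seen=None):
    """Transitively resolve a group to accounts, tolerating nested membership cycles."""
    seen = {group} if _seen is None else _seen
    accounts = set()
    for member in members.get(group, ()):
        if member in members:               # nested group
            if member not in seen:
                seen.add(member)
                accounts |= expand_group(member, members, seen)
        else:
            accounts.add(member)
    return accounts


def resolve_trustee(trustee, members):
    """An ACE trustee may itself be a group; resolve it to accounts."""
    return expand_group(trustee, members) if trustee in members else {trustee}


def find_shadow_admins(members, grants,
                       privileged_groups=PRIVILEGED_GROUPS,
                       sensitive_rights=SENSITIVE_RIGHTS,
                       sensitive_objects=SENSITIVE_OBJECTS):
    """Return (legitimate_admins, {shadow_account: reasons}).

    A shadow admin holds a sensitive right on a sensitive object but is not a
    transitive member of any privileged group, so a membership-only review misses it.
    """
    legitimate = set()
    for group in privileged_groups:
        legitimate |= expand_group(group, members)

    shadow = defaultdict(set)
    for trustee, right, obj in grants:
        if right not in sensitive_rights or obj not in sensitive_objects:
            continue
        for account in resolve_trustee(trustee, members) - legitimate:
            shadow[account].add(f"{right} on {obj} (via {trustee})")
    return legitimate, dict(shadow)


if __name__ == "__main__":
    admins, shadow = find_shadow_admins(GROUP_MEMBERS, ACL_GRANTS)
    print("legitimate admins:", sorted(admins))
    for account, reasons in sorted(shadow.items()):
        print("SHADOW", account, sorted(reasons))
```

On the constructed data, bwong is a Domain Admin only through two levels of nesting (and a cycle), so the GenericAll grant held by bwong is reported as legitimate, while mallory (direct WriteDacl on the Domain Admins group) and carol (replication right inherited from the Helpdesk group's ACE) surface as shadow admins. Feeding the output into the access baseline turns the one-off discovery into the drift control described earlier.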

 

The SolarWinds attack is a singular, perhaps once-in-a-generation, cyber event that reveals the monumental challenge of defending organizations against ever-evolving threats and increasingly sophisticated adversaries. It should be viewed by security teams and business leaders alike as another opportunity to elevate the discussion on cyber preparedness and resiliency and to motivate organizational action.

As members of the security community, we should continue to track the SolarWinds attack, which remains an active threat, and work together to develop and promote the next-generation IAM capabilities essential to future threat responses.

For more information, please visit www.accenture.com/digitalidentity.

Special thanks to my Digital Identity colleagues, Sunil Patel, Peter Wiebe, Sebouh Arakelian, Amaar Malik, Pavel Nikolaev and Damon McDougald for their collaboration and contribution to this blog post.

 

 


Copyright © 2021 Accenture. All rights reserved.

Joshua Lee

Senior Manager – Accenture Security, Digital Identity Strategist
