By Alan Platt, COO and Co-founder, CyberHive. 25 January 2021.

Much information has already been published about the highly sophisticated “SolarWinds” cyberattack that was uncovered in December 2020. Attackers managed to access highly secure infrastructure at 18,000 SolarWinds customers, including US government departments, by exploiting a weak link: they compromised the supply chain!

In essence, the attackers didn’t attempt to break through US government cyber defences head on; instead, they compromised a company that supplies server administration tools to a wide variety of companies – SolarWinds. The server administrators at the US government then unwittingly deployed malware onto their own servers when they applied a routine software update for their SolarWinds software.

This type of “supply chain” attack is an increasingly common way to gain access to otherwise highly secure infrastructure, and it exploits weaknesses that are notoriously hard to protect. The exact mechanics of how the attackers used this malware to infiltrate the secure infrastructure are not the subject of this article – that information has been widely reported elsewhere. What is less frequently spoken about is how to defend against this and other highly complex and difficult-to-detect attack vectors.

Traditional cyber defences rely on a wide range of techniques to detect cyber-attacks. Virtually every organisation has an array of tools at its disposal; however, many of these suffer from the same underlying problems. Firstly, and most significantly, they fail to adequately address the root cause of more than 90% of data breaches – human error. Secondly, they typically rely on spotting bad patterns of behaviour or code. This can be like trying to spot a needle in a haystack. Set the sensitivity of your defences high enough and you will be forever handling false positives. Desensitise your triggers too much and attacks will get through. Furthermore, sophisticated attacks such as this one inevitably go under the radar for a long time. Nobody has seen this type of attack before, so we don’t know to look for it. And sadly, someone has to be the first victim. For this reason, data breaches can go unnoticed for long periods – an average of more than 6 months according to some researchers.

UK company CyberHive recognised that this was very much an unsolved problem and went about creating an alternative way of detecting cyber-attacks that does not suffer from the same issues. Instead of looking for bad behaviour, CyberHive looks at “known good” behaviour. It uses a patented technique, ‘hardware backed distributed whitelisting’, to detect unauthorised changes to servers: anything outside the known-good state triggers an alert. A properly configured system can detect any change to software, configuration, even user information. Furthermore, this approach does not suffer from false positives, so sensitivity can always be turned up to maximum to detect even the smallest change.

So how could this have been used to stop the SolarWinds attack?

The first, and best, way to have stopped the attack would have been to stop it at its source, i.e., SolarWinds. If we assume that the SolarWinds update servers were the target of an attack, then as soon as the attackers modified the SolarWinds update package, CyberHive Trusted Cloud could have detected that the file was no longer the same as the authorised version from the developers and flagged to SolarWinds that their update server had been hacked. This would have prevented the attack before it even started. The modified update packages on the SolarWinds servers would have been detected in seconds and flagged to an independent security team who could take action to prevent the attack spreading.

Assuming that Trusted Cloud was not implemented at SolarWinds, its use would not have stopped end users downloading the SolarWinds software update, since at that point it was a trusted piece of software that could run across the organisation's infrastructure. No anomalies would be flagged against a pre-defined whitelist on the company's servers since the update was authorised.

So, would this mean the attackers would have succeeded? No! When the piece of malware embedded in the SolarWinds software update was remotely activated by the suspected Russian hacking group, the first thing it did was download a secondary payload (more malware!) to the servers to commence the attack. Trusted Cloud would have immediately detected this unauthorised payload, allowing the administrators to investigate.

Even if the attackers had successfully gained access to the servers running SolarWinds without detection, there are still many other places where CyberHive could have stopped the attack. The attackers' aim was to use the initial foothold on the compromised servers to gain off-premise access to cloud resources. The hackers used the malware installed on the servers to harvest credentials and move through the internal network slowly and carefully from server to server, gaining increasingly secure and damaging footholds. Trusted Cloud could have immediately detected the changes made to these servers, either as malware was downloaded or as the attackers made minor configuration changes to secure their footholds. Again, this would have flagged early on that an attack was underway and given the security team enough information to find and stop it.
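The known-good approach described in the paragraphs above (a baseline of authorised files, an alert on any departure from it, whether a tampered update package on the vendor's server, a dropped second-stage payload, or a small configuration edit during lateral movement) reduces to a file-integrity check against a stored manifest. The Go program below is an added illustration written for this article, not CyberHive's code and not how Trusted Cloud is implemented: it hashes every file under a directory, compares the result with a baseline, and reports added, modified and removed paths. The directory contents, file names and the "tampering" are constructed for the demo; `Demo`, `snapshot` and the path-to-hash manifest format are this example's own choices.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps each regular file (slash-separated path relative to root) to the SHA-256 hex of its contents.
type Manifest map[string]string

// BuildManifest hashes every regular file under root; a real deployment would sign and store the result off-host.
func BuildManifest(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		rel, _ := filepath.Rel(root, p) // p is always under root here
		m[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return m, err
}

// Drift lists every departure from the baseline, sorted for stable output.
type Drift struct {
	Added, Modified, Removed []string
}

// Compare diffs current against baseline: a changed hash is a modification however small the
// edit; a path only in current is new (e.g. a dropped second-stage payload); only in baseline, removed.
func Compare(baseline, current Manifest) Drift {
	var d Drift
	for p, h := range current {
		if old, ok := baseline[p]; !ok {
			d.Added = append(d.Added, p)
		} else if old != h {
			d.Modified = append(d.Modified, p)
		}
	}
	for p := range baseline {
		if _, ok := current[p]; !ok {
			d.Removed = append(d.Removed, p)
		}
	}
	sort.Strings(d.Added)
	sort.Strings(d.Modified)
	sort.Strings(d.Removed)
	return d
}

// snapshot writes files (slash-separated relative path -> contents) under root, then returns the tree's manifest.
func snapshot(root string, files map[string]string) (Manifest, error) {
	for rel, body := range files {
		full := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return nil, err
		}
		if err := os.WriteFile(full, []byte(body), 0o644); err != nil {
			return nil, err
		}
	}
	return BuildManifest(root)
}

// Demo fills root with a constructed tree (not real SolarWinds files), records its baseline, then simulates
// tampering (one byte appended to the "update package", a new payload dropped beside it) and returns the drift.
func Demo(root string) (Drift, error) {
	baseline, err := snapshot(root, map[string]string{
		"bin/update.pkg":  "authorised update package v1",
		"etc/service.cfg": "listen=127.0.0.1\n",
	})
	if err != nil {
		return Drift{}, err
	}
	current, err := snapshot(root, map[string]string{
		"bin/update.pkg": "authorised update package v1!",
		"bin/stage2.so":  "constructed second-stage payload",
	})
	return Compare(baseline, current), err
}

func main() {
	root, err := os.MkdirTemp("", "known-good-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	d, err := Demo(root)
	fmt.Printf("added=%v modified=%v removed=%v err=%v\n", d.Added, d.Modified, d.Removed, err)
}
```

Run with `go run .` to see the two constructed changes reported while the untouched `etc/service.cfg` stays silent. In practice the baseline would be taken from a clean build, signed, and held off the monitored host (the "hardware backed" part of the page's technique); this example keeps it in memory so that it runs offline.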

The other significant protection that CyberHive could have added is our advanced ‘Gatekeeper’ access protection service. This software, built on Trusted Cloud, was initially developed for parts of the UK government and provides unparalleled security for accessing critical systems.

NSA guidance hinted that the attackers' ultimate goal in the SolarWinds attack was to generate forged SAML (Security Assertion Markup Language) authentication tokens, allowing access to cloud resources. Gatekeeper could have made this virtually impossible. Gatekeeper provides an ultra-secure Cloud Access Security Broker to restrict access to sensitive data. Any user access to sensitive data requires not only accurate credentials and multi-factor authentication, but also an authorised and secured device to be used to access the data. The device authentication makes use of advanced cryptography, linked to the specific hardware device. It is virtually impossible to forge authentication tokens on any system protected by Gatekeeper. Private keys are stored in hardware inside the TPM chip, making it impossible to extract them from the device, even if the device has been infected with malware. Furthermore, the servers used in implementing the Gatekeeper service are themselves fully protected against attack using Trusted Cloud and will immediately detect any attempted attack.
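The device-bound part of the Gatekeeper description (credentials and MFA are necessary but not sufficient; the request must also come from an enrolled device whose private key lives in hardware) is a challenge-response over a key the server never holds. The Go program below is an added example, not CyberHive's Gatekeeper code: a broker enrols each device's public key, issues a single-use nonce, and grants access only when the nonce comes back signed under the enrolled key. The TPM is simulated by a software-generated P-256 key that the `Device` type never exports; `Broker`, `Authorise`, the error values and the device names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models an endpoint whose signing key is bound to its hardware: priv is never exported,
// like a TPM-resident key. (Assumption: generated in software here; a real deployment would use the TPM.)
type Device struct {
	ID   string
	priv *ecdsa.PrivateKey
}

// NewDevice provisions a fresh P-256 key; callers must check err before using the device.
func NewDevice(id string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{ID: id, priv: priv}, err
}

// Public is the only key material the device ever hands over, at enrolment.
func (d *Device) Public() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign answers a broker challenge. Only the signature leaves the device.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Broker is a minimal access broker: enrolled device public keys plus outstanding challenges and their device.
type Broker struct {
	enrolled map[string]*ecdsa.PublicKey
	pending  map[string]string // hex(nonce) -> device ID
}

func NewBroker() *Broker { return &Broker{enrolled: map[string]*ecdsa.PublicKey{}, pending: map[string]string{}} }

// Enrol registers a device's public key under its ID (an administrative, out-of-band step).
func (b *Broker) Enrol(id string, pub *ecdsa.PublicKey) { b.enrolled[id] = pub }

// Challenge issues a random single-use nonce bound to the claimed device ID.
func (b *Broker) Challenge(id string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	b.pending[hex.EncodeToString(nonce)] = id
	return nonce, nil
}

var (
	ErrCredentials    = errors.New("password or MFA check failed")
	ErrUnknownDevice  = errors.New("device not enrolled")
	ErrStaleChallenge = errors.New("challenge unknown, already used, or issued to another device")
	ErrBadSignature   = errors.New("signature does not verify under the enrolled device key")
)

// Authorise grants access only when the user's credentials passed (credentialsOK is the outcome of the
// password+MFA step, assumed done elsewhere) AND the claimed device proves possession of its enrolled
// key by signing the nonce. A stolen password alone, or a token forged without that key, fails here.
func (b *Broker) Authorise(id string, credentialsOK bool, nonce, sig []byte) error {
	if !credentialsOK {
		return ErrCredentials
	}
	pub, ok := b.enrolled[id]
	if !ok {
		return ErrUnknownDevice
	}
	key := hex.EncodeToString(nonce)
	if b.pending[key] != id {
		return ErrStaleChallenge
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return ErrBadSignature
	}
	delete(b.pending, key) // single use: a captured response cannot be replayed
	return nil
}

func main() {
	b := NewBroker()
	laptop, _ := NewDevice("laptop-A")
	rogue, _ := NewDevice("rogue") // has the user's password but not the enrolled key
	b.Enrol(laptop.ID, laptop.Public())
	nonce, _ := b.Challenge(laptop.ID)
	sig, _ := laptop.Sign(nonce)
	fmt.Println("enrolled device:", b.Authorise(laptop.ID, true, nonce, sig))
	fmt.Println("replayed response:", b.Authorise(laptop.ID, true, nonce, sig))
	nonce, _ = b.Challenge(laptop.ID)
	forged, _ := rogue.Sign(nonce)
	fmt.Println("right password, wrong hardware:", b.Authorise(laptop.ID, true, nonce, forged))
}
```

The point the run makes: a caller with the user's password and a valid nonce but without the device's key gets `ErrBadSignature`, and a captured response is refused on replay. Binding the nonce to the claimed device ID also stops a response issued to one device being presented for another, and because the broker holds only public keys, compromising the broker does not yield anything that can sign.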

Finally, any cloud infrastructure is inherently complex, requiring expertise to ensure that basic security protections are in place. Setting up new systems is prone to human error, and a single mistake by a system administrator or DevOps engineer could leave a weakness in the infrastructure waiting to be discovered. There is a myriad of tools provided by Microsoft, and many 3rd parties, to help ensure that security configurations have been set up correctly. These have been updated further following learnings from the SolarWinds hack. Penetration testing specialists can also test an organisation's IT infrastructure for vulnerabilities; however, both of these techniques are only able to pick up known issues and vulnerabilities. This is the same problem that any conventional anti-malware software such as Microsoft Defender suffers from. They can only detect known attacks and vulnerabilities, or attacks that follow a similar pattern to previously investigated occurrences. Attackers are creating new methods of attack on a regular basis and we are in an arms race! Furthermore, any live system can be susceptible to “drift” as the configuration and software change over time, so the initial security of a service may be compromised at any point without detection. Trusted Cloud works on the assumption that no matter how good your security, weaknesses still exist. We can detect instantly if any unauthorised changes have been made, no matter how small. If an attacker develops an entirely new and innovative way of breaking through your defences, or even if a system administrator makes a simple mistake and leaves a hole in your security, Trusted Cloud will instantly detect if this is exploited, preventing an attacker from doing any damage.

Of course, no software solution can offer complete protection, and CyberHive Trusted Cloud is no exception. While the Trusted Cloud concept could clearly have been capable of detecting the SolarWinds attack and stopping it in its tracks, Trusted Cloud is unfortunately not yet available for Windows, only Linux, which limits what it could do today. However, the concepts we use are equally applicable to Windows – it’s just a matter of engineering time to make the move. Despite this seemingly large limitation, this method of attack, compromising a part of the IT supply chain rather than attacking the end user directly, is going to become increasingly common, and is just as applicable to Linux as it is to Windows. Many 3rd-party pieces of software are already in use on Linux, for example WordPress websites and associated plugins, well-known e-Commerce solutions such as Magento, and many other business applications and services.

Protecting against vulnerabilities introduced by 3rd-party software and updates is a critical and largely unaddressed problem that Trusted Cloud can solve. And with most of the internet-facing services across a vast range of organisations running on Linux, can your organisation afford not to take this technology seriously?

For more information and enquiries, visit: https://cyberhive.com

Or contact [email protected]