First Lesson From The Solarwinds Attack – Secure Your Cryptographic Keys

By Yehuda Lindell, Unbound

The meticulously executed attack on SolarWinds last year was a devastating blow to confidence in corporate and government security in the U.S. that has exposed the vulnerability of organisations to conventionally-secured cryptographic keys.

The attack by the entity known as Cozy Bear, led to the penetration of 18,000 of the country’s private networks and government agencies. An official SolarWinds filing with the Securities and Exchange Commission on December 21 2020 estimated that Defense Department, the Department of Homeland Security and the National Nuclear Security Administration were among the government agencies affected.

The attack was so serious the full panoply of national security organizations including the Federal Bureau of Investigation (FBI), and National Security Agency (NSA) swiftly collaborated to launch a full-scale investigation.

What, though, can enterprises immediately learn from what was a classic supply chain attack on a massive scale? This is where one organization is targeted by cyber criminals or state-sponsored groups to gain access to the data or resources of customers’ or partners.

We can start by examining the modus operandi of Cozy Bear. It seems they injected malicious code into SolarWinds’ Orion software, which is a platform for IT infrastructure monitoring and management. The attackers then used it to distribute malware named SUNBURST on updates between March and May 2020. The National Security Agency’s statements also imply there was a breach in the security of token-based authentications in the Orion system.

Despite Orion being a diagnostic tool, the attack remained undetected for more than 10 months. How did that happen?  Firstly, we must remember that March 2020 was when Covid-19 first erupted across Europe and America, causing massive disruption as the tech industry shifted to remote working.

Secondly, the attack’s meticulous planning included code signed by SolarWinds itself, lending the malware an air of legitimacy. Attackers also used temporary file replacement techniques to establish legitimate remote access. Instead of attacking government agencies directly, they targeted FireEye and Microsoft to steal tools and code that would then enable them to compromise their targets from the inside. Microsoft then discovered its own security products were used to attack others, potentially including all customers of the initial 18,000 organizations breached.

The need to secure the cryptographic keys through multi-party computation

Although it is almost impossible to prevent highly resourced, nation-sponsored attacks, organizations are far from powerless. Above all else, the SolarWinds attack highlights the need to protect the cryptographic keys used for code signing – both from theft and from misuse. Organizations must adopt a defense-in-depth approach, securing their systems by avoiding single points of failure throughout their critical infrastructure – particularly when it comes to signing code.

Cryptographic keys need to be protected with careful audit and control at all times. A survey of current technologies reveals the only certain way to achieve is through MPC (Multi-Party Computation) which eliminates single points of failure in management operations and runtime transactions. This is an innovative enterprise-level application of a proven technology developed since the 1980s.

MPC enables the use of cryptographic keys without ever having them in a single place. It is possible to split the secret key into two or more pieces and place them on different servers and devices. Because all the pieces are required in order to get any information about the key, but are never assembled, hackers have to breach all the servers and devices. Strong separation between these devices (e.g., different administrator credentials, environments, and so on), provides a very high level of key protection that would have made life much harder for Cozy Bear.

MPC technology imposes rules so that only legitimate requests to sign sensitive code are enabled. It can, for example, require that only code scanned by malware detection tools is signed or that a request is authorized by relevant persons and so on.

Protection of token-based authentication

An advanced MPC system also helps protect against malicious attacks on an organization’s token-based authentication systems. These attacks compromise the private key that may be used to sign SAML (Security Assertion Markup Language) tokens. Once compromised, the private key is used to forge trusted authentication tokens which may grant access to cloud or other resources.

This is why any enterprise using token-based authentication based on technologies such as SAML, OCID, OAuth, FIDO, or WebAuthn must, in light of the SolarWinds attack, ensure that the private keys used to sign authentication tokens are properly secured against compromise and misuse.

Ringfence the security of cloud cryptography administration

The NSA has also warned organizations to look out for scenarios where attackers gain access to administrative rights so they can add malicious certificate trust to cloud tenants. This again underscores the importance of securing administrative credentials relating to cloud cryptography.

MPC-based solutions lock down these credentials in a virtualized hardware security module so human admins do not perform any cryptography related setup directly on the target cloud environment. This is similar to the well-accepted approach used for secure PAM (privileged account management).

Act now before another attack

The centrality of cryptographic keys to cyber security makes their protection the most urgent priority. The need to deploy MPC technology is the single most obvious lesson from the SolarWinds attack. As if to reinforce the need for action, the London-based email management and security company Mimecast announced on January 12 this year that attackers had compromised a certificate used to authenticate some of its services to Microsoft 365 Exchange.

The full consequences of that attack have yet to unravel, but it has now become a matter of urgency for organizations to learn the lessons of the SolarWinds event. A serious approach to security demands implementation of code signing, lock-down of the cryptographic keys used for authentication and elimination of single points of failure related to key management and prevention of misuse. MPC technology is the only certain way of achieving these immediate requirements. After that, however, organizations also need to acquire effective detection and build it into their deeper, more innovative and effective defenses.