Long ago, Microsoft admitted that the “game is over if an attacker has landed inside your Active Directory” (“Mitigating Pass-the-Hash and Other Credential Theft”, version 2) with the following statement:
“Assuming breach requires a shift in mindset from prevention alone to containment after breach”
This means that from that moment on, no security software will help you. With this statement the Microsoft team accepted that 0-day vulnerabilities and exploits will continue to appear in the future. What lessons may security architects and experts learn from the Sunburst/SolarWinds case? The statement could probably be expanded to a wider scope:
“Assuming an ongoing breach, executed at an unidentified point in the past, requires a shift in mindset from prevention to continuous containment”.
What if the breach has already happened but we don’t know about it yet? Cyber-security vendors are now starting to offer solutions that include a new paradigm:
- Breach Prediction and Threat Intelligence that monitors threat actors on the dark net, along with the vulnerabilities and tactics they are going to use. This makes it possible to identify potential targets and the weaknesses that will be exploited.
- Breach Detection and Response with security controls that continue to perform even in the containment phase (i.e. when the “game is over”). Make malware/RAT/APT operators move in the wrong direction and take the “wrong” things, while leaving more Indicators of Compromise and evidence in the IT infrastructure.
Sunburst/SolarWinds and One-Time-Password MFA bypass
The Sunburst attack demonstrated that once the malware was activated inside the network it was possible to bypass Duo Multi-Factor Authentication, since by design the secret key used by the OTP generator must be saved on both the server and the client. By intercepting data flows and stealing credentials inside the network, the malware can retrieve this key and generate OTP codes just like the authenticated user. MFA threat modeling usually doesn’t include a complete system compromise of a terminal server, mail server or domain controller in Active Directory. The level of access the malware achieved was enough to bypass any defense.
Sunburst/SolarWinds security controls, time and place identification
Most malware now checks the target system to detect whether security controls are installed, and avoids activation if it is too dangerous. Malware may also stay dormant for a longer time without activation. Malware exploits the identification of cyber-security vendors to automate “persistence”, since today’s information security controls are by design quite predictable, template-based technologies, policies and tactics. In the Sunburst/SolarWinds hack, the malware (Trojans and APT tooling) delivered to each target used the following techniques to assess the risk of being exposed:
- Whether malware analysis tools (such as a debugger) are present in memory
- Whether the current host is in a specific location, judged by IP address
- Whether a virtual environment or sandbox is used
- Whether specific registry keys and files are present or absent on the host
Strategies for protecting against two-factor authentication vulnerabilities
In theory, two-factor authentication, like any other software, may have unknown vulnerabilities. Sometimes weaknesses appear only in a specific 2FA/MFA configuration or in the configuration of an interdependent system (for example Windows Active Directory, a cloud push service, an SMS service provider, or the hardware used). Usually this happens when attackers go beyond the assumptions of the software engineers, architects or system designers. Malware creators often think outside the box and review a much wider scope in their misuse-case modeling. Depending on the results of your threat modeling (where may the breach happen?) and risk analysis (what might the hackers come for?), one of the following strategies may be added to your security policy.
Redundancy and multi-layer security:
- User Behavior Analysis and Monitoring solutions may be used as an additional security control during the after-the-breach stage;
- Configuration file monitoring tools;
- Use a third-party Security Operations Center service to monitor critical servers.
Another strategy for the after-the-breach stage is “security through obscurity”:
- Home-made configurations and tools: network honeypots, host-based honeypots (for example filesystem objects), pre-fabricated documents, databases and networks;
- Malware analysis tools installed on the host (such as debuggers);
- Choosing small vendors and less well-known alternatives for 2FA software (for example Rohos Logon Key, or a less known alternative to the LastPass password manager).
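The decoy idea from the “Breach Detection and Response” bullet (let operators take the “wrong” things and leave indicators) and the host-based honeypot item above, as an added example that is not part of the original post: decoy accounts are planted in a pre-fabricated document, and a scanner flags any authentication event that uses them. The account names, log lines and event formats are constructed for the example.

```python
import re
from dataclasses import dataclass

# Decoy accounts planted in a pre-fabricated "passwords.txt" document and a
# fake service config. Hypothetical names; they are never granted real access.
HONEYTOKEN_ACCOUNTS = {
    "svc_backup_admin": "decoy in C:\\IT\\passwords.txt",
    "sql_readonly": "decoy in fake app.config",
}
# Constructed sample log lines: Windows logon events and OpenSSH auth lines.
SAMPLE_LOGS = [
    "2021-01-05T02:14:07Z WIN-DC01 EventID=4625 TargetUserName=svc_backup_admin IpAddress=10.0.5.17",
    "2021-01-05T02:14:09Z WIN-DC01 EventID=4624 TargetUserName=jsmith IpAddress=10.0.5.17",
    "Jan  5 02:15:31 app01 sshd[2231]: Failed password for sql_readonly from 10.0.5.17 port 51022 ssh2",
    "Jan  5 02:16:02 app01 sshd[2240]: Accepted publickey for deploy from 10.0.9.3 port 50110 ssh2",
]

@dataclass(frozen=True)
class Alert:
    account: str
    source_ip: str
    planted_in: str
    raw: str

# One pattern for Windows security events, one for OpenSSH auth lines.
WIN_RE = re.compile(r"EventID=(?:4624|4625|4648)\s+TargetUserName=(\S+)\s+IpAddress=(\S+)")
SSH_RE = re.compile(r"sshd\[\d+\]: (?:Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+)")

def scan_for_honeytokens(lines, decoys=HONEYTOKEN_ACCOUNTS):
    """Return an Alert for every authentication event that touches a decoy
    account. Failures count as much as successes: the token must never be
    used at all, so any use is a high-fidelity indicator of an intruder."""
    alerts = []
    for line in lines:
        m = WIN_RE.search(line) or SSH_RE.search(line)
        if m and m.group(1) in decoys:
            alerts.append(Alert(m.group(1), m.group(2), decoys[m.group(1)], line))
    return alerts

def attacker_sources(alerts):
    """Collapse alerts to the sorted set of source IPs that touched a decoy:
    these are the hosts to contain and investigate first."""
    return sorted({a.source_ip for a in alerts})

if __name__ == "__main__":
    found = scan_for_honeytokens(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT decoy {a.account} ({a.planted_in}) used from {a.source_ip}")
    print("contain:", attacker_sources(found))
```

Because the decoy accounts have no legitimate use, the alert needs no baseline or tuning, which is what makes it useful after a breach that bypassed the primary controls.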
A question to put to your team: how would you design or harden your facilities if you knew the Invisible Man could appear in any room, at any time, to take something?