SolarWinds shows why we need to move beyond passwords
Mission-critical assets need MFA that goes deeper than the usual what you know, what you have and what you are, with the emphasis on the what you are
The precise details of the SolarWinds attack aren't fully known but what's already clear is the significant impact being felt across organisations. From large enterprises to federal agencies and even well-respected cyber security firms, the compromise of the Orion development environment could turn out to be one of the hacks of the decade.
In many ways, the SolarWinds attack was extremely sophisticated. By injecting malware into a trusted SolarWinds software update, the attackers were able to penetrate networks at scale for many months before being detected. Once inside, it appears the attackers were able to forge identity tokens to gain onward access into better secured areas, including the cloud environments, of some of the target organisations.
In other ways, it seems like the attack may have been enabled by some old school practices, like using a static default password.
Using an easy-to-remember password to secure a disposable online account or some other non-sensitive service can perhaps be forgiven. After all, your online media account is unlikely to become a target, because it is hard to monetise that kind of hack at scale. Having one generic password for a software update server shared across different client installations is quite another matter, especially for an update server that supports thousands of high-security organisations, including the US departments of Defense and Homeland Security. We can't be sure that the password used to gain access to the Orion update server really was ‘SolarWinds123’, but we sincerely hope it wasn't.
Even if the update server was secured more thoroughly than ‘SolarWinds123’, it still appears that usernames and passwords were part of the problem. At the time of writing, SolarWinds' CEO Sudhakar Ramakrishna has just confirmed that its Office 365 environment was breached in order to gain access to employee email accounts and, subsequently, to the Orion development environment.
Ramakrishna said in a blog: "We've confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles."
He continued: "By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment."
Even though this attack was highly sophisticated with attackers covering their tracks by deleting programs after use and choosing file names that made their activity seem like legitimate use, it was probably all enabled by a credentials attack.
At Post-Quantum, our company works on two problems. The first is developing open source algorithms for quantum-safe public key encryption - we want to protect data from the future threat of quantum computing attacks against encryption.
But even with adequate encryption, IT systems remain vulnerable, because bad actors target user credentials to gain ‘legitimate’ access. If the point of entry is compromised, the entire platform is compromised, no matter how secure the infrastructure, and this appears to be what happened in the SolarWinds example.
So our second area of focus is replacing passwords with biometrics. Widely cited industry estimates put stolen credentials at the root of around 80 per cent of hacking-related breaches today, and even with 2FA a breached Office 365 email account may still have allowed an attacker to gain entry. Adding a second factor is no longer enough: authentication needs to be tied to the individual rather than to a shared secret such as a password or PIN, which can be handed over or stolen.
Biometric identification, provided the check includes liveness detection so that a photo or recording cannot stand in for the person, is the only way to be sure that the person is who they say they are, and not someone who has been lent credentials or an attacker who has managed to compromise your email account.
Biometrics used to be complex, expensive and tied to the secure enclave in the device, which meant the authentication happened locally, with no opportunity for independent corroborative checking. That trust is gone if your phone is compromised or stolen, since a sophisticated attacker who controls the device can potentially enrol their own fingerprint or face to replace or bypass what is stored in the secure enclave. These problems can now be addressed by running the biometric check from the cloud, hosted by a trusted third party, so that the user can choose to log in from any device they want; the trade-off is that the central template store then becomes the asset that must be protected.
Imagine if engineers at SolarWinds had been challenged to pass a facial scan and a voice check before they could access Orion, or if biometric login had been required for all the firm's employees to access its Microsoft 365 environment. Whilst we cannot be sure without knowing the exact details, there is a strong possibility this attack would not have been possible. SolarWinds is yet another powerful example of why it is time to move beyond static and transferable credentials for authentication and non-repudiation.
In mission-critical and "cannot fail" deployments such as defence, critical national infrastructure or banking platforms, we recommend going further still.
Normal MFA is about what you know (password), what you have (device) and what you are (biometrics). Mission-critical organisations should go one level deeper on the "what you are" factor by requiring multi-biometric checks at the point of entry. If a user has to provide face, voice, iris and haptics to gain entry, a bad actor will most likely move on to lower-hanging fruit.
Segregation of duties is another key control that current IAM does not really provide, beyond basic software-defined access rights for operators and supervisors, which a nation-state actor will be able to bypass. A cryptographically enforced ‘multi-party approval’ would probably have helped in the SolarWinds case. In this scenario, a critical software update could not have been initiated unless a quorum of supervisors had given permission for it to be released, and no single account, however thoroughly compromised, could release it alone.
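To make the quorum idea concrete, here is an added example (written for this page, not Post-Quantum's or Nomidio's code) of a k-of-n release gate: the release-signing key is split with Shamir secret sharing over a prime field, each supervisor holds one share, and the update manifest can only be signed once at least k shares have been presented. The manifest line, the supervisor numbering and the use of an HMAC as the release tag are assumptions made for the illustration; a production system would use a public-key signature and hardware-protected shares, but the threshold logic is the same.

```python
"""Quorum-gated release signing: a k-of-n multi-party approval built on
Shamir secret sharing over a prime field. Standard library only."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Field prime: the secp256k1 base-field prime, used here only because it is a
# well-known 256-bit prime. Any prime larger than the secret would do.
P = 2**256 - 2**32 - 977


def split_secret(secret: int, threshold: int, shares: int) -> List[Tuple[int, int]]:
    """Split `secret` into `shares` points on a random polynomial of degree
    threshold-1. Any `threshold` points reconstruct it; fewer reveal nothing."""
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):          # x = 0 is the secret itself, never issued
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of the polynomial mod P
            y = (y * x + c) % P
        points.append((x, y))
    return points


def recover_secret(points: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def release_tag(key: int, manifest: bytes) -> str:
    """Tag a manifest with the full key (assumption: HMAC stands in for a signature)."""
    return hmac.new(key.to_bytes(32, "big"), manifest, hashlib.sha256).hexdigest()


class ReleaseGate:
    """Collects supervisor approvals (their shares) and signs only at quorum.
    No single party ever holds the whole signing key."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self._approvals: Dict[int, int] = {}   # supervisor id (x) -> share (y)

    def approve(self, supervisor_id: int, share: int) -> None:
        self._approvals[supervisor_id] = share

    def quorum_reached(self) -> bool:
        return len(self._approvals) >= self.threshold

    def sign_manifest(self, manifest: bytes) -> str:
        if not self.quorum_reached():
            raise PermissionError(
                f"{len(self._approvals)}/{self.threshold} approvals; release blocked")
        key = recover_secret(list(self._approvals.items()))
        return release_tag(key, manifest)


def demo() -> bool:
    """3-of-5 walk-through on a constructed manifest; returns True if the gate
    blocked the under-quorum attempt and the quorum tag verifies."""
    signing_key = secrets.randbelow(P)
    shares = split_secret(signing_key, threshold=3, shares=5)
    # Constructed manifest line; not a real product artefact.
    manifest = b"product=example-agent version=1.2.3 sha256=0000000000000000\n"
    gate = ReleaseGate(threshold=3)
    gate.approve(*shares[0])                 # supervisor 1 approves
    gate.approve(*shares[3])                 # supervisor 4 approves
    try:
        gate.sign_manifest(manifest)         # only two approvals: must fail
        blocked = False
    except PermissionError:
        blocked = True
    gate.approve(*shares[4])                 # supervisor 5 approves: quorum
    tag = gate.sign_manifest(manifest)
    return blocked and hmac.compare_digest(tag, release_tag(signing_key, manifest))


if __name__ == "__main__":
    print("quorum gate behaved correctly:", demo())
```

The point to notice is that a compromised supervisor account contributes one share and nothing more; the attacker still has to subvert k-1 further people, and the arithmetic, not a policy setting in an IAM console, is what enforces that.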
There will be many more examples of serious attacks based on compromised credentials because static shared secrets aren't fit for purpose. Fortunately, there are now options for removing our reliance on passwords, all that's needed is cultural buy-in from security and business leaders.
Andersen Cheng is CEO at Post-Quantum and Nomidio