What do you do when the solution becomes the problem?
As part of our Understanding the Threat series, we had intended to take a deeper dive into some of the cascading failures that led to the largest data breaches in history. Breaches such as Starwood, Equifax, and Adobe were not singular failures but rather the result of multiple, sometimes many smaller failures. However, given the week’s news, we think it is more relevant to discuss this week’s headlines. That is because this week saw the disclosure of breaches of the U.S. Treasury and Commerce departments and the alarming notion that a hack of IT management and monitoring software provider SolarWinds facilitated these breaches.
The persistent idea that a perimeter is enough security to protect your most sensitive data, or a nation’s, is just mind-boggling. Would you leave all your money on the kitchen table just because you have locks on your doors? Perhaps this is the wake-up call the world needed; perhaps not. Either way, it is important to understand what happened in order to reduce the risk of it happening to you. In this case, the very tools and defenses used to monitor and protect these networks were weaponized against them.
While the exact details are still cloudy, it appears that between March and June of this year, roughly 18,000 customers downloaded the “trojanized” version of the SolarWinds Orion platform. In this case, the state actors added malicious code to a SolarWinds dynamic-link library (DLL) that was installed as part of the compromised upgrade. When the upgrade was installed, it executed the malicious code, causing the altered DLL to communicate with the hackers’ command-and-control infrastructure, which in turn delivered payloads of additional code written by the hackers, along with commands to run within the now-exploited environments.
According to Microsoft, here is what happens:
- While updating the SolarWinds application, the embedded backdoor code loads before the legitimate code executes.
- Organizations are misled into believing that no malicious activity has occurred and that the program or application dependent on the libraries is behaving as expected.
- This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials.
- Once inside the victim’s network, the threat actors elevate privileges to a global admin account or gain access to the victim’s trusted SAML token signing certificate.
- This allows them to impersonate any account or user on the network, including highly privileged accounts.
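The last two steps above are the part a defender can watch for: a token minted with a stolen signing certificate never passes through the identity provider, so the IdP’s own sign-in log has no record of it, and such tokens are often issued with unusually long lifetimes. The following Python is an added illustration of that correlation check, not code from Microsoft, SolarWinds or Covax Data. The log records, field names, account names, addresses and policy thresholds are all constructed for the example; a real deployment would read the equivalent events from its IdP and service-provider logs.

```python
"""
Constructed example: flag SAML tokens accepted by a service provider (SP)
that have no matching sign-in at the identity provider (IdP), or whose
lifetime exceeds policy. Tokens forged with a stolen signing certificate
are minted outside the IdP, so they leave no IdP authentication event.
"""
from datetime import datetime, timedelta

# --- Constructed sample events (not real logs) ---------------------------
# Each IdP event records a genuine interactive authentication.
IDP_AUTH_EVENTS = [
    {"user": "alice@example.test", "time": "2020-12-14T09:00:05"},
    {"user": "bob@example.test", "time": "2020-12-14T09:05:40"},
]

# Each SP event records a SAML token being presented and accepted.
SP_TOKEN_EVENTS = [
    {"user": "alice@example.test", "issued": "2020-12-14T09:00:06",
     "expires": "2020-12-14T10:00:06", "src_ip": "10.0.5.12"},
    {"user": "bob@example.test", "issued": "2020-12-14T09:05:41",
     "expires": "2020-12-14T10:05:41", "src_ip": "10.0.5.30"},
    # Constructed anomaly: no IdP sign-in exists for this token and it is
    # valid for a week. This is the shape a forged token would take.
    {"user": "globaladmin@example.test", "issued": "2020-12-14T03:12:00",
     "expires": "2020-12-21T03:12:00", "src_ip": "203.0.113.77"},
]

# Assumed policy values for the example.
PRIVILEGED_ACCOUNTS = {"globaladmin@example.test"}
MAX_TOKEN_LIFETIME = timedelta(hours=1)
CORRELATION_WINDOW = timedelta(seconds=30)


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def has_matching_idp_logon(token: dict, idp_events: list) -> bool:
    """True if the IdP authenticated this user shortly before the token was issued."""
    issued = parse(token["issued"])
    for ev in idp_events:
        if ev["user"] != token["user"]:
            continue
        delta = issued - parse(ev["time"])
        if timedelta(0) <= delta <= CORRELATION_WINDOW:
            return True
    return False


def token_lifetime(token: dict) -> timedelta:
    return parse(token["expires"]) - parse(token["issued"])


def find_suspicious_tokens(sp_events: list, idp_events: list) -> list:
    """Return one finding per token that fails the correlation or lifetime check."""
    findings = []
    for tok in sp_events:
        reasons = []
        if not has_matching_idp_logon(tok, idp_events):
            reasons.append("no IdP sign-in within correlation window")
        lifetime = token_lifetime(tok)
        if lifetime > MAX_TOKEN_LIFETIME:
            reasons.append(f"lifetime {lifetime} exceeds policy")
        # A failed check on a privileged account deserves a higher severity.
        if reasons and tok["user"] in PRIVILEGED_ACCOUNTS:
            reasons.append("privileged account")
        if reasons:
            findings.append({"user": tok["user"], "src_ip": tok["src_ip"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_tokens(SP_TOKEN_EVENTS, IDP_AUTH_EVENTS):
        print(finding)
```

Run as-is, the script reports only the constructed global-admin token, with all three reasons. The correlation window and lifetime limit are assumptions; tune them to the IdP’s actual token settings, since a window that is too tight produces false positives for legitimate federated sign-ins.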
What does all this mean? In the case of the U.S. Treasury and Commerce departments (so far) and many other private industry companies, it means their “trusted solution” became their threat vector, providing state actors unfettered access to their deepest secrets. More importantly, the SolarWinds exploit exposes the brutal and uncomfortable truth that even trusted IT solutions may be suspect and could expose your most critical and valuable data. But what if there was a way to know something was not quite right? What if this “new” exploited global admin jumped off the screen at the real global admins? And even if all those warnings went unnoticed, what if those bad actors were still unable to get to your data? To some, it seems too good to be true. To Covax Data customers, it sounds like Polymer.
With Polymer, AI-driven user behavior analytics (“UBA”) very likely would have blocked access to critical data, and the chain of custody would have alerted administrators to the attempts. Even if the state actors could fool the UBA, they would have been unable to circumvent the chain of custody and alerts. Additionally, any data that the hackers stole would have come out in the form of data molecules – making it useless outside of the native ecosystem. Simply put, Polymer protects the data – the actual data.
Let us be clear about this: we are not advocating against the security stack or the perimeter-and-gatekeeper concept. What we are advocating is the understanding that those solutions by themselves are not enough. Not only can those very solutions be used against you, but they also do little to protect against the threat from within your organization. It is time to be smarter with your critical data assets and to protect against the full threat spectrum. Polymer owns the Data Layer of the Cyber Security stack and can provide the security you have been looking for.
Unless we have another week like we just had, in the next post, we will return to looking at some of the largest breaches in history – Equifax, Starwood, and Adobe, to name a few – and now the U.S. Government. The intent will be to discuss the failures that led to those breaches, what can and should be done about them, and how Covax Polymer alleviates many of these failures.
Originally Posted On: December 16, 2020