“Attackers Were Inside SolarWinds in January 2019” said CEO Sudhakar Ramakrishna in May 2021. The attackers were in eight months longer than previously believed. SolarWinds’ original timeline put the first signs of infiltration at about September 2019. More recently based on analysis of hundreds of terabytes of data as it pertains to its build systems, the company mentioned that reconnaissance activity started in January 2019.

As an industry, we are not in an enviable situation.

We are currently in an asymmetric warfare against the cyber attackers. Attackers can make repeated attempts, they have no penalty of failure since most of them operate from countries/regions where we don’t have jurisdiction oversight/control. In a nutshell, “we have to be right all the time.. they have to be right only once”.

SRI and Accuknox’s Tech Partnership

As a part of SRI and Accuknox’s tech partnership and investment with Phil Porras, Program Director and Internet Security Group Leader, Computer Science Lab at SRI International, Phil achieved world fame for his seminal research in IDS (Intrusion Detection Service) and pioneering work combating the Conficker worm, which affected over 15 million users in 100+ countries. Phil was a co-author of BLADE, a collaboration between SRI and Georgia Tech researchers designed to prevent drive-by download malware attacks. So, if anyone knows a thing or two about detecting and preventing large-scale attacks, it had to be Phil. Given SolarWinds, a number of Federal Agencies have accelerated their move towards Zero Trust.

Detection of Solar Winds Attack

We conferred with Phil on this subject to discuss how AccuKnox’ ZeroTrust platform could have detected SolarWinds attack and could have reduced the “blast radius”. Phil had some insightful comments that we feel compelled to share with you.

• AccuKnox is based on a modular software architecture that minimizes the use of system privileges, as well as the complexity and size of privileged code modules that are deployed within the client hosts. Privileges are used for sensor telemetry collection and policy controls, and AccuKnox separates all processing, management, and analysis outside this privilege boundary.
• Discretionary access controls are used to isolate the unprivileged modules, and the entire network management backplane is fully authenticated and end-to-end encrypted. The Anomaly Detection and Data Security privileged modules represent less than 5% of code-base, undergoes strict security inspections and software management practices, and are not dynamically modified during minor-revision system updates. The remaining 95% operate with Discretionary Access Control (DAC)-isolated user privilege with no access to client data or services, minimizing the exposure and lateral risks to the client during product operation.
• An equally important aspect of AccuKnox is our commitment to OpenSource. The peer review and the hardening process that is a part of the OpenSource discipline results in Software Quality that is orders of magnitude better than “proprietary software”. This is well elaborated in the article “SolarWinds, the World’s Biggest Security Failure and Open Source’s Better Answer” [4].
• From the SolarWinds blog “Visibility becomes particularly problematic when using an orchestration tool like Docker Swarm or Kubernetes to manage connections between different containers because it can be difficult to tell what is happening.”. The SolarWinds attack demonstrates the dire need for fine-grained application runtime monitoring, threat and anomaly detection, live data-flow governance, and policy enforcement.
• Unfortunately, container runtime security technologies that can monitor and enforce application and data-flow policies in containerized ecosystems are in their nascency and simply do not scale. The SolarWinds attack spotlights the need to enforce the perspective that the “breach has already occurred,” despite the best efforts of image inspection and vulnerability assessment, and that fine-grained container runtime control is a necessity in order to maintain one’s security posture.

Summary

In summary, SolarWinds Windows lateral movement could have been prevented by AccuKnox’ Identity based Kubernetes Security. It would have been detected AccuKnox’ AI-based Anomaly Detection engine. The least privilege principles of KubeArmor & Cilium minimizes attack surface and makes lateral movement very difficult. AccuKnox Data Security module allows organizations to identify unauthorized access to sensitive sources.

Immense thanks to Phil for his contributions to this blog.

Reference

1. Data Breach Today, May 2021

2. FedScoop, Jan 2021

3. NIST — Zero Trust Architecture, Aug 2020

4. SolarWinds, the World’s Biggest Security Failure and Open Source’s Better Answer, The New Stack, Dec 2020

Now you can protect your workloads in minutes using AccuKnox, it is available to protect your Kubernetes and other cloud workloads using Kernel Native Primitives such as AppArmor, SELinux, and eBPF.

Let us know if you are seeking additional guidance in planning your cloud security program.