  • Posted by Jeremy Hess

  • December 28, 2020

It’s All About Secrets Management: Preventing a SolarWinds Hack in 2021

Cybersecurity supply chain attacks can be devastating for governments, companies, and even individuals looking to keep their data secure. We recently discovered how chilling this type of attack can be after SolarWinds was hacked and, as a result, about 18,000 organizations were compromised, causing billions, if not trillions, of dollars of damage.

The bad news is that nobody is 100 percent safe. The good news is that there is technology that can defend against an assault like this using 3 layers.

Before we get into the tech, we need to understand how the hack works.

What is a cybersecurity supply chain attack?

Simply put, a supply chain attack is carried out by bad actors (also called an “advanced persistent threat”) finding and hacking the weakest security point in the network in order to gain access into the larger ecosystem of applications which hold more important private information.

Because there is such a variety of technologies and tools from various companies used within a technology supply chain, it is extremely difficult to protect every attack vector within an organization.

In the case of SolarWinds, there were multiple attacks, which, if properly secured with the right technology, would have been stopped before they started.

So what did the hackers do exactly?

How SolarWinds was hacked and how it could have been stopped

According to the various reports, there were two main offensives: The first was a brute force attack on a server protected by only a simple password. The second was a stolen encryption key used to bypass multi-factor authentication.

Attack #1: SolarWinds Orion

In the first attack, the hackers gained access to a server used for customer updates by guessing the weak password. They then managed to find a specific file, alter it, and have it sent back to over 18,000 customers (who use SolarWinds Orion) as an update with the malicious code that allowed them to exfiltrate data from all those customer servers.

Attack #2: Duo Multi-Factor Authentication

In a second attack, noted in this ArsTechnica article, the hackers gained access to a specific secret (called an “akey”) which enabled them to create authorized tokens that bypassed the Duo multi-factor authentication system and helped them gain access to email inboxes.

Now that we know more about the methods used to gain access to the system, we can dive into the security measures that could defend against them.

Preventing these hacks with Secrets Management

When thinking about the SolarWinds attack, we can see how there are some basic, as well as advanced, tactics that can be used to thwart such attacks. The real prevention is powered by good secrets management tools and practices.

A secrets management system enables you to store, protect, rotate, and dynamically create credentials, certificates, and encryption keys.

A mature secrets management platform would support several use cases, including managing static or dynamic credentials, certificate automation, encryption and digital signing, as well as zero-trust application access that secures remote access to internal resources.

Here are 3 main features of secrets management that could have directly prevented this hack from happening:

Password Rotation

Passwords are sometimes a trivial issue for hackers, but if you are an enterprise, there are some basic practices that would make this a much more difficult task for hackers to complete. The first is the use of password rotation that would enforce strict rules on password complexity. It would also have the capability to rotate secrets (such as passwords or other credentials) according to policies. Moreover, dynamic secrets, which are temporary, on-demand credentials that provide just-in-time access, would be an even better option, as they expire after a given period of time.

Code Signing

Once they penetrated the system, the hackers were able to access the files within. Assuming they got into the system and managed to manipulate a file within the system, there is another layer of security that can be enforced - code signing.

With code signing, a script or executable file must be digitally verified. This occurs with the help of cryptographic technology that is proven and accepted. If the file isn’t signed and authorized, it will be rejected by the system and not executed. This could have rendered the Orion hack useless as customers of SolarWinds wouldn’t have installed the update if not verified.

Some secrets management systems include capabilities of storing encryption keys and using them for digital signing functions, by using SDKs for multiple languages.
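The check described above, as an added Go example (not SolarWinds or Akeyless code): an installer that accepts an update only if its Ed25519 signature verifies against a pinned vendor public key. The function names, the key type and the package bytes are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when an update fails signature verification.
var ErrBadSignature = errors.New("update rejected: signature does not verify")

// SignUpdate runs on the vendor's signing host, which holds the private key.
func SignUpdate(priv ed25519.PrivateKey, pkg []byte) []byte {
	return ed25519.Sign(priv, pkg)
}

// InstallUpdate runs on the customer side. It trusts only the pinned vendor
// public key and refuses any package whose signature is missing or invalid.
func InstallUpdate(vendorPub ed25519.PublicKey, pkg, sig []byte) error {
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(vendorPub, pkg, sig) {
		return ErrBadSignature
	}
	// A real installer would unpack and execute the package here.
	return nil
}

// Demo returns the installer's verdict for a genuine, a tampered and an
// unsigned package. All package contents are constructed sample data.
func Demo() (genuine, tampered, unsigned error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed sample update v1.2.3")
	sig := SignUpdate(priv, pkg)

	// Simulates a file altered on the update server after it was signed.
	altered := append([]byte("injected code;"), pkg...)

	return InstallUpdate(pub, pkg, sig),
		InstallUpdate(pub, altered, sig),
		InstallUpdate(pub, pkg, nil)
}

func main() { fmt.Println(Demo()) }
```

The check only detects changes made after signing, so the signing key has to be kept off the update server, for instance in a secrets management system.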

Next-gen Encryption Key Management

The final piece of the puzzle, which might be the most important one, is the Duo encryption key that was stolen. That the encryption key was located on the server is a problem in itself, as it should have been behind a secrets management platform. However, if the proper technology had been applied here, the hackers would not have been able to complete their task nearly as easily.

What does that mean? Using our patented Distributed Fragments Cryptography (DFC), there are multiple fragments of a single encryption key that are each created independently and stored in different locations. In other words, your encryption keys never exist as a whole. Instead, they are created as fragments on different regions and cloud providers and never combined, not even during the encryption/signing process itself. To make sure that you are the exclusive owner of your keys, one of the fragments is also created on your side, and cannot even be accessed by us, the vendor.

Therefore, if this type of technology had been implemented, the attacker might have found a local fragment of a key, but would never have known where to find the other pieces.
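How a signature can be produced from key fragments that are never joined, shown with a generic additive split of an RSA private exponent; this is an added illustration, not Akeyless's DFC algorithm or code. Assumptions: textbook RSA without padding, two fragments, and a demo dealer that splits an existing key, which a real deployment would replace with independent fragment generation.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// SplitKey returns fragments with d1 + d2 = d (mod phi); each one alone is
// a uniformly random number. Demo-only dealer (assumption, see lead-in).
func SplitKey(priv *rsa.PrivateKey) (*big.Int, *big.Int) {
	phi := new(big.Int).Sub(priv.Primes[0], big.NewInt(1))
	phi.Mul(phi, new(big.Int).Sub(priv.Primes[1], big.NewInt(1)))
	d1, err := rand.Int(rand.Reader, phi)
	if err != nil {
		panic(err)
	}
	d2 := new(big.Int).Sub(priv.D, d1)
	return d1, d2.Mod(d2, phi)
}

// PartialSign runs where one fragment is stored and returns m^frag mod N.
func PartialSign(frag, m, n *big.Int) *big.Int {
	return new(big.Int).Exp(m, frag, n)
}

// Verify multiplies the partial results and checks (s1*s2)^e mod N == m.
func Verify(pub *rsa.PublicKey, m, s1, s2 *big.Int) bool {
	sig := new(big.Int).Mul(s1, s2)
	e := big.NewInt(int64(pub.E))
	return sig.Exp(sig, e, pub.N).Cmp(m) == 0
}

// Demo: does the combined signature verify, and does one fragment's alone?
func Demo() (combined, single bool) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	d1, d2 := SplitKey(priv)
	h := sha256.Sum256([]byte("constructed sample message"))
	m := new(big.Int).SetBytes(h[:])
	s1, s2 := PartialSign(d1, m, priv.N), PartialSign(d2, m, priv.N)
	pub := &priv.PublicKey
	return Verify(pub, m, s1, s2), Verify(pub, m, s1, big.NewInt(1))
}

func main() { fmt.Println(Demo()) }
```

Only the partial results `s1` and `s2` travel between holders; an attacker who captures one fragment can produce `s1` but not a signature that verifies.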

Putting it all together

In the case of the SolarWinds hacks, and many others like it, there is a way to ensure that no data, or only a minimal amount of data, is stolen by hackers. It all depends on the tools and security practices. By using a secrets management platform, like Akeyless Vault, that brings together password rotation, code signing, and distributed fragments cryptography, enterprises can at least ensure these types of attacks will not cause them headaches in the future.
