The SolarWinds supply chain attack against the US Government was the largest and most sophisticated breach in history. But despite nation-state's efforts to conceal their tactics, they left some highly-valuable clues about their methods that could be leveraged to sharpen supply chain attack defenses.
Reinforcing Privileged Access Management security could prevent supply chain attacks and improve compliance with Joe Biden's Cybersecurity Executive Order.
What is Privileged Access Management?
Privileged Access Management (PAM) is the process of monitoring and controlling users that have the authority to access sensitive business resources.
The goal of a cyber attack is to access sensitive data. Because only privileged accounts have access to this data, they are notoriously targeted by cybercriminals.
Compromised privileged accounts make data breaches possible. When a threat actor exploits privileged credentials, they have unmitigated access to sensitive business data.
Privileged accounts are not only compromised by criminals, they're also abused by insider threats.
Privileged Access Management is different to Access Control and Identity Access Management (IAM) in that PAM only focuses on securing administrative access of privileged users rather than authenticating and authorizing all user access.
PAM is also known as Privileged Account Management, Privileged Identity Management, and Privileged Session Management. Despite the slight nuances of each framework, the end-goal is the same - to secure and protect all accounts that have access to sensitive data.
Can Privileged Access Management Prevent Supply Chain Attacks?
No cybersecurity method is guaranteed to prevent supply chain attacks, however, reinforcing Privileged Access security could mitigate the risk of a successful attack.
This is because all supply chain attack strategies tend to follow the same 3 stage attack pattern:
- Stage 1: Attempt to steal internal login credentials of third-party software staff.
- Stage 2: Use these credentials to log into the internal network and identify privilege access accounts.
- Stage 3: Exercise privilege escalation to access sensitive data through privilege access accounts.
This attack trajectory is known as the Privileged Pathway, summarized in the below graphic:
Nation-state criminals followed this sequence to compromise the SolarWinds Orion software.
Armed with this intelligence, the solution to protecting your digital supply chain attacks becomes obvious - disarm attackers by disrupting this attack sequence.
By strategically applying security tools and tactics, this is possible. But defense tactics will only be effective if they're applied to a solid Privileged Access Management foundation
How to Design a Privileged Access Management Framework
The design of an effective Privileged Access Management framework begins by focusing on processes before any security tools are applied. Only after all processes have been firmly established, should security tools be introduced.
Security solutions are designed to support processes, not replace them. This hierarchy will empower organizations to clearly outline their security requirements first. This information can then be used to create a set of qualifications for the right tools.
There are 4 primary pillars of a reliable PAM framework.
PAM Pillar 1: Discover and monitor all privileged accounts
All privileged accounts within an organization need to be identified. Flexible workplaces with remote workers need to take greater care to ensure all dispersed endpoints are accounted for.
Privileges user access activity is highly volatile, new users are continuously being added and the access requirements of old users are always changing
The process discovery and monitoring should be ongoing to avoid the exploitation of overlooked privileged access accounts.
PAM Pillar 2: Secure all privileged accounts
With all privilege accounts identified, they can now be secured. The best method of security is to assign each user the minimal access requirements they need, don't grant access to resources unless it's absolutely necessary
The just-in-time access framework helps enforce time-based limitations. JIT access places an expiry date on each account so that access is only granted when it is needed, for the length of time it is needed, NO LONGER.
The Principal of Least Privilege (POLP) is another effective limitation framework that ensures each user is assigned the minimum access levels they need.
PAM Pillar 3: Track all privileged access activity
Privileged accounts can only be effectively managed if they are meticulously tracked. A baseline for normal privileged activity should be established to contrast suspicious events.
All tracked privileged access activity should be recorded to assist investigations in the event of a data breach.
PAM Pillar 4: Automate privileged management
Like all cybersecurity efforts, a PAM framework needs to be scalable.
Automation will assist with the volatility of privilege access requirements and improve the reliability of the entire framework by removing the human errors that often result from repetitive tasks.
How to Implement a Privilege Management Access Framework
To mitigate supply chain attacks, defense mechanisms need to be placed along the Privilege Pathway commonly traversed by cybercriminals.
Two lines of defense should be established - one outside of the ecosystem and the other within.
Defense line 1: Outside the Ecosystem
This initial line of defense should be the primary cyber defense effort since cyber threats are much harder to intercept after they've been injected.
Such an outward focus is only possible if defense methodologies are proactive, as opposed to static and reactive.
Instead of waiting for external threats to test perimeter defenses, all vulnerabilities should be discovered and preemptively remediated before they're exploited by cybercriminals.
There are 5 proactive defense methods that could prevent supply chain attackers from infecting critical systems.
1. Educate staff
Staff are usually the first targets in the crosshairs of cyberattackers because they can be used as gateways into an ecosystem.
Every individual in an organization needs to be aware of the common tactics used by cybercriminals to avoid being compromised.
Each of the following common attack methods links to a post that can be used for cybercrime awareness training:
- Phishing attacks
- Social Engineering Attacks
- DDoS attacks
- Ransomware attacks
- Malware attacks
- Clickjacking attacks
As an additional safety net, Multi-Factor authentication should be implemented, This will both stall and surface security breach attempts when staff members fall victim to criminal trickery.
Perimeter penetration is the first stop of the Privilege Pathway. By preventing staff from being used as attack vectors, a significant percentage of supply chain attacks will be avoided.
2. Implement a Zero Trust Architecture
A Zero Trust Architecture (ZTA) assumes all network traffic is malicious. This pessimistic mindset forces internal systems and staff to remain focused on surfacing and remediating potential threats.
A Zero Trust Architecture is deployed in 7 stages:
- Stage 1: Identify all users
- Stage 2: Identify enterprise assets
- Stage 3: Identify all network processes
- Stage 4: Draft ZTA policies
- Stage 5: Produce Zero trust solutions
- Stage 6: Deploy Zero trust solutions
- Stage 7: Scale the Zero trust framework
Read this post to learn how to deploy a Zero Trust Architecture.
3. Monitor vendor network for vulnerabilities
In a supply chain attack, organizations are breached through compromised vendors. To mitigate the risk of such incidents, third-party security efforts should be continuously monitored and scrutinized.
Third-party attack surface monitoring solutions, such as Vendor risk, help organizations remain aware of all vulnerabilities within their vendor network.
By surfacing and remediating these vulnerabilities before they are discovered by cyberattackers, the risk of supply chain attackers is reduced.
Organizations with a substantial vendor network can entrust the complete scope of Third-Party Risk Management to expert analysts to scale their Privileged Access Management security most efficiently.
4. Detect and remediate data leaks
A data leak is an unintentional exposure of sensitive data, if these leaks are discovered by cybercriminals, that could be used to launch a successful supply chain attack.
Most organizations are unaware of the dangerous data leaks placing them at a heightened risk of a data breach. They are even less aware of the data leaks placing their vendors at risk of a breach.
If a data leak is detected and remediated before it's discovered by cybercriminals, it will not have a chance to develop into a data breach.
The early discovery of a leak could, therefore, prevent a supply chain attack.
Conventional solutions only monitor for data leaks internally. By overlooking the third-party network, the vulnerabilities that are exploited in supply chain attacks aren't being remediated.
UpGuard rectifies this displaced focus by monitoring for data leaks both internally, and throughout the vendor network.
This monitoring and remediation effort can also be entrusted to a team of expert analysts to scale Privileged Access Management security most efficiently.
5. Apply least privilege policies at all endpoints
Cyberattack awareness training, coupled with least privilege policies for all user accounts, will dramatically reduce the chances of threat injection.
If a staff member unintentionally introduces a threat into the ecosystem, it could be blocked from accessing sensitive resources if least privileged policies are in place.
An Identity and Access Management (IAM) protocol will help you efficiently deploy, track and maintain all endpoint policies.
To overcome the logistical difficulties of endpoint security management across a variety of operating systems, Active Directory Bridging solutions should be implemented.
Active Directory (AD) Bridging solutions centralize the management of all endpoint security policies into a single solution.
Microsoft Kerberos is an example of an AD bridging solution that can extend its authentication policies across Unix, Linux, and Mac devices.
Defense line 2: Inside the ecosystem
Should a threat penetrate the first line of defense, sensitive data resources can still be protected if the right internal defense mechanisms are in place.
Here are 3 internal cyber defense options. To maximize potency, all of these mechanisms should operate in parallel.
1. Implement an Identity Access Management solution
The integration of a PAM and IAM solution creates a multi-layered access security framework that could prevent threats from penetrative sensitive resources.
There are multiple security and administrative benefits of an IAM solution.
An IAM empowers organizations to:
- Manage access privileges for hundreds, or even, thousands of user accounts.
- Secure their PAM solution with Multi-Factor authentication (MFA).
- Prevent overlooked privileged access accounts by automatically terminating access when an employee leaves.
- Ensure Privilege access accounts are activated for privileged users on day 1 to support productivity.
- Create a positive user experience by offering a single interface to manage all user account types.
2. Monitor privileged access account activity
Administrative account activity should be continuously monitored to surface and report anomalies as quickly as possible.
Such obsessive monitoring habits are a natural result of implementing a Zero Trust architecture.
A baseline of admin account activity needs to be established first to accurately surface suspicious movements.
3. Encrypt all internal data.
All internal data should be encrypted, not just critical asset data. When a threat is injected into an ecosystem, it moves laterally throughout the network seeking privileged accounts to target.
The pathway to these accounts could be obfuscated with encryption efforts.
Encryption at rest is a commonly adopted encryption method, preferenced for its affordability. This method only encrypts sensitive information when it is at rest or being transferred.
Encryption at rest is not a safe encryption method. Cyberattackers have developed multiple methods of circumventing static encryption methods. These include cryptographic attacks, stolen ciphertext attacks, and cryptanalysis.
Advanced Encryption Standard (AES) is a highly secure encryption algorithm developed by the National Institute of Standards and Technology (NIST). The United States Government uses this algorithm to protect its sensitive data.
Most attacks (with the exception of brute force attacks) could be obstructed if an AES is in place.
4. Use non-privileged accounts for routine tasks
The less privileged accounts there are, the less likely a privileged breach will occur. In the spirit of least privileges, only non-privileged accounts should be used to conduct routine administrative tasks.
