The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) recently announced that bad actors have been exploiting vulnerabilities in certain versions of SolarWinds Orion products. The threat actors compromised versions of the SolarWinds Orion platform and inserted vulnerable code, which, if activated, could conduct a sophisticated supply chain attack, leveraging backdoors and command and control domains.

The recent SolarWinds breach has captured a huge amount of attention. The audacity and technical skill of the SolarWinds supply chain attack—and the difficulty in identifying what’s been compromised and remediating affected systems—set it apart. Regardless of the innovation, aggression and malice of this breach, the fundamental tactics that attackers use to move through the cybersecurity kill chain are consistent, and any measure that can break the cycle or deter bad actors from moving to the next stage provides powerful protection.

Security of our customers and their data is the highest priority at Quest. In light of NSA cybersecurity advisory and CISA guidance around elevated activities of cyber actors and APT of critical infrastructure, Quest proactively engaged an independent, third-party security firm to thoroughly investigate its infrastructure. Our findings have determined that there was one instance of a vulnerable version of the SolarWinds Orion product used in our internal environment. Our forensic analysis has shown no signs of exploitation of the vulnerability and the instance has since been updated and remediated. In addition, the ongoing investigation has found no evidence of impact to any customer environment, customer data, Quest offerings, or services. 

Best practices

While this particular breach is front-of-mind, the fundamental weaknesses it attempts to exploit are common and the recommended measures to mitigate risk remain unchanged. Quest and One Identity are focused on helping our customers gain the upper hand in their fight against these types of attacks – particularly when those attacks are targeting identity and Active Directory accounts.

Collectively, we would like to take the opportunity to reemphasize the identity security best practices that can improve any organization’s security posture and reduce risk. The vast majority of breaches involve the abuse or misuse of elevated privileges or, as in the recent SolarWinds breach, exploited elevated Active Directory privileges. Comprehensive privileged access management (PAM), account and directory management, and identity governance and administration (IGA) practices can go a long way towards mitigating risk and minimizing exposure.

Specifically, Quest and One Identity believes that following NIST security guidelines for a two-pronged strategy can help achieve those objectives:

  1. Zero Trust – as NIST recommends “…the access control strategy should be dynamically adjusted based on trust evaluation of context request. It is a ‘built-in-security’ mechanism to deal with threats under the new IT Environment.” Comprehensive PAM – including password management, session audit and privileged behavior analytics – is a very efficacious path to Zero Trust.
  2. Least Privilege – Zero Trust is often most successful when coupled with a least-privilege access model where individuals (in particular those individuals who require elevated permissions) are only granted the precise entitlements necessary to do their day-to-day job – nothing more, nothing less.

For more information visit https://www.oneidentity.com/solutions/zerotrust/

In addition, vigilant Active Directory management and security can remove important attack vectors in the cybersecurity kill-chain by making it difficult or impossible to move laterally and escalate privileges. If an AD security breach occurs, every second counts and you need to have an automated disaster recovery plan to maintain business continuity.  

Specifically, several Quest tools provide a full lifecycle of security solutions that enable you to protect the entirety of your complex on-prem or hybrid AD environment. This includes:

  • Automated governance and access control
  • Proactive vulnerability assessment & remediation
  • Real-time auditing, threat detection & alerting
  • Fast forensic investigation & disaster recovery

Security starts with identity. That has not and will not change as companies deploy and benefit from cloud computing, mobile computing and even work from home. See why the Quest identity-centered approach to security and cyber resilience gives organizations the foundation necessary to detect and withstand any incident, attempt, outage or disaster.

 

References

  1. https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF
  2. https://us-cert.cisa.gov/ncas/alerts/aa20-352a

Anonymous
Related Content