{"id":92582,"date":"2021-01-19T14:30:50","date_gmt":"2021-01-19T22:30:50","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=92582"},"modified":"2023-05-15T23:11:54","modified_gmt":"2023-05-16T06:11:54","slug":"using-zero-trust-principles-to-protect-against-sophisticated-attacks-like-solorigate","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/01\/19\/using-zero-trust-principles-to-protect-against-sophisticated-attacks-like-solorigate\/","title":{"rendered":"Using Zero Trust principles to protect against sophisticated attacks like Solorigate"},"content":{"rendered":"
<p>The Solorigate supply chain attack has captured the focus of the world over the last month. This attack was simultaneously sophisticated and ordinary. The actor demonstrated sophistication in the breadth of tactics used to penetrate, expand across, and persist in affected infrastructure, but many of the tactics, techniques, and procedures (TTPs) were individually ordinary.<\/p>\n
<p>Companies operating with a Zero Trust mentality across their entire environment are more resilient, consistent, and responsive to new attacks; Solorigate is no different. As threats increase in sophistication, Zero Trust matters more than ever, but gaps in the application of the principles, such as unprotected devices, weak passwords, and gaps in multi-factor authentication (MFA) coverage, can be exploited by actors.<\/p>\n
<h2>Applying Zero Trust<\/h2>\n
<p>Zero Trust in practical terms is a transition from implicit trust (assuming that everything inside a corporate network is safe) to a model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data. It relies on contextual, real-time policy enforcement to achieve least-privileged access and minimize risk. Automation and machine learning are used to enable rapid detection, prevention, and remediation of attacks using behavior analytics and large datasets.<\/p>\n
<h2>Verify explicitly<\/h2>\n
<p>To <em>verify explicitly<\/em> means we should examine all pertinent aspects of access requests instead of assuming trust based on a weak assurance like network location. Examine the identity, endpoint, network, and resource, then apply threat intelligence and analytics to assess the context of each access request.<\/p>\n
<p>When we look at how attackers compromised identity environments with Solorigate, there were three major vectors: compromised user accounts, compromised vendor accounts, and compromised vendor software. In each of these cases, we can clearly see where the attacker exploited <strong>gaps in explicit verification<\/strong>.<\/p>\n
<p>Cloud identity, like Azure Active Directory (Azure AD), is simpler and safer than federating with on-premises identity. Not only is it easier to maintain (fewer moving parts for attackers to exploit), but your Zero Trust policy should also be informed by cloud intelligence. Our ability to reason over more than eight trillion signals a day across the Microsoft estate, coupled with advanced analytics, allows for the detection of anomalies that are very subtle and only detectable in very large data sets. User history, organization history, threat intelligence, and real-time observations are essential mechanisms in a modern defense strategy. Enhance this signal with endpoint health and compliance, device compliance policies, app protection policies, session monitoring and control, and resource sensitivity to get to a Zero Trust verification posture.<\/p>\n
<p>For customers that use federation services today, we continue to develop tools to simplify migration to Azure AD. Start by discovering the apps that you have and analyzing the migration work using Azure AD Connect Health and activity reports.<\/p>\n
<h2>Least privileged access<\/h2>\n
<p>Least-privileged access helps ensure that permissions are only granted to meet specific business goals, from the appropriate environment and on appropriate devices. This minimizes the attacker’s opportunities for lateral movement by granting access in the appropriate security context and only after applying the correct controls, including strong authentication, session limitations, or human approvals and processes. The goal is to compartmentalize attacks by limiting how much any compromised resource (user, device, or network) can access others in the environment.<\/p>\n
<p>With Solorigate, the attackers took advantage of broad role assignments, permissions that exceeded role requirements, and in some cases abandoned accounts and applications which should have had <em>no<\/em> permissions at all. Conversely, customers with good least-privileged access policies, such as the use of Privileged Access Workstation (PAW) devices, were able to protect key resources even in the face of initial network access by the attackers.<\/p>\n
<h2>Assume breach<\/h2>\n
<p>Our final principle is to Assume Breach: building our processes and systems assuming that a breach has already happened or soon will. This means using redundant security mechanisms, collecting system telemetry, using it to detect anomalies, and, wherever possible, connecting that insight to automation so you can prevent, respond, and remediate in near real time.<\/p>\n
<p>Sophisticated analysis of anomalies in customer environments was key to detecting this complex attack. Customers that used rich cloud analytics and automation capabilities, such as those provided in Microsoft 365 Defender, were able to rapidly assess attacker behavior and begin their eviction and remediation procedures.<\/p>\n
<p>Importantly, organizations such as Microsoft that do not rely on “security through obscurity” but instead model as though the attacker is already observing them can have more confidence that mitigations are already in place, because their threat models assume attacker intrusions.<\/p>\n
<h2>Summary and recommendations<\/h2>\n
<p>It bears repeating that Solorigate is a truly significant and advanced attack. However, ultimately, the risk from the attacker techniques observed in this incident can be significantly reduced or mitigated by applying known security best practices. For organizations, including Microsoft, thorough application of a Zero Trust security model provided meaningful protection against even this advanced attacker.<\/p>\n
<p>To apply the lessons from the Solorigate attack and the principles of Zero Trust that can help protect and defend, get started with these recommendations:<\/p>\n
<p>Stay safe out there.<\/p>\n
<p>— Alex Weinert<\/p>\n
<p>For more information about Microsoft Zero Trust, please visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Solorigate supply chain attack has captured the focus of the world over the last month. This attack was simultaneously sophisticated and ordinary. The actor demonstrated sophistication in the breadth of tactics used to penetrate, expand across, and persist in affected infrastructure, but many of the tactics, techniques, and procedures (TTPs) were individually ordinary. Companies […]<\/p>\n","protected":false},"author":98,"featured_media":92586,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3659],"topic":[3688,3689],"products":[],"threat-intelligence":[],"tags":[3822,3813],"coauthors":[1845],"yoast_head":"