Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Yash Prakash
Yash Prakash
Connect Directly
E-Mail vvv

SolarWinds Attack Reinforces Importance of Principle of Least Privilege

Taking stock of least-privilege policies will go a long way toward hardening an organization's overall security posture.

The SolarWinds attack is historic for its multidimensional sophistication. As we continue to learn of new victims, techniques, and implications, it's important that chief information security officers (CISOs) and security professionals take stock of their defense-in-depth strategies. One critical element of the approach is the principle of least privilege (POLP). Based on what we've learned from the SolarWinds attack so far, there are a few valuable lessons to unpack.

Before we do so, here's a quick POLP primer. Implementing least privilege is one of the 33 IT security principles outlined by NIST, which it defines as:

"The concept of limiting access, or 'least privilege,' is simply to provide no more authorizations than necessary to perform required functions. This is perhaps most often applied in the administration of the system. … Best practice suggests it is better to have several administrators with limited access to security resources rather than one person with 'super user' permissions."

Related Content:

Strengthening Zero-Trust Architecture

Special Report: Special Report: Understanding Your Cyber Attackers

New From The Edge: Fighting Fileless Malware, Part 1: What Is It?

In an activity alert published Dec. 17, the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency described how the advanced persistent threat (APT) behind the SolarWinds attack used forged "authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism." In essence, this allows the actor to gain access to administrative accounts and add their own credentials to existing service principals for elevated access to applications and data across the organization.

Based on this knowledge, here are three important lessons about how to think about and follow the principle of least privilege.

1. Work Toward Zero-Trust Maturity
Zero trust is based on the premise that no one has standing privilege, not even administrators. For it to work, users or applications submit access requests that are evaluated based on all the attributes associated with that user or application, including role, position, duties, usage behaviors, and more. To assess risk, the security system either auto-grants access or flags the risk for further review with the full spectrum of identity determining access.

Two pillars of zero trust are time-limited access and just-enough access. When a user or application's identity is evaluated, a decision is made about what access is granted and how long it will persist.

The SolarWinds APT took advantage of standing administrative privileges once it established a foothold on the network to gain administrator access. Reducing the number of users with highly privileged directory roles to zero is a good place to start.

Moving toward a zero-trust model demands a shift in the mindset of an organization's security architect. At its core, identity must be the new security perimeter. All identities — including and beyond human users — must be addressed. There must also be a recognition that zero standing privilege is the path to a real zero-trust model.

Zero standing privilege in and of itself is not zero trust. Instead, it's the application of the principles of zero trust to privileged access management. Zero standing privilege eliminates the abstract concept of an administrative account that has permanent access to privileged data. Access rights get determined on an as-needed basis, so no identity has a default access level. This forces privileged access to be requested, evaluated, granted, or denied — then logged and monitored.

2. Consider Humans and Machines
Limiting access within an infrastructure should take humans and non-humans alike into consideration. The SolarWinds attack shined a light on one specific type of non-human identity: service accounts. Ex-NSA hacker Jake Williams astutely shared the view that, in light of the attack, every organization should look to change its service account passwords. He also said most "don't do this regularly (or ever) because it's hard."

Machine identities also include cloud resources, which is important given that evidence has shown that the threat actors sought access to cloud resources. The Capital One hack suggests why this is so critical. In that case, the hacker was able to exfiltrate the personal information of 100 million consumers because she took advantage of an over-permissioned machine identity role in the form of an EC2 instance. Once the credentials were compromised, so were all the privileges assigned to it.

Similarly, the SolarWinds Orion software is used by many customers for monitoring Azure and AWS environments, which require administrator-level permissions to be used when configuring access to cloud resources. That's why it's so important to implement least-privilege policies for all identities, but especially for machine identities.

3. Apply POLP in Product Design and Development
When thinking about where to apply the principle of least privilege, DevOps should be high on the priority list. The SolarWinds attack started with a compromised software build process that allowed the APT to insert malicious code into an Orion software update. Given the imperative for software development and release speed, many organizations provide access to accounts along the DevOps toolchain that are overprovisioned from a privileges standpoint.

It's critical to provide just enough privileges so that the DevOps process works, but not so much that the entire process can be compromised. This also requires factoring in role-based access into the design and control of operations at a granular level and ensuring that default roles packaged with the software also follow the POLP.

Take Stock of Your POLP
As one of the most sophisticated and far-reaching attacks of the last decade, the SolarWinds campaign requires every security organization to review and refine its defense-in-depth strategy.

The principle of least privilege is one key layer of this strategy, but it will not completely mitigate the risk of such a sophisticated attack. Users that truly need privileged access to infrastructure or software build tools can be targeted directly — for example, through spear-phishing. But given what we've learned about the SolarWinds-related attacks so far, taking stock of least-privilege policies will go a long way toward hardening an organization's posture.

Yash Prakash is the Chief Strategy Officer of Saviynt. Yash works closely with customers, partners, and employees to successfully deliver intelligent identity and security solutions. This includes taking Saviynt's unique solution approach from inception to delivering the ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.