According to Microsoft, the techniques used by the SolarWinds hackers were sophisticated but common and preventable. To avoid future attacks of similar complexity, Microsoft advises organizations to adopt a "zero trust" approach.
In essence, this means that organizations must assume that every part of their systems is at risk at all times, and must explicitly verify the security of user accounts, endpoint devices, the network and other resources.
Thousands of companies were affected by the SolarWinds breach, which was revealed in mid-December. The hacking group known as UNC2452 / Dark Halo targeted the build environment of SolarWinds' Orion software.
According to Alex Weinert of Microsoft, the attackers took advantage of gaps in the "explicit verification" of each of the main actors.
"Where user accounts were compromised, known techniques such as password spray, phishing or malware were used to compromise user credentials, giving the attacker access to the customer network," writes Weinert.
He argues that cloud-based identity systems such as Azure Active Directory (Azure AD) are more secure than on-premises identity systems, because the latter lack cloud-backed protections.
In the cases where the attackers succeeded, Weinert notes that privileged vendor accounts lacked additional protections such as multi-factor authentication (MFA), IP range restrictions, device compliance checks or access policies. Microsoft found that 99.9% of the compromised accounts it monitors each month do not use MFA.
This attack technique could also have been prevented with stricter permissions on user accounts and devices.
"The first principle of Zero Trust is to verify explicitly: be sure you extend that verification to all access requests, even those from vendors and especially those from on-premises environments."
Weinert admits that the SolarWinds intrusion was a "truly significant and advanced attack", but the techniques used could have been mitigated with these best practices.