The way the adversary behind the SolarWinds hack used legitimate credentials to execute a widespread compromise of public and private-sector entities should spur the creation of new guidance on protecting identities, especially as organizations move to the cloud, a Cybersecurity and Infrastructure Security Agency official said.
“With regards to identity, I think that the guidance should be updated to go with the cloud,” CISA Technical Strategist Jay Gazlay told the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board Wednesday.
Gazlay provided a forensic brief of the hacking campaign, which leveraged a trojanized update from network management company SolarWinds and techniques like password spraying to gain unauthorized access to at least nine federal agencies and more than 100 private companies. He described actions NIST and the broader government should take in the wake of the breaches, focusing on protection and detection.
“Our takeaway from this at CISA's space is that identity is everything now,” he said, noting that the level of success the adversary achieved with tactics like password spraying was not normal. “We can talk about our network defenses, we can talk about the importance of firewalls and network segmentation, but really identity has become the boundary, and we need to start readdressing our infrastructures in that manner.”
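Password spraying, the technique Gazlay singles out above, tries a small number of common passwords against many accounts from one source so that no single account trips a lockout threshold; the telltale signal in authentication logs is one source failing against many distinct usernames in a short window, with very few failures per account. The detector below is an added example and is not code from the article, from CISA, or from NIST; the log format, the sample records, the thresholds, and the function names are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Assumed line format:
# "<ISO-8601 timestamp> <username> <source_ip> <SUCCESS|FAILURE>"
# Source 203.0.113.7 shows the spray pattern: one failure each against seven
# accounts within half a minute, then a success on an eighth account.
# The other two sources are ordinary users mistyping their own password.
SAMPLE_LOG = """\
2021-01-05T10:00:01 alice 203.0.113.7 FAILURE
2021-01-05T10:00:04 bob 203.0.113.7 FAILURE
2021-01-05T10:00:07 carol 203.0.113.7 FAILURE
2021-01-05T10:00:10 dave 203.0.113.7 FAILURE
2021-01-05T10:00:13 erin 203.0.113.7 FAILURE
2021-01-05T10:00:16 frank 203.0.113.7 FAILURE
2021-01-05T10:00:19 grace 203.0.113.7 FAILURE
2021-01-05T10:00:22 hank 203.0.113.7 SUCCESS
2021-01-05T10:05:00 alice 198.51.100.4 FAILURE
2021-01-05T10:05:20 alice 198.51.100.4 FAILURE
2021-01-05T10:05:45 alice 198.51.100.4 SUCCESS
2021-01-05T11:30:00 bob 192.0.2.9 FAILURE
2021-01-05T11:30:30 bob 192.0.2.9 SUCCESS
"""


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "src": src,
            "ok": result == "SUCCESS",
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_distinct_users=5):
    """Flag source IPs that fail against many distinct accounts in one window.

    For each source, a sliding window over its failures finds the largest set
    of distinct usernames attacked within `window`. Sources reaching
    `min_distinct_users` are reported together with the per-account failure
    maximum (sprays keep this low to dodge lockouts) and any accounts that
    later authenticated successfully from that source, which is the case that
    needs immediate credential reset and session review.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if not e["ok"]]
        best_users = set()
        start = 0
        for end in range(len(failures)):
            # Advance the window start so that all events in it fit in `window`.
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            users = {e["user"] for e in failures[start:end + 1]}
            if len(users) > len(best_users):
                best_users = users
        if len(best_users) < min_distinct_users:
            continue
        per_user = Counter(e["user"] for e in failures)
        alerts[src] = {
            "distinct_users": len(best_users),
            "failures": len(failures),
            "max_failures_per_user": max(per_user.values()),
            "landed": sorted({e["user"] for e in evs if e["ok"]}),
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(f"possible password spray from {src}: {info}")
```

Run against the constructed sample, the only alert is for 203.0.113.7, with seven distinct accounts, one failure per account, and `hank` listed as the account the spray landed on; the two legitimate users never reach the distinct-account threshold. In practice the same logic runs over identity-provider sign-in logs, and the `landed` field is what turns an alert into a response action, since a successful sign-in from a spraying source means a valid credential is now in the adversary's hands.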
Gazlay said the adversary has adapted to measures the government took after the breach of the Office of Personnel Management to defend high-value assets and that increased use of the cloud makes targeting identities much more effective.
“Instead of going after these data holdings, they're going after the identities that give them access to all the data elements, much broader campaigns,” he said. “As we move into a cloud infrastructure where all that matters is the expectation that you are who you say ..