SolarWinds Attack Reinforces Importance of Principle of Least Privilege

Taking stock of least-privilege policies will go a long way toward hardening an organization's overall security posture.

The SolarWinds attack is historic for its multidimensional sophistication. As we continue to learn of new victims, techniques, and implications, it's important that chief information security officers (CISOs) and security professionals take stock of their defense-in-depth strategies. One critical element of the approach is the principle of least privilege (POLP). Based on what we've learned from the SolarWinds attack so far, there are a few valuable lessons to unpack.


Before we do so, here's a quick POLP primer. Implementing least privilege is one of the 33 IT security principles outlined by NIST, which it defines as:


"The concept of limiting access, or 'least privilege,' is simply to provide no more authorizations than necessary to perform required functions. This is perhaps most often applied in the administration of the system. … Best practice suggests it is better to have several administrators with limited access to security resources rather than one person with 'super user' permissions."


In an activity alert published Dec. 17, the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency described how the advanced persistent threat (APT) behind the SolarWinds attack used forged "authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism." In essence, this allows the actor to gain access to administrative accounts and add their own credentials to existing service principals for elevated access to applications and data across the organization.
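The persistence mechanism described above (a privileged account adding its own credential to an existing service principal, then using that principal's rights) leaves a footprint in directory audit logs. The following is an added detection example, not code from the article or from CISA: it runs two checks over a small constructed audit log whose field names and operation names (AddServicePrincipalCredential, AddAppRoleAssignment) are assumptions chosen for the example rather than any vendor's real schema. The first check flags a credential added to a service principal by an account that is not that principal's designated owner; the second correlates a credential add with a permission grant on the same principal by the same actor within a short window, which is the "new key plus more rights" pattern the alert describes.

```python
"""Added example (not from the article or CISA): least-privilege review of a
constructed directory audit log for credential additions to service principals."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    actor: str       # account that performed the operation
    operation: str   # constructed operation name, not a vendor schema
    target: str      # directory object affected
    detail: str = "" # credential type or permission granted


# Constructed sample log. Operation names and field layout are assumptions
# made for this example; real audit logs use their own schema.
SAMPLE_LOG = [
    AuditEvent(datetime(2020, 12, 10, 9, 2), "ci-pipeline@corp", "AddServicePrincipalCredential", "sp-build-agent", "certificate"),
    AuditEvent(datetime(2020, 12, 10, 9, 15), "alice.admin@corp", "UpdateUser", "bob@corp"),
    AuditEvent(datetime(2020, 12, 11, 3, 41), "alice.admin@corp", "AddServicePrincipalCredential", "sp-mail-reader", "certificate"),
    AuditEvent(datetime(2020, 12, 11, 3, 42), "alice.admin@corp", "AddAppRoleAssignment", "sp-mail-reader", "Mail.Read"),
    AuditEvent(datetime(2020, 12, 12, 14, 5), "ci-pipeline@corp", "AddServicePrincipalCredential", "sp-build-agent", "password"),
]

# Least-privilege policy (constructed): which accounts may rotate credentials
# on which service principals. A global admin is deliberately not on this list;
# credential rotation is delegated to a narrow owner per principal.
CREDENTIAL_OWNERS = {
    "sp-build-agent": {"ci-pipeline@corp"},
    "sp-mail-reader": {"mail-ops@corp"},
}

CREDENTIAL_OPS = {"AddServicePrincipalCredential"}
GRANT_OPS = {"AddAppRoleAssignment"}


def find_unexpected_credential_adds(log, owners):
    """Return credential-add events performed by an account that is not the
    designated owner of the target service principal."""
    hits = []
    for ev in log:
        if ev.operation not in CREDENTIAL_OPS:
            continue
        if ev.actor not in owners.get(ev.target, set()):
            hits.append(ev)
    return hits


def find_privilege_stacking(log, window_minutes=30):
    """Return (credential_event, grant_event) pairs where the same actor added a
    credential to a service principal and then granted it a permission within
    the window: a fresh key plus expanded rights on one principal."""
    window = timedelta(minutes=window_minutes)
    creds = [e for e in log if e.operation in CREDENTIAL_OPS]
    grants = [e for e in log if e.operation in GRANT_OPS]
    pairs = []
    for c in creds:
        for g in grants:
            same_actor_and_target = g.actor == c.actor and g.target == c.target
            if same_actor_and_target and timedelta(0) <= g.when - c.when <= window:
                pairs.append((c, g))
    return pairs


if __name__ == "__main__":
    for ev in find_unexpected_credential_adds(SAMPLE_LOG, CREDENTIAL_OWNERS):
        print(f"REVIEW: {ev.when:%Y-%m-%d %H:%M} {ev.actor} added {ev.detail} to {ev.target}")
    for c, g in find_privilege_stacking(SAMPLE_LOG):
        print(f"STACKING: {c.actor} added credential to {c.target} at {c.when:%H:%M}, "
              f"then granted {g.detail} at {g.when:%H:%M}")
```

On the constructed log, the build pipeline's two rotations of its own principal pass the owner check, while the administrator's 03:41 credential add on sp-mail-reader is flagged both as an out-of-policy change and, together with the Mail.Read grant a minute later, as privilege stacking. The owner map is the least-privilege control: each principal's credentials are rotated by one narrowly scoped account rather than by anyone holding a tenant-wide administrator role.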


Based on this knowledge, here are th ..
