Another day, another supply chain attack, maybe one of the worst in years. Yes, we’re talking about the recent SolarWinds attack. This attack, which has been the downfall of many companies, has gone through rigorous investigation, research, and analysis by vendors like Microsoft and FireEye.
In a nutshell, the attack itself utilized a vulnerability and backdoor into the SolarWinds Orion Platform. Once the hackers got in, they deployed their code into one of the DLL files or the Orion platform. From there, they were able to connect to the attackers’ command and control servers in order to get the attack commands.
The last step of the attack was executed once the backdoor access was achieved; at that stage, the attackers started working on gaining privilege escalation, and from there went on to steal credentials and laterally traverse the network scanning for the victims’ crown jewels.
The lateral movement attack was done via PowerShell remote task creation, as shown by FireEye. Now as PowerShell is widely used within organization networks, its clear to see that the hackers could move around the organization easily without anyone noticing.
One of the reasons that the use of PowerShell to access servers is simple and easy, is that all an attacker needs in order to execute the PowerShell command are basic credentials, stolen from other accounts. No second factor challenge is invoked in such cases, making it very easy to hack into internal systems.
Adding MFA to ALL Internal Systems
Well, how would you have blocked such an attack? The 1st thought that comes to mind is patching SolarWinds, right? Since that was the origin of the attack?
But…you are not the developer of SolarWinds, are you? You are a customer, so patching won’t work…
Ok, so what can we do? We can deploy complex solutions which will scan all the traffic in the network and look for traffic going to the C2 server or from the C2 server to the compromised machine. Not a simple task at all.
And even if you do run and patch all your 3rd party software, or deploy a network scanning solution, what guarantees that the next Zero Day attack will not harm you? We have to accept that as long as developers develop software, vulnerabilities will continue to be the necessary evil that we’ll have to live with. But living with them doesn’t mean that we can’t mitigate the risk of these vulnerabilities being exploited by hackers. We might want to consider a different approach – controlling and securing the internal processes and continuously challenging the attackers.
We are told often to assume the attacker is already in our network, so why don’t we try and prevent them from moving laterally throughout our network? The idea being, that they will get in but won’t be able to do harm.
What if we could “auto magically” add MFA to every system, server, and application in the network, so that when the attacker tries to access a server from the infected machine, their PowerShell command (if we take the aforementioned attack as an example), would have invoked an MFA request that until approved would have prevented the command from executing?
Safe-T’s ZoneZero® MFA Solution
I am happy to say that what I described above is no longer a dream. Safe-T ZoneZero MFA is the 1st ever zero-trust network access (ZTNA) solution designed to add centralized MFA to any corporate resource (system, server, data, application, etc.).
Improved and continuous user authentication is one of the main components in zero-trust network access. Identification providers and multi-factor authentication providers have improved the authentication process, but the leading ‘client-based’ approach creates integration and maintenance challenges. Moreover, many non-web applications are not naturally compatible with MFA.
Safe-T’s ZoneZero MFA centralized approach allows customers to easily integrate multi-factor authentication (SMS, push messaging, Biometric, Telegram, WhatsApp, REST API) and identity awareness into all access scenarios – remote and internal users, VPNs, web and non-web applications.
This product is part of the ZoneZero Perimeter Access Orchestration platform that provides central management of all secure access technologies and helps organizations achieve zero-trust network access (ZTNA).
With Safe-T ZoneZero® MFA – You can block hackers from moving around your network!
By deploying ZoneZero MFA in the network, it is now possible to ensure that any request from any user/application to any application invokes an MFA action, for example, a text message sent to the IT administrator or relevant application developer. Until the MFA is responded to, it prevents the execution of the command.
Such a capability would have prevented the lateral movement attack vector completely, because at the 1st attempt to execute a PowerShell command, the company’s IT would have been notified and the alarms would have started blaring.
The Solution – ‘Safe-T ZoneZero® MFA’
Centralized approach – No client-side integration
Seamless integration – Rapid deployment
Add MFA capabilities to legacy applications, proprietary services, RDP, file shares, SSH, SFTP, VMWare, etc.
Upgrade 2FA to true MFA
Optimize cost of deployment and ownership
Built-in MFA or integration with 3rd party MFA/IdPs – SMS, push messaging, Biometric, Telegram, WhatsApp, REST API
Support continuous authentication
Application access control policies for internal users
User > App and App > App use cases
Eliminate identity takeover fraud while delivering a seamless user experience