Hardening Systems Against Attacks Like SolarWinds
How Key Management, PKI Controls, and Zero Trust Principles are Applied to Thwart Advanced Persistent Threats (APTs)
For years, cybersecurity professionals argued for the importance of “zero trust networks,” and their concerns were fully validated in the wake of the SolarWinds incident. Techniques likely used in the SolarWinds Sunburst attack include mapping sIDHistory, Primary Group ID, and AdminSDHolder to identify and obtain cached Active Directory credentials. The compromised SAML keys and cryptographic material were then likely used to exercise administrative control and exfiltrate data over an extended period.
Controls governing device credentials and their rotation have often been overlooked or waved off as a low-priority security measure. Unfortunately, it appears that the attackers responsible for the SolarWinds compromise took advantage of these afterthoughts to move through the network. In the aftermath of the attack, companies are realizing that control of key material and certificates within a zero trust architecture is vital to mitigating the risks associated with Advanced Persistent Threats. This is especially true when control of the keys and certificates is orchestrated as part of the system's normal operations.
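The three Active Directory changes named above (sIDHistory writes, Primary Group ID changes and AdminSDHolder modification) all leave traces in the Windows Security log, and a defender can alert on them directly. The following is an added example, not Fornetix or VaultCore code: the `Event` dataclass is a simplified, constructed view of Security log entries, the sample events are constructed, and the allow-list of accounts permitted to write sIDHistory is an assumption to be replaced with the accounts that legitimately do so in a given domain.

```python
"""Flag AD changes associated with the techniques named above.

Added example, not Fornetix code. Event fields are a constructed,
simplified view of Windows Security log entries."""
from dataclasses import dataclass

# Windows Security event IDs for the changes of interest.
SID_HISTORY_ADDED = 4765        # SID History was added to an account
SID_HISTORY_ADD_FAILED = 4766   # an attempt to add SID History failed
USER_ACCOUNT_CHANGED = 4738     # carries Primary Group ID and SID History fields
DS_OBJECT_MODIFIED = 5136       # a directory service object was modified

# Well-known RIDs that should never become an ordinary account's primary group.
PRIVILEGED_GROUP_RIDS = {"512": "Domain Admins", "518": "Schema Admins",
                         "519": "Enterprise Admins"}

# Only a migration tool's service account is expected to write sIDHistory
# (assumption: adjust to the accounts that legitimately do so in your domain).
ALLOWED_SIDHISTORY_WRITERS = {"CORP\\svc-migrate"}


@dataclass
class Event:
    event_id: int
    subject: str          # account that made the change
    target: str           # account or object DN that was changed
    attribute: str = ""   # changed attribute (4738 / 5136)
    new_value: str = ""   # new attribute value ("-" means unchanged in 4738)


def classify(ev):
    """Return an alert string when the event matches a watched technique, else None."""
    if ev.event_id in (SID_HISTORY_ADDED, SID_HISTORY_ADD_FAILED):
        if ev.subject not in ALLOWED_SIDHISTORY_WRITERS:
            outcome = "added" if ev.event_id == SID_HISTORY_ADDED else "attempted"
            return f"sIDHistory {outcome} on {ev.target} by unexpected subject {ev.subject}"
    elif ev.event_id == USER_ACCOUNT_CHANGED and ev.attribute == "Primary Group ID":
        if ev.new_value in PRIVILEGED_GROUP_RIDS:
            return (f"Primary Group ID of {ev.target} set to {ev.new_value} "
                    f"({PRIVILEGED_GROUP_RIDS[ev.new_value]}) by {ev.subject}")
    elif ev.event_id == DS_OBJECT_MODIFIED and ev.target.upper().startswith("CN=ADMINSDHOLDER,"):
        # Writes to AdminSDHolder are propagated to every protected account by
        # SDProp, so each modification deserves review regardless of subject.
        return f"AdminSDHolder modified ({ev.attribute}) by {ev.subject}"
    return None


def scan(events):
    """Run classify over a batch of events and return the alerts in order."""
    return [alert for alert in map(classify, events) if alert]


SAMPLE_EVENTS = [  # constructed sample data
    Event(4765, "CORP\\svc-migrate", "CORP\\jdoe"),                          # expected migration write
    Event(4765, "CORP\\helpdesk1", "CORP\\jdoe"),                            # unexpected writer
    Event(4738, "CORP\\helpdesk1", "CORP\\jdoe", "Primary Group ID", "513"), # Domain Users, default
    Event(4738, "CORP\\helpdesk1", "CORP\\jdoe", "Primary Group ID", "512"), # Domain Admins
    Event(5136, "CORP\\helpdesk1", "CN=AdminSDHolder,CN=System,DC=corp,DC=example",
          "nTSecurityDescriptor"),
    Event(5136, "CORP\\helpdesk1", "CN=jdoe,CN=Users,DC=corp,DC=example",
          "description", "moved desks"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed batch, `scan` returns three alerts: the sIDHistory write by the help-desk account, the primary group change to RID 512, and the AdminSDHolder write; the migration account's write, the default primary group value and the ordinary user-object edit are left alone. The same three checks translate directly into SIEM correlation rules keyed on those event IDs.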
Fornetix® VaultCore™ is a highly efficient and scalable cryptographic key management appliance with the unique capability to automate and enforce security policy across an entire organization while acting as a Policy Decision Point for key/certificate lifecycle and cryptographic operations. VaultCore works to harden systems and support zero trust architecture by helping to move security from a traditional perimeter defense position to a more granular approach. Scalable to over 100 million keys in a FIPS 140-2 certified platform, VaultCore automates policy through hybrid access controls and positional security to better protect data-at-rest, data-in-motion, and data-in-use for every industry.
Consider the following controls for VMware and Windows Systems Security Technical Implementation Guidance:
With the SolarWinds attack in mind, Fornetix has developed VaultCore as a purpose-built Key Management System (KMS) to address the complex challenges related to certificate management, vTPM, Windows credentials, and DISA STIG policy upkeep. In this architecture, VaultCore is employed throughout the VMware/Windows infrastructure to support end-to-end control and orchestration of key material and certificates, ultimately creating a safer environment for your data.
VaultCore can support each component in the architecture based on the operational needs of a customer’s unique environment.
- vSAN: VaultCore provides control and rotation of keys used for vSAN encryption
- vSphere: VaultCore provides control and rotation of encryption keys used by vSphere for virtual machine (VM) encryption
- vTPM: VaultCore provides control and rotation of keys used for TPM encryption in VMware environments
- Windows Server: VaultCore uses Windows Orchestrator agents to enable key and certificate rotation across PKI Services and SAML token creation employed by Windows and Microsoft applications
Policy is used to determine how to trust incoming transactions from the requesting service, the nature of the transaction, and which cryptographic objects are required. VaultCore allows policy to be specified separately for each of the previously mentioned system components in a VMware-Windows environment, so that automation and controls can be applied to every component as part of an APT mitigation strategy.
A centralized and responsive control center ensures VaultCore is simple to use. With a large and ever-expanding library of integration plugins, VaultCore delivers automated, policy-driven key management that can swiftly begin working alongside a multitude of existing or new platforms while conforming to DISA STIGs.
Regarding APT risks, mitigation, and contingency planning, VaultCore's auditing and automation support an organization's ability to monitor and quickly respond to threats. Consider the following VaultCore capabilities as part of Security Orchestration, Automation, and Response (SOAR):
- Use VaultCore cryptographic logs to populate SIEM engines to detect anomalies
- Develop VaultCore defensive scenarios (compositions) that SIEM engines can use for threat response
- Enforce fine-grained control over resources through attribute-based distribution of key and certificate material
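The policy-decision and SOAR points above fit together: the policy decision point evaluates requester and key attributes, every decision is written to an audit trail, and the SIEM runs detections over that trail. The following is an added example illustrating both, not VaultCore's own policy language, log schema or plugin code. The key inventory, the rule format, the audit fields, the deny threshold and the rotation window are all constructed assumptions for this illustration.

```python
"""Attribute-based key release with an audit trail and SIEM-style anomaly
checks. Added example, not VaultCore's policy language or log schema: the
key attributes, rules, audit fields and thresholds are constructed here."""
from collections import Counter
from datetime import datetime, timezone

# Key inventory with the attributes policy decides on (constructed sample data).
KEYS = {
    "vsan-dek-01":  {"purpose": "vsan",         "site": "dc1", "class": "data-at-rest"},
    "vm-kek-07":    {"purpose": "vsphere-vm",   "site": "dc1", "class": "data-at-rest"},
    "saml-sign-01": {"purpose": "saml-signing", "site": "dc1", "class": "identity"},
}

# Attribute-based rules: a requester role may perform the listed operations on
# keys of one purpose, and only from the key's own site. No rule ever permits
# "get" on the SAML signing key; the orchestrator may only rotate it in place.
POLICY = [
    {"purpose": "vsan",         "role": "vsan-host",         "ops": {"get", "rotate"}},
    {"purpose": "vsphere-vm",   "role": "vcenter",           "ops": {"get", "rotate"}},
    {"purpose": "saml-signing", "role": "adfs-orchestrator", "ops": {"rotate"}},
]


def decide(requester, key_id, operation, when):
    """Policy decision point: evaluate one request and return its audit record."""
    key = KEYS.get(key_id)
    allowed, reason = False, "unknown key"
    if key is not None:
        reason = "no rule for this key purpose"
        for rule in POLICY:
            if rule["purpose"] != key["purpose"]:
                continue
            if rule["role"] != requester["role"]:
                reason = "role not permitted for this key purpose"
            elif operation not in rule["ops"]:
                reason = f"operation '{operation}' not permitted for this role"
            elif requester["site"] != key["site"]:
                reason = "requester and key are in different sites"
            else:
                allowed, reason = True, "rule matched"
                break
    return {
        "when": when.isoformat(), "requester": requester["name"],
        "role": requester["role"], "key": key_id,
        "purpose": key["purpose"] if key else None,
        "class": key["class"] if key else None,
        "op": operation, "allowed": allowed, "reason": reason,
    }


DENY_THRESHOLD = 3             # denied requests per requester before alerting (assumed)
ROTATION_WINDOW = range(2, 4)  # identity keys rotate 02:00-03:59 UTC (assumed)


def detect_anomalies(records):
    """Checks a SIEM would run over the audit trail; returns alert strings."""
    alerts = []
    # Repeated denials from one requester look like probing for usable material.
    denies = Counter(r["requester"] for r in records if not r["allowed"])
    for who, n in sorted(denies.items()):
        if n >= DENY_THRESHOLD:
            alerts.append(f"{who}: {n} denied key requests (possible probing)")
    # Permitted operations on identity-class keys outside the maintenance window
    # are still worth a look: the policy allowed them, but the timing is unusual.
    for r in records:
        hour = datetime.fromisoformat(r["when"]).hour
        if r["allowed"] and r["class"] == "identity" and hour not in ROTATION_WINDOW:
            alerts.append(f"{r['requester']}: {r['op']} on {r['key']} at "
                          f"{hour:02d}:00 UTC, outside rotation window")
    return alerts


def run_scenario():
    """Replay constructed requests through the PDP and analyse the trail."""
    def t(h, m):
        return datetime(2021, 1, 15, h, m, tzinfo=timezone.utc)
    vsan_a = {"name": "vsan-host-a", "role": "vsan-host", "site": "dc1"}
    vsan_b = {"name": "vsan-host-b", "role": "vsan-host", "site": "dc2"}
    vcenter = {"name": "vcenter-1", "role": "vcenter", "site": "dc1"}
    orch = {"name": "adfs-orch", "role": "adfs-orchestrator", "site": "dc1"}
    ws = {"name": "ws-jdoe", "role": "workstation", "site": "dc1"}
    requests = [
        (vsan_a, "vsan-dek-01", "get", t(10, 0)),
        (vcenter, "vm-kek-07", "rotate", t(10, 5)),
        (orch, "saml-sign-01", "rotate", t(3, 0)),    # inside the window
        (orch, "saml-sign-01", "rotate", t(14, 0)),   # allowed, but off-hours
        (orch, "saml-sign-01", "get", t(14, 1)),      # export is never permitted
        (ws, "saml-sign-01", "get", t(14, 30)),
        (ws, "vsan-dek-01", "get", t(14, 31)),
        (ws, "vm-kek-07", "get", t(14, 32)),
        (vsan_b, "vsan-dek-01", "get", t(15, 0)),     # wrong site
    ]
    records = [decide(*req) for req in requests]
    return records, detect_anomalies(records)


if __name__ == "__main__":
    recs, alerts = run_scenario()
    for r in recs:
        verdict = "ALLOW" if r["allowed"] else "DENY "
        print(f"{r['when']} {r['requester']:<12} {r['op']:<6} {r['key']:<13} {verdict} {r['reason']}")
    print("\n".join(alerts))
```

In the constructed replay four requests are allowed and five denied, and the detector raises two alerts: the workstation that was refused three different keys in a row, and the orchestrator's rotation of the SAML signing key at 14:00 UTC, which policy permitted but which falls outside the assumed maintenance window. The first alert is the kind of signal the SIEM feed in the bullets above exists to surface; the second shows why allowed operations belong in the feed as well as denials.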
VaultCore’s capabilities are rooted in zero trust architecture and are an indispensable ally to other technologies and infrastructures. This pioneering key management solution works to help harden systems against attacks like SolarWinds and solves the numerous challenges that surround safeguarding an organization’s data. For more information on VaultCore, click here.
Appreciation and recognition to John Coons, Solutions Engineer, Fornetix, for his research contribution to this post.