Conventional wisdom suggests best-of-breed is the only way to secure your clouds. But what of hybrid attack paths that cross security domains — like those exploited in the SolarWinds and Capital One breaches? Exposing the gaps attackers exploit to move laterally requires visibility and context across security silos.
Insidious attacks like those associated with the 2020 SolarWinds breach — which compromised the software supply chain — frequently progressed from on-premises to cloud infrastructures completely unchecked. Others, like the 2019 Capital One breach, exploited a vulnerable web application to ultimately compromise client data stored in cloud infrastructure. These are just two examples of high-profile cloud breaches that traversed traditional security silos, making them challenging to prevent using siloed approaches.
Whether you’re responsible for securing cloud environments, or the entirety of your attack surface, even the best point tools will not give you the level of visibility needed to expose and close the gaps that attackers exploit to move across environments and compromise high-value targets.
Source: Tenable, 2024 Cloud Security Outlook: Navigating Barriers and Setting Priorities
In this blog, we explore the SolarWinds and Capital One breaches, including the techniques used by attackers, and the security conventions that contributed to their success. More importantly, we explore how you can augment your existing security practices and understand the elusive attacker's perspective to help you shut down even the most sophisticated threat actors.
“Combined with the use of sophisticated authentication exploits, [the SolarWinds breach] also leveraged vulnerabilities and major authentication protocols, basically granting the intruder the keys to the kingdom, allowing them to deftly move across both on-premises and cloud-based services, all while avoiding detection.”
— Senator Mark R. Warner (D-Virginia), Chairman, U.S. Senate Select Committee on Intelligence, SolarWinds Hearing, Feb. 23, 2021
The breach of the SolarWinds Orion infrastructure management platform will go down in history as one of the costliest when measured in terms of total financial impact — estimated at nearly $1 billion — and sheer number of organizations affected. The United States government alone invested over $750 million to upgrade security systems in response. Insurers paid out $90 million in claims. And SolarWinds spent $40 million in just the first year, plus an additional $25 million to settle investor lawsuits.
Beyond the financial impact, the attack — which embedded malicious code into SolarWinds Orion software — introduced a layer of suspicion into a previously trusted and almost routine supply chain process used by countless vendors and customers.
Attackers reportedly directed by the Russian intelligence service first breached the SolarWinds development environment and injected the malicious code, known as Sunburst, into the Orion platform before the final build process. The software was then automatically sent to nearly 18,000 organizations, including the U.S. Department of Defense, the Department of Homeland Security, the Treasury Department, numerous government organizations in other countries, as well as leading enterprises including Cisco, Intel, Microsoft, Mandiant and Palo Alto Networks. The Sunburst code provided a back door attackers could use to gain initial entry into target organizations, along with machine privileges.
The breaches of SolarWinds customers that followed frequently exploited the back door in the Orion software to gain an initial foothold on premises before moving laterally to the cloud. Attackers were able to move to the cloud despite varying degrees of existing cloud security tools, network segmentation and multi-factor authentication (MFA) in use at the targeted organizations.
After gaining initial access to the networks of the targeted organizations, attackers used well-known tools and techniques to exploit unpatched vulnerabilities and misconfigurations and move laterally to high-value targets. For example, using Mimikatz, attackers dumped credentials stored as LSA secrets and used them to register a rogue domain controller in Microsoft Active Directory, ultimately gaining control of Active Directory Federation Services (AD FS) and, with it, the private key of the AD FS token-signing certificate.
Source: Tenable, October 2024
With that key, attackers forged SAML tokens (the technique known as Golden SAML), bypassing MFA and moving laterally into any cloud that trusted AD FS for SAML single sign-on, such as Microsoft Azure and Office 365. Attackers not only granted themselves full administrative privileges, they did so while authenticated as legitimate users, because each forged token carried a valid signature from the organization's own identity provider. Once accepted by the cloud, they were effectively invisible to traditional cloud security controls, which have no way to tell a forged assertion from a genuine one.
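A detection that follows from the point above, as an added example written for this article and not code from Tenable or from the incident response: a forged token carries a valid signature, so the cloud side cannot reject it cryptographically. What the attacker cannot fake is the federation server's own record of having issued the token, and what public reporting on the incident found they often did not imitate were AD FS's normal token attributes, in particular assertions with lifetimes far longer than the one-hour default. The script joins cloud sign-ins against AD FS issuance events and flags any assertion the federation server never logged, any assertion presented by a different subject than it was issued to, and any assertion whose validity window exceeds the configured maximum. The log records and field names are constructed for the example; map them onto your own AD FS event 1200/1202 and cloud sign-in schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real logs). The field names are assumptions that stand
# in for AD FS event 1200 (token issued) and for a cloud sign-in log that records which
# SAML assertion it accepted. Map them onto your own schema.
ADFS_ISSUANCE_EVENTS = [
    {"time": "2024-10-01T09:00:05Z", "user": "alice@corp.example",
     "assertion_id": "_7c1e", "relying_party": "urn:federation:MicrosoftOnline"},
    {"time": "2024-10-01T09:30:12Z", "user": "bob@corp.example",
     "assertion_id": "_b7a0", "relying_party": "urn:federation:MicrosoftOnline"},
]

CLOUD_SIGNINS = [
    # Normal: issued by AD FS seconds earlier, one-hour lifetime.
    {"time": "2024-10-01T09:00:07Z", "user": "alice@corp.example", "assertion_id": "_7c1e",
     "not_before": "2024-10-01T09:00:05Z", "not_on_or_after": "2024-10-01T10:00:05Z"},
    {"time": "2024-10-01T09:30:14Z", "user": "bob@corp.example", "assertion_id": "_b7a0",
     "not_before": "2024-10-01T09:30:12Z", "not_on_or_after": "2024-10-01T10:30:12Z"},
    # Suspicious: the federation server never logged this assertion, and it is valid for a week.
    {"time": "2024-10-01T11:45:00Z", "user": "svc-admin@corp.example", "assertion_id": "_f00d",
     "not_before": "2024-10-01T11:44:00Z", "not_on_or_after": "2024-10-08T11:44:00Z"},
]


def _ts(s):
    """Parse the ISO-8601 'Z' timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_forged_saml(issuance_events, signins, max_lifetime=timedelta(hours=1)):
    """Return one finding per suspicious sign-in. Reason codes:
    no_issuance_event  the assertion ID is absent from the federation server's issuance log
    subject_mismatch   the assertion was issued to a different user than the one presenting it
    long_lifetime      the validity window exceeds what the federation server is configured to issue
    """
    issued = {e["assertion_id"]: e for e in issuance_events}
    findings = []
    for s in signins:
        reasons = []
        ev = issued.get(s["assertion_id"])
        if ev is None:
            reasons.append("no_issuance_event")
        elif ev["user"].lower() != s["user"].lower():
            reasons.append("subject_mismatch")
        lifetime = _ts(s["not_on_or_after"]) - _ts(s["not_before"])
        if lifetime > max_lifetime:
            reasons.append("long_lifetime")
        if reasons:
            findings.append({"user": s["user"], "assertion_id": s["assertion_id"],
                             "lifetime_hours": lifetime.total_seconds() / 3600,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_forged_saml(ADFS_ISSUANCE_EVENTS, CLOUD_SIGNINS):
        print(finding)
```

Run as-is it prints the single finding for the week-long, never-issued assertion. Three caveats apply. The join assumes both logs record the assertion ID; where they do not, correlate on user and a tight time window between issuance and sign-in. An attacker who controls AD FS can also suppress its logs, so ship the 1200/1202 events off-host as they are written rather than relying on the local log. And detection is the fallback, not the fix: the token-signing certificate is a tier-0 secret, and after any AD FS compromise it must be rotated, twice so that the previous certificate is fully retired, with every relying party updated to the new one.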
40% of organizations using Active Directory have unpatched critical or high severity vulnerabilities that are frequently exploited by attackers.
— Tenable Research, based on data from 9,000 organizations using Active Directory
Unlike the SolarWinds breach, the Capital One breach targeted the company’s Amazon Web Services (AWS) cloud infrastructure and demonstrates the ease with which an attacker can move across security silos frequently seen in cloud infrastructure.
Source: Verizon 2024 Data Breach Investigations Report: web applications were the number one way-in vector, used in upwards of 60% of non-error, non-misuse breaches.
The attacker, a former Amazon Web Services (AWS) engineer, first exploited a misconfigured web application firewall on an externally facing EC2 instance, using a server-side request forgery (SSRF) request to reach the instance metadata service and obtain the temporary credentials of the IAM role attached to the instance. That machine identity held far more privilege than the firewall needed, and the attacker used its credentials to enumerate and copy the contents of S3 buckets. The result was the compromise of sensitive data belonging to more than 100 million Capital One customers.
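To make the first two steps concrete, an added example written for this article (not Capital One's or AWS's code): a model of the instance metadata service beside the GET-only server-side fetch that an SSRF bug hands an attacker. Under IMDSv1, two plain GETs are enough to read the instance role's temporary keys. Under IMDSv2, a caller must first obtain a session token with a PUT carrying a TTL header and then present that token on every GET; a fetch that only forwards GETs with no custom headers can do neither. The metadata paths are the real IMDS paths; the role name and credential values are fake, and the whole service is a simulation so the script runs offline.

```python
import json
import secrets
from urllib.parse import urlparse

# Constructed stand-in for the EC2 instance metadata service (IMDS). The role name and the
# credential values are fake; the endpoint paths and header names are the real ones.
IMDS_HOST = "169.254.169.254"
ROLE_NAME = "webapp-instance-role"
FAKE_CREDS = {"AccessKeyId": "ASIAFAKE0000000000", "SecretAccessKey": "fake", "Token": "fake"}


class FakeIMDS:
    """Minimal model of IMDS. require_token=True models an instance launched with
    HttpTokens=required (IMDSv2 only); False models the IMDSv1-compatible default."""

    def __init__(self, require_token):
        self.require_token = require_token
        self.session_tokens = set()

    def handle(self, method, path, headers):
        h = {k.lower(): v for k, v in headers.items()}
        # IMDSv2 session token: obtainable only with a PUT that carries a TTL header.
        if method == "PUT" and path == "/latest/api/token":
            if "x-aws-ec2-metadata-token-ttl-seconds" not in h:
                return 400, ""
            token = secrets.token_urlsafe(32)
            self.session_tokens.add(token)
            return 200, token
        if method != "GET":
            return 405, ""
        if self.require_token and h.get("x-aws-ec2-metadata-token") not in self.session_tokens:
            return 401, ""
        if path == "/latest/meta-data/iam/security-credentials/":
            return 200, ROLE_NAME
        if path == f"/latest/meta-data/iam/security-credentials/{ROLE_NAME}":
            return 200, json.dumps(FAKE_CREDS)
        return 404, ""


def ssrf_fetch(imds, url):
    """Models the vulnerable server-side fetch: the attacker controls the URL, but the
    request is always a plain GET with no custom headers."""
    u = urlparse(url)
    if u.hostname != IMDS_HOST:
        return 502, ""  # only the metadata host is modelled here
    return imds.handle("GET", u.path, {})


def steal_role_credentials(imds):
    """The attacker's two requests through the SSRF: list the role name, then read its keys."""
    status, body = ssrf_fetch(imds, f"http://{IMDS_HOST}/latest/meta-data/iam/security-credentials/")
    if status != 200:
        return None
    role = body.strip()
    status, body = ssrf_fetch(imds, f"http://{IMDS_HOST}/latest/meta-data/iam/security-credentials/{role}")
    return json.loads(body) if status == 200 else None


def sdk_style_client(imds):
    """What the AWS SDK on the instance does under IMDSv2: PUT for a token, then GET with it."""
    status, token = imds.handle("PUT", "/latest/api/token",
                                {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    if status != 200:
        return None
    status, body = imds.handle("GET", f"/latest/meta-data/iam/security-credentials/{ROLE_NAME}",
                               {"X-aws-ec2-metadata-token": token})
    return json.loads(body) if status == 200 else None


if __name__ == "__main__":
    print("IMDSv1 via SSRF :", steal_role_credentials(FakeIMDS(require_token=False)))
    print("IMDSv2 via SSRF :", steal_role_credentials(FakeIMDS(require_token=True)))
    print("IMDSv2 SDK path :", sdk_style_client(FakeIMDS(require_token=True)))
```

On a real instance the enforcement is: aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1. The hop limit of 1 keeps the token response from being relayed through a container or proxy on the same host. Two caveats: IMDSv2 blocks this particular shape of SSRF, not one that lets the attacker choose the HTTP method and headers, and it does nothing about the third step. A role attached to a web application firewall had no business listing and reading customer data buckets; that over-entitlement is the finding the text attributes to CIEM, and it is the one IMDSv2 cannot fix.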
What is not immediately obvious is that each of these findings is typically identified by a separate security tool (and team): web application scanning for the exposed application, cloud infrastructure entitlement management (CIEM) for the over-privileged machine identity, and cloud security posture management (CSPM) for the misconfiguration. Independently, none of them had the technical and business context needed to recognize the criticality, or even the existence, of the complete attack path.
Source: Tenable, 2024
So what lessons can we take from these attacks, and how can we apply them in the context of our existing security program to drive better outcomes?
Source: Verizon 2024 Data Breach Investigations Report
The challenge, of course, is that traditional security tools are not designed with these considerations in mind.
The role of exposure management platforms, such as Tenable One, is to unify visibility, insight and action across the attack surface. Tenable One not only discovers asset, identity and risk relationships across multi-cloud environments, it also discovers on-premises IT, operational technology (OT) and internet of things (IoT) assets and identities.
Exposure management is a preventive security strategy that uses deep context, in the form of business-aligned asset, identity and risk relationships, to distinguish ordinary risk findings from true exposures that can have a material impact on an organization. What makes it different is scope: it looks at the entire attack surface (cloud, IT, OT, IoT, identities, applications) and at the full spectrum of preventable risk (vulnerabilities, misconfigurations, human and machine privileges) that attackers chain together, exposing and closing viable attack paths before a breach can begin.
For example, Tenable One’s inventory includes human and machine identities and privileges from Active Directory, provided by Tenable Identity Exposure. That information is combined with multi-cloud identities and privileges provided by Tenable Cloud Security. Together, they let Tenable One map technical and business relationships across traditional security boundaries and prioritize attack paths such as those used in the SolarWinds and Capital One breaches.
The short video below demonstrates how Tenable One can uncover and bridge the visibility gaps exploited in the SolarWinds and Capital One breaches, so users can remediate high-exposure attack paths before attackers can exploit them.
Source: Tenable, October 2024
Tenable One’s capabilities set it apart from other exposure management platforms in two key ways:
To learn more about exposure management, download the whitepaper “Hackers Don’t Honor Security Silos: 5 Steps To Prioritize True Business Exposure.”
Pierre Coyne is a visionary marketing leader with over 25 years of experience at the forefront of innovation in the high-tech industry. He has played a pivotal role in shaping go-to-market strategies across cutting-edge markets, including continuous threat exposure management (CTEM), cloud security (CNAPP), multi-cloud platforms and container orchestration with Kubernetes. As Director of Product Marketing at Tenable, Pierre drives thought leadership for Tenable One, the world’s only AI-powered exposure management platform, empowering security leaders to enhance visibility, optimize resource efficiency and minimize operational costs. Prior to Tenable, Pierre led IBM's GTM strategy for its multi-billion-dollar cloud platform and contributed to the success of several trailblazing tech companies, including Armis, Micromuse, CA, Platinum and others.