10 Boldest Statements From The SolarWinds Senate Hearing
Senators and tech executives discussed how the SolarWinds hackers used AWS’ infrastructure, took advantage of Microsoft’s authentication process, dwelled in FireEye’s systems and remained undetected for months.
Security Takes Center Stage On Capitol Hill
Four executives leading the private sector response to the colossal SolarWinds hack testified Tuesday before the Senate Intelligence Committee and discussed who they thought was responsible for the attacks, what made this campaign different from previous nation-state incursions, and how the U.S. government and private industries can prevent something like this from happening again.
Taking the stand were FireEye CEO Kevin Mandia (pictured far left); SolarWinds CEO Sudhakar Ramakrishna (pictured center); Microsoft President Brad Smith (pictured right); and CrowdStrike CEO George Kurtz. They appeared in front of Intelligence Committee Chairman Sen. Mark Warner, D-Va.; Vice Chairman Sen. Marco Rubio, R-Fla.; as well as committee members including Sen. John Cornyn, R-Texas; and Sen. Richard Burr, R-N.C.
Mandia discussed how long the hackers were in FireEye’s systems, Ramakrishna addressed SolarWinds’ investigation into potential entry vectors, Kurtz described how hackers took advantage of architectural limitations in Microsoft’s authentication process, and Smith defended Microsoft’s use of the SAML authentication standard.
Several senators also slammed Amazon Web Services for refusing to testify at the hearing about the SolarWinds intrusion even though the public cloud giant’s infrastructure was used in the attack. Here’s a look at 10 of the boldest statements from elected officials and tech executives at the SolarWinds senate hearing.
10. The Adversary Isn’t New, But The Scale Of Attack Is
Mandia: This group has been around for a decade or more. Different people go in and out of that group. We’re probably responding to the kids of the people I responded to in the ’90s when this group was active. How they gain a foothold in the victim network—SolarWinds was a way—they will always have other ways. This is a group that hacks for a living.
What they do after they break in really doesn’t change that much. They target specific people, primarily folks, at least in our case, that did work with the government. They target government projects, they target things that are responsive to keywords. These folks have economy of movement. If they broke into your machine, they string-search it, they find responsive documents, and they get out of Dodge. They have an economy that shows they’re professional. And that doesn’t change.
Smith: I can’t think of a similar operation that we have seen that would have similar human scale. … I haven’t seen anything larger. It’s the largest and most sophisticated operation of this sort that we’ve seen.
9. Destructive Attacks Are Easier Than Stealthy Espionage
Mandia: Disruption would have been easier than what they did. They had focused, disciplined data theft. It’s easier to just delete everything and [use] blunt-force trauma and see what happens, which is what other actors have done.
But what I’ve observed this group do—and I think this is an important detail—a lot of times when you break into a network, you get what’s called the ‘domain admin account,’ and you just use that to grab everything. It’s the keys to everything; it’s the master key in the hotel. But what this group actually did, if they wanted to break into Room 404, they got a room key that only worked for Room 404. Then they got the room key for 407.
They actually did more work than what it would have taken to go destructive. But obviously, they had the access required and the capability required—should they have wanted to be disruptive—to have done so.
8. FireEye Told Government Clients About Breach Before Going Public
Mandia: There’s got to be a way for folks who are responding to breaches to share data quickly to protect the nation and protect industries. And that would require defining what is a first responder. And I think it’s pretty simple. If you’re trying to figure out what happened to unauthorized or unlawful access to a network, you’re a first responder. And if you do that for other companies besides yourself, you’re a first responder.
And first responders should have an obligation to share threat intelligence to some government agencies, so that, without worrying about liabilities and disclosures, we’re getting intel into people’s hands to figure out what to do about it. … We need to know, if you’re a first responder, you’re obligated to get threat intel into the bucket so we can protect the nation.
We notified the government customers we had before we went public with the breach. We found out later based on contractual reviews who we had to notify or not, but the reality is, the minute we had a breach, I was talking to ring zero—the intelligence community, law enforcement. You don’t want to get email when you don’t know if your email is secure. So the reality is, I think we told every government customer we had that we had a problem—period—before we even went public.
7. Should Companies Reporting A Breach Have Liability Protection?
Smith: We should notify I think a part of the U.S. government that would be responsible for aggregating threat intelligence and making sure that it is put to good use to protect the country, and for that matter, people outside the country. I think we need to decide upon whom that duty should fall. It should certainly fall on those of us in the tech sector who are in the business of providing enterprise and other services. I think it’s not a bad idea to consider some kind of liability protection. It will make people more comfortable with doing this. This is about moving information fast to the right place so it can be put to good use.
Mandia: To me, notification needs to be confidential, or you don’t give organizations the capability to prepare for those liabilities. … I like the idea of confidential threat intelligence sharing to whatever agency has the means to push that out to places. Then disclosures that are legal requirements to inform those who are impacted. And you don’t know that day one. In FireEye’s case, we were sharing intel really fast, and we did not know what we had lost in our breach yet, but we knew there was something different about it. You can get the intel out there quickly if it’s confidential.
Warner: While I am very open to some level of liability protection, I’m not interested in a liability protection that excuses the kind of sloppy behavior, for example, that took place in Equifax, where they didn’t even do the basic cyber hygiene. If you report that, you should not be free of your responsibility if you have been a sloppy player.
6. Other Vendors Know They Were Hacked, But Are Staying Quiet
Smith: There are more attack vectors, and we may never know exactly what the right number is. This is like finding someone in the building, and now you have to figure out how they got in. And in our case at Microsoft, we identified 60 customers where we figured out that they had obtained—once they got in—typically, the password to somebody, an IT administrator, who could get them into something like Office 365. But, in each instance, they got in on-premise, so it wasn’t in our server or our service. And so we need to work with somebody else to get to the bottom of it.
Warner: There may be other brand-name players that may have been penetrated that have not been as forthcoming and are leaving policymakers and potentially customers in the dark. … There are other brand-name, known IT and software and cloud services [vendors] that may have been vulnerable to this kind of incident as well. And their public and active participation we’re going to get; we’re going to make sure that takes place.
5. SolarWinds Narrows Down Possible Entry Vectors To Three
Ramakrishna: Our investigation into the initial entry point is still active at this point. We have had a number of hypotheses over the last couple of months. Working with our investigation partners, we’ve been able to narrow them down now to about three, which I hope will help us conclude to one. But just the nature of the investigation is we’re still sifting through terabytes of data to figure out if we can pinpoint that particular one. …
TeamCity is a tool used in the build processes by us and many other companies out there. We to date have no evidence that it was the backdoor used to get into SolarWinds. Although we haven’t eliminated that possibility, we haven’t proven it.
4. Who Do Tech Execs Believe Is Behind The SolarWinds Attack?
Smith: At this stage, we’ve seen substantial evidence that points to the Russian foreign intelligence agency, and we have found no evidence that leads us anywhere else. So we’ll wait for the rest of the formal steps to be taken by the government and others, but there’s not a lot of suspense at this moment in terms of what we’re talking about. It’s very, very clear that this agency is very, very sophisticated, and that has been true for a long time.
Mandia: We went through all the forensics. It is not very consistent with cyber espionage from China, North Korea or Iran. And it is most consistent with cyber espionage and behaviors we’ve seen out of Russia.
Kurtz: I know the government has talked about Russia as being one of the threat actors. From our perspective, we have nothing further to add to either confirm or deny that. But what I can tell you is it is absolutely a sophisticated nation-state actor. This took a lot of work, a lot of planning went into this, and we think about how difficult software is to build. … The idea to actually inject something and have it all work without errors, and without anyone actually seeing it, is superb tradecraft.
3. Hackers Had Access To FireEye’s Systems For Months
Mandia: The bottom line is it was a couple months from initial access, but the attacker wasn’t alive every single day. In other words, they were on our system for maybe three hours in one day, a week would go by, a couple hours on another day. We weren’t a full-time job for the intruders that broke into us because they had broken into 60-plus other organizations, if not 100. So we did get their attention, and there were several days of activities before we detected them. But over time, it was several months.
Kurtz: This is indicative of a nation-state actor, and it’s in their interest to maintain persistence. If they were collecting data, they want to continue to collect information over a period of time. If the campaign is over, they certainly would want to remove their tools so they weren’t found by companies like CrowdStrike and FireEye and Microsoft and others. So it’s in their best interest to maintain the persistence because you never know what they’re going to need.
When an adversary gets in, they don’t necessarily know what they’re going to find. They find some interesting tools, they find some emails that may lead them to another company they can compromise. And it’s a massive spiderweb of interrelated entities and information that they have to collect. ... There’s no reason for them to get out unless that campaign is over, and certainly unless they want to remove that malware and their tools, which we’ve seen in this particular case because they didn’t want anyone else to find them.
2. CrowdStrike, Microsoft Spar Over Microsoft’s Culpability
Kurtz: The threat actor took advantage of systemic weaknesses in the Windows authentication architecture, allowing it to move laterally within the network as well as between the network and the cloud by creating false credentials impersonating legitimate users and bypassing multifactor authentication. …
One of the most sophisticated aspects of the campaign was how skillfully the threat actor took advantage of architectural limitations in Microsoft’s Active Directory Federation Services. The Golden SAML attack allowed them to jump from customer on-premise environments and into cloud and cloud applications, effectively bypassing multifactor authentication. This specific attack vector was documented in 2017, and operates at a cloud-scale version of similar identity-based attacks I originally wrote about in 1999. …
Should Microsoft address the authentication architecture limitations around Active Directory and Azure Active Directory, or shift to a different methodology entirely, a considerable threat vector would be completely eliminated from one of the world’s most widely used authentication platforms. It is our every hope and, I imagine, the hope of the entire cybersecurity community either that they are able to do so or that we can move to a more community-driven approach to authentication.
Smith: The forged identity refers to an industry standard—SAML. It’s a markup language. It’s an industry standard that is supported by a wide variety of products, including our own. Actually, as we investigated this incident, we found that it was relevant in only 15 percent of the cases. And in those 15 percent, in every instance, this tool was used to add access capability only after the actor was in the network, had obtained access with what we call elevated privileges, and was able to move around and then use this.
This particular standard—the SAML standard—was created in 2007. So long before 2017, we and many other companies in the industry have been working to move people towards a more modern authentication standard. And there has been one that has been around since 2012.
1. AWS Slammed For Refusing To Testify Despite Role In Attack
Warner: I would like for the record to note that we also asked a representative from Amazon Web Services to join us today, but unfortunately they declined. But we will be expecting to get a full update. We’ve had one update from our friends at Amazon, but it would be most helpful if, in the future, they actually attended these hearings. … When a large enterprise like Amazon is invited, they ought to be participating.
Rubio: As the chairman mentioned, we had extended an invitation to Amazon to participate. The operation we’ll be discussing today uses their infrastructure, [and], at least in part, required it to be successful. Apparently they were too busy to discuss that here with us today, and I hope they’ll reconsider that in the future.
Cornyn: I share the concern that has been expressed at Amazon Web Services declining to participate. I think that’s a big mistake; it denies us a more complete picture than we might otherwise have, and I hope they will reconsider and cooperate with the committee going forward.
Burr: In the SolarWinds attack, Amazon Web Services hosted most of the secondary command and control nodes. And all of AWS’ infrastructure was inside the United States .… We constantly see foreign actors exploiting domestic infrastructure for the command and control to hide the nefarious traffic in legitimate traffic. Given the legal restrictions on the intelligence community, we don’t have the ability to surveil the domestic infrastructure. So what should the U.S. government’s role be in identifying these types of attacks?