
SSO and SAML – Safe When Done Right, Even After SolarWinds Revelation

Nothing is more important to enterprise IT efficiency today than SSO and secure application integrations. That is why, after Microsoft's announcement of possible enterprise vulnerabilities, YouAttest felt compelled to reiterate that SSO and SAML are safe when done right.

SSO and SAML Safe When Done Right – How?

The Microsoft blog post “Important steps for customers to protect themselves from recent nation-state cyberattacks”, by John Lambert of the Microsoft Threat Intelligence Center, issued “guidance about increased activities from a sophisticated threat actor that is focused on high value targets such as government agencies and cybersecurity companies.”

The post focuses on an intrusion carried out through malicious code inserted into the SolarWinds Orion product. This supply-chain compromise was, among other things, the vector behind the breach FireEye had announced.

The implanted code gave the intruder a foothold in the victim network. That foothold communicated with attacker-controlled command-and-control (C2) servers and was then used to obtain elevated credentials.

The attack, among other activities, used those elevated privileges to:

  • Gain access to an organization’s trusted SAML token-signing certificate.
  • Forge SAML tokens that impersonate any of the organization’s existing users and accounts.
Image #1: The SolarWinds attack used the Orion agent to communicate with the malicious command-and-control server.

The most important point from the Microsoft Threat Intelligence Center is that, once the token-signing certificate is compromised, the attacker can sign in from any system to any resource that trusts that certificate, on premises or in any cloud:

  • “Anomalous logins using the SAML tokens created by a compromised token-signing certificate, which can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate.”
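The following is an added example, not code from YouAttest or from the Microsoft post, constructed to show two things the quote above implies: why a stolen token-signing key is so dangerous, and how the resulting forgeries are detected. A service provider checks only the signature, so an assertion signed with the stolen key for a user who never logged in is accepted. The reliable tell is that the IdP’s own issuance log has no record of the assertion, with a lifetime outside IdP policy as a secondary signal. An HMAC key stands in for the RSA key and XML-DSig used by real SAML; the hostnames, assertion IDs, timestamp and one-hour policy are assumptions made for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Assumed stand-in for the IdP's private token-signing key. Real SAML uses an
# RSA key with XML-DSig; the trust property shown here is the same.
IDP_SIGNING_KEY = b"example-idp-token-signing-key"
IDP_ISSUER = "https://idp.example.com"      # assumed hostname
MAX_LIFETIME = timedelta(hours=1)           # assumed IdP token-lifetime policy


def _canonical(assertion: dict) -> bytes:
    return json.dumps(assertion, sort_keys=True).encode()


def sign_assertion(assertion: dict, key: bytes) -> dict:
    """Sign an assertion with whatever key the caller holds (IdP or thief)."""
    sig = hmac.new(key, _canonical(assertion), hashlib.sha256).hexdigest()
    return {"assertion": assertion, "signature": sig}


def sp_verify(token: dict, trusted_key: bytes) -> bool:
    """What a service provider checks: the signature against the trusted key.
    Nothing here asks the IdP whether it actually issued this assertion."""
    expected = hmac.new(trusted_key, _canonical(token["assertion"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["signature"])


def build_assertion(subject, assertion_id, issued_at, lifetime):
    return {
        "id": assertion_id,
        "issuer": IDP_ISSUER,
        "subject": subject,
        "issued_at": issued_at.isoformat(),
        "expires_at": (issued_at + lifetime).isoformat(),
    }


class IdentityProvider:
    """Legitimate IdP: every assertion it signs is recorded in its issuance log."""

    def __init__(self, key: bytes):
        self._key = key
        self.issuance_log = {}          # assertion id -> subject

    def issue(self, subject, assertion_id, now):
        assertion = build_assertion(subject, assertion_id, now, MAX_LIFETIME)
        self.issuance_log[assertion_id] = subject
        return sign_assertion(assertion, self._key)


def detect_forged_tokens(sp_accepted, idp_issuance_log):
    """Correlate assertions the SP accepted with the IdP's issuance log.
    Returns (reason, assertion) pairs for tokens the IdP has no record of
    issuing, or whose lifetime exceeds the IdP's policy."""
    findings = []
    for token in sp_accepted:
        a = token["assertion"]
        if a["id"] not in idp_issuance_log:
            findings.append(("not issued by IdP", a))
            continue
        lifetime = (datetime.fromisoformat(a["expires_at"])
                    - datetime.fromisoformat(a["issued_at"]))
        if lifetime > MAX_LIFETIME:
            findings.append(("lifetime exceeds IdP policy", a))
    return findings


def run_scenario():
    now = datetime(2020, 12, 14, 9, 0, tzinfo=timezone.utc)   # constructed
    idp = IdentityProvider(IDP_SIGNING_KEY)

    # A real user signs in through the IdP; the IdP logs the assertion.
    legit = idp.issue("alice@example.com", "_a1", now)

    # Attacker holding the stolen key forges a long-lived assertion for an
    # admin who never signed in. The IdP never sees this token.
    forged = sign_assertion(
        build_assertion("globaladmin@example.com", "_f9", now, timedelta(days=30)),
        IDP_SIGNING_KEY)

    # The SP accepts both: the signature check alone cannot tell them apart.
    sp_accepted = [t for t in (legit, forged) if sp_verify(t, IDP_SIGNING_KEY)]
    findings = detect_forged_tokens(sp_accepted, idp.issuance_log)
    return sp_accepted, findings


if __name__ == "__main__":
    accepted, findings = run_scenario()
    print(f"SP accepted {len(accepted)} tokens")
    for reason, a in findings:
        print(f"ALERT {a['id']} for {a['subject']}: {reason}")
```

The correlation in detect_forged_tokens is the check that matters: it needs the IdP’s issuance log and the service providers’ accepted-assertion logs in the same place, which is why the guidance below puts so much weight on monitoring sign-ins rather than on the signature check itself.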

OK, that is serious. As stated, SAML and similar SSO technologies are the cornerstone of the modern enterprise; frankly, running one without them is impossible.

All is not lost. There are mechanisms within the enterprise's own power to address these attacks.

In the words of Shahriah Chowdhury:

“Stop calling #solarwinds attack ultra sophisticated. It’s like calling #covid19 prevention required sophistication. All solarwinds needed to do is secure its pipelines. All their clients needed to do is turn off auto-update or perform network forensics of connections to unknown IP addresses from the server. This would have been caught in April. It’s a shame we think this is the worst we can see in #cybersecurity.”

Microsoft was more elaborate on how to keep your environment safe. Below are the points for consideration:

  1. Run the latest antivirus or EDR products that detect the compromised SolarWinds libraries.
    • Note: consider disabling SolarWinds until you are confident in the state of your environment.

  2. Block known C2 (command and control) endpoints:
    • avsvmcloud[.]com

  3. Follow the best practices of your identity federation provider for securing the SAML token-signing key, including keeping the key in hardware (an HSM).

  4. Ensure user and admin rights follow best practices (and this, I thought, was key):
    • “Reduce the number of users that are members of highly privileged Directory Roles, like Global Administrator, Application Administrator, and Cloud Application Administrator.”
    • An auto-attest tool like YouAttest can help by triggering on changes to these groups – YouAttest Webinar

  5. Monitor service accounts, including ensuring that secrets such as certificates are stored safely, and monitor sign-ins that use these credentials.

  6. Reduce the attack surface by removing or disabling unused and unnecessary applications.
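As an added example for step 4 (not YouAttest’s product code), the following constructed check does what an attestation trigger on privileged roles has to do: compare a previously attested snapshot of directory role membership with the current one, report every addition and removal, escalate when a service principal is added to a privileged role, and flag a role whose member count exceeds a limit. The three role names are the ones quoted from the Microsoft guidance; the member limit, the snapshots, and the convention that a principal named "sp:…" is a service principal are assumptions made for the example. In practice the snapshots would come from the directory’s API or audit log.

```python
# Roles the Microsoft guidance names as highly privileged.
PRIVILEGED_ROLES = (
    "Global Administrator",
    "Application Administrator",
    "Cloud Application Administrator",
)

# Assumed organisational policy: maximum members allowed per privileged role.
MAX_MEMBERS = {"Global Administrator": 3}


def attest_privileged_roles(before, after):
    """Compare two snapshots {role: set of principal names} and return a list
    of finding dicts, ordered by role, then additions, removals, and limits.

    Principals named "sp:<name>" are treated as service principals; this is a
    convention constructed for the example, not a directory feature."""
    findings = []
    for role in PRIVILEGED_ROLES:
        old = set(before.get(role, ()))
        new = set(after.get(role, ()))
        for principal in sorted(new - old):
            # A service principal gaining a privileged role is the pattern
            # that lets an implanted agent act as an administrator.
            severity = "high" if principal.startswith("sp:") else "medium"
            findings.append({"role": role, "principal": principal,
                             "event": "added", "severity": severity})
        for principal in sorted(old - new):
            findings.append({"role": role, "principal": principal,
                             "event": "removed", "severity": "low"})
        limit = MAX_MEMBERS.get(role)
        if limit is not None and len(new) > limit:
            findings.append({"role": role, "principal": None,
                             "event": f"{len(new)} members exceeds limit of {limit}",
                             "severity": "medium"})
    return findings


# Constructed snapshots: the last attested state and the state observed now.
SNAPSHOT_BEFORE = {
    "Global Administrator": {"alice@example.com", "bob@example.com",
                             "breakglass@example.com"},
    "Application Administrator": {"carol@example.com"},
}
SNAPSHOT_AFTER = {
    "Global Administrator": {"alice@example.com", "bob@example.com",
                             "breakglass@example.com", "sp:orion-monitoring"},
    "Application Administrator": {"carol@example.com", "dave@example.com"},
    "Cloud Application Administrator": set(),
}


def run_attestation():
    return attest_privileged_roles(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)


if __name__ == "__main__":
    for f in run_attestation():
        who = f["principal"] or ""
        print(f"[{f['severity']}] {f['role']}: {who} {f['event']}")
```

Run on the constructed snapshots, the check raises a high-severity finding for the service principal added to Global Administrator, a medium one for that role now exceeding its limit, and a medium one for the new Application Administrator; an unchanged, in-policy directory produces no findings.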

It is also important to mention that SolarWinds has a hotfix for this vulnerability:

  • SolarWinds has released Orion Platform version 2020.2.1 HF 1 to allow admins to secure systems running compromised versions (2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020).

Lastly, look to the community for ideas and best practices. YouAttest will be hosting a webinar on this topic with key SSO specialists Mark Lambiase and Kelly Gilmore. The webinar will review these and other points with team members well acclaimed in the field, who helped me build the first commercially available two-factor IdP, which shipped to and was deployed at hundreds of sites.

If you find this topic interesting, or if you would like more information about “SSO and SAML Safe When Done Right”, please write back to us and we will be happy to provide more details.

Garret Grajek is a Certified Information Security Specialist and CEO of YouAttest. YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO to platforms like Okta. Register for the YouAttest special webinar on securing SSO and SAML.