SolarWinds and Key Administrative Groups
The SolarWinds attack has reminded us that it often comes down to who has access to our PAM (Privilege Management Accounts). That’s why I just put out a webinar that, among other items, highlighted YouAttest Event Triggers, the key to monitoring and auditing key administrative groups.
Microsoft detailed how the attack made SSO vulnerable: privileged accounts could utilize new SAML signing certificates to communicate with malicious C2s. The key point is that the attack used elevated privileges and obtained PAM account status to execute these commands.
Thus, both Microsoft and Okta (and others) stressed to the SSO community that PAM accounts need to be secured to address the SolarWinds attack.
Microsoft (John Lambert, Microsoft Threat Intelligence Center):
- Ensure that user accounts with administrative rights follow best practices, including use of privileged access workstations, JIT/JEA, and strong authentication. Reduce the number of users that are members of highly privileged Directory Roles, like Global Administrator, Application Administrator, and Cloud Application Administrator.
Okta (Marc Rogers, Executive Director, Cybersecurity Strategy):
Consider reviewing all administrator accounts responsible for managing federated SSO to check for unauthorized configuration changes or users.
In essence, what these companies are imploring enterprises to do is to practice NIST Pr.AC-6 PoPL (the “Principle of Least Privilege”):
Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions.
That is, we should be managing, auditing and constantly monitoring these key groups. But how?
That’s Where YouAttest Comes In: Monitoring and Auditing Key Administrative Groups
YouAttest hosted an informative webinar, with key security and infrastructure experts, the week of the SolarWinds revelation. The webinar detailed how the attack was deployed, what it was and how it affected SSO/SAML. One of the key takeaways from the webinar, obvious to all, was that an enterprise MUST protect its privileged accounts (PAM) and especially the AD domain accounts.
This is where YouAttest comes in.
YouAttest led the IGA (Identity Governance) world by creating the fastest time-to-value cloud-based attestation solution, introducing YouAttest IGA in early 2020. Key feedback in the community led to YouAttest 2.0, which included event triggers on AD and Okta groups.
YouAttest Event Triggers allows an enterprise to:
- Select Key Groups (e.g. Administrative Groups, Service Groups, etc.) to monitor
- Select Key Personnel To Review (Business Users, System Users)
- Auto-Generate YouAttest Attestation Campaigns
YouAttest enables an enterprise to set triggers on key AD and Okta groups (like AD Administrators in this configuration).
YouAttest Triggers on Multiple Events (Security, User and Groups)
YouAttest triggers on a myriad of events that enable these attestations. These include:
1) Application Lifecycle Events
2) Device Trust Events
3) Security Events
4) User Import Event
5) Policy Events
6) Group Events
7) User App Events
8) User Auth Events
9) User Life Events
Though YouAttest can trigger on multiple events, for security policy reasons it usually comes back to the group events: users being added to or deleted from the primary administrative groups.
These groups can include Okta Groups, Default AD groups (like Administrators, Cert Publishers, Domain Admins, Enterprise Admin, Enterprise Key Admins and others) and custom PAM AD groups.
All security best practices specify that these groups should be monitored, and that changes should be approved.
YouAttest Creates Automated Campaign to Approve/Revoke the Changes
Step 1: YouAttest enables you to select the admin/service group you wish to follow

Step 2: An event trigger is created in the YouAttest library of Triggers

Step 3: An event occurs that “trips” one of YouAttest’s set triggers
In this case, a user is moved into the “domain group” category.


Step 4: An Attestation campaign is created based on the trigger
The user(s) that were specified to attest to the change are alerted by email and in their account to conduct an attestation campaign.

Step 5: The reviewer/manager logs in and Certifies/Revokes or Del

Step 6: An Attestation report is created from the campaign
In this case the attestation was completed and approved. The record shows that Mark Millar approved Sher Azam’s joining of the Domain Group.
Image #6: The report is a record of the approval of Sher Azam into the Domain Group.

This report is then saved in the YouAttest system and is an important document to be shared with the auditors at the end of the audit period.
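The trigger-to-attestation flow in steps 1 to 6, sketched as an added example (this is not YouAttest's code or API): it filters membership-change events for watched privileged groups, opens a pending review, and records a certify/revoke decision. The normalised event shape, the reviewer mapping and the `security-team` fallback are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass

# Groups to watch; names follow the default AD groups listed in the article.
WATCHED_GROUPS = {"Administrators", "Cert Publishers", "Domain Admins",
                  "Enterprise Admins", "Enterprise Key Admins"}
# Membership-change identifiers: Windows Security event IDs and Okta System Log types.
ADDED = {"4728", "4732", "4756", "group.user_membership.add"}
REMOVED = {"4729", "4733", "4757", "group.user_membership.remove"}
FALLBACK_REVIEWER = "security-team"  # hypothetical escalation queue

@dataclass
class Review:
    group: str
    member: str
    actor: str
    change: str            # "added" or "removed"
    reviewer: str
    decision: str = "pending"

def triggered_reviews(events, reviewers):
    """Open one pending review per membership change on a watched group."""
    reviews = []
    for ev in events:
        etype = str(ev["type"])
        change = "added" if etype in ADDED else "removed" if etype in REMOVED else None
        if change is None or ev.get("group") not in WATCHED_GROUPS:
            continue
        reviewer = reviewers.get(ev["group"], FALLBACK_REVIEWER)
        # Separation of duties: whoever made the change may not attest to it.
        if reviewer == ev["actor"]:
            reviewer = FALLBACK_REVIEWER
        reviews.append(Review(ev["group"], ev["member"], ev["actor"], change, reviewer))
    return reviews

def decide(review, who, approve):
    """Record the decision; only the assigned reviewer may certify or revoke."""
    if who != review.reviewer:
        raise PermissionError(f"{who} is not the assigned reviewer")
    review.decision = "certified" if approve else "revoked"
    return review

# Constructed sample events in an assumed, already-normalised shape.
SAMPLE_EVENTS = [
    {"type": 4728, "group": "Domain Admins", "member": "s.user", "actor": "helpdesk1"},
    {"type": "group.user_membership.add", "group": "Marketing", "member": "j.doe", "actor": "hr-sync"},
    {"type": "user.session.start", "group": None, "member": "s.user", "actor": "s.user"},
    {"type": 4756, "group": "Enterprise Admins", "member": "svc-backup", "actor": "it.manager"},
]
REVIEWERS = {"Domain Admins": "it.manager", "Enterprise Admins": "it.manager"}
```

A review left in the `pending` state is itself a finding: the membership change took effect without anyone attesting to it.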
Summary: YouAttest a valuable part of your IT Security arsenal of detective weapons
Though no one, let alone YouAttest, is downplaying the thought and effort that went into the creation and deployment of the hack, there is a strong consensus that proper security measures and practices can at least warn us earlier of these types of attacks, if not block their efforts. This was the theme and information provided in the YouAttest webinar with industry experts. It is important to note that this hack did NOT change or compromise the integrity or crypto algorithms that underlie SAML and the other SSO mechanisms. The hack attacked the weak link: our deployment and management of these protocols.
Thus, YouAttest agrees with other industry experts who cite that best practices can help detect and mitigate these types of vulnerabilities. One of the key measures to put in place is PAM account monitoring. This is exactly what YouAttest puts in place with the Event Triggering system that is detailed above and in the webinar.
In this regard, YouAttest can not only be a big part of reducing your IT Audit expenses but also be a valuable part of your IT Security arsenal of detective weapons.
—
YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO to platforms like Okta. YouAttest demonstrated how YouAttest can help identify PAM attacks in its Special Webinar on securing SSO and SAML.