On 12 July 2023, the Washington Post reported that China-based adversaries had breached unclassified US Government email hosted in Microsoft's cloud, an intrusion discovered the previous month. Our latest Hash It Out session between Virtru experts Rob McDonald, SVP of Strategy and Field CPO, and Peter Nancarrow, Director of Security, SRE & IT, touches on some of the details of this sophisticated exploit, the need for a data-centric security strategy, and the case for a multi-layered defense rather than "over-trusting" a single provider.
Transcript
Rob McDonald: So welcome to our new Hash It Out Episode. My name is Rob. I am the SVP of strategy and one of our field CPOs at Virtru. And I got Peter here with me today.
Peter Nancarrow: Yeah, I'm Peter Nancarrow. I'm our director of security, site reliability engineering, and IT here at Virtru.
Rob McDonald: Cool, Peter. I'm looking forward to this conversation. So, I wish sometimes that we were talking about all the positive things we welcome in this industry, right. Instead we get to talk about the sour things, and it's really interesting though, right, because there are new publications, new vulnerabilities, this exploited vulnerability with Microsoft. What looks like a targeted, sophisticated attack, right?
Peter Nancarrow: Yeah. Oh, yeah, definitely targeted from, you know, state actors. Yeah, you know, attackers who have a lot of power.
Rob McDonald: Yeah, I think it's funny. Like, you know, the officials never want to call out the state, but you know, all these things. I thought it was really interesting because this is, yet again, kind of another forged authentication situation, right?
Peter Nancarrow: Yeah, forged authentication, a highly complicated attack. You know, this isn't your everyday phishing attack. "I've got your really strong password, Rob. I know you love password one, two, three, and that's literally the one." It's not something you can just remediate by changing the password or not.
Rob McDonald: Exactly, exactly.
Peter Nancarrow: Yeah, it's much more complicated than that. You know, finding holes in Microsoft isn't always easy, although we see it from time to time. And, you know, tricking Microsoft's validation of these tokens is, you know, very complicated to find, exploit, and discover.
Rob McDonald: Right. And I'm gonna get back to that forging piece, but what you said there was really interesting, because in this particular case, I think I understood correctly. This is new, to be fair; this is evolving. We're gonna learn more, so we're gonna be sensitive to that and work with what we know. But it's still interesting, because they forged those tokens effectively. In this particular case, the OWA and Exchange web services endpoints, basically, were the entry vectors; it looked legitimate. Effectively, you had no idea this was not a legitimate user because of the way in which that forged token was derived.
Peter Nancarrow: That's right. Yeah. So for Microsoft these looked like legitimate requests, and that's why they were passing them and allowing access to accounts, and it's likely that they had no idea this was going on for the last month, which is why their customers ended up discovering it through what we presume were other means.
Rob McDonald: And you know, I trust Microsoft. Microsoft does invest a lot into security, no doubt about it. So a lot of organizations I know, that I've been a part of and that I talk to, trust Microsoft quite a bit. They put a lot into that basket, which to some percentage is absolutely okay, because they are Microsoft. They're not incentivized to do bad security, right. But the detection is really interesting, because I looked in some of the articles at some of the agencies that actually found it. You know, right now it's somewhere around 25 mailboxes, something like that, and I think that number may grow; it always changes a little bit. But kudos to the agencies, right, because they were actually doing some really interesting behavioral analysis on those logs to see, hey, not only was this abnormal access to a mailbox, but it was from an abnormal authenticated client application.
Peter Nancarrow: Yeah, really interesting. And I mean, you have this huge world of cyber security and there are all these pieces to really securing your organization. One of those is that you use the provider you trust, Microsoft. They're backed by this huge security organization, and we know security is not perfect anywhere; it's software made by humans. We make mistakes, but you can't just trust your provider when there's a mistake like this. So there's a good chance one of these agencies is taking in these logs, analyzing them, and, you know, building models of what behavior looks like, and that's why they have a program of monitoring them. They might have the strongest people looking at these logs going, "well, that doesn't look right, what's going on here?" Yeah, and that can trigger this notification to Microsoft that this is bigger than just you, right?
Rob McDonald: Right? Because this was community sourced. I mean, again, I didn't dig into Microsoft, because they said, you know, "we learned this from the community," thank goodness. They treated that appropriately. Good on them for that. Not common though, for organizations, to have a sophisticated behavioral analysis capability to do that correlation on those logs. Is that fair, in your opinion?
Peter Nancarrow: Yeah, for sure. At least these agencies who are being targeted are, hopefully, appropriately staffed. We know there are staffing issues at the security level in the government but also in the industry. So, having tools and technology to support that is absolutely critical.
Rob McDonald: So I mean, I think you nailed it right there. Look, I think about where to invest, and you want to invest in preventative things, but let's be honest, the truth is, it's a very complicated landscape, especially in these cloud-native environments where the number of applications that you're using is significant. So I can't stress this enough. I think about, you know, my past. I definitely did not always, and was not always able to, invest in the skills and the tools necessary to bring that telemetry together. This just proves that investment results in early detection, as early as possible.
Peter Nancarrow: And the earliness is really important there, because, yeah, let's say they discovered this through logs; some anomaly popped up and that's what triggered it. Finding that anomaly is not as simple as just, "well, we get a log from Microsoft."
Rob McDonald: Exactly. Exactly. And if you think about the way that forged-token attack is taking place, there are ancillary services that could have been implicated, right? They chose to target a particular set of services where those tokens work, but in the world we live in today, in that cloud environment where the ecosystem is multi-app, the lateral movement potential is huge.
Peter Nancarrow: With Microsoft being as large as they are, a lot of people are relying on them.
Rob McDonald: Absolutely exclusively.
Peter Nancarrow: And as a user, you love that, because you have one login. The implications are down the line, right here.
Rob McDonald: It makes me think about rethinking the strategy of my security stack, both preventative and remediative, and that over-indexed trust we put in single providers, right? It's kind of hard to think about a single provider; it's like a conglomerate of a bunch of different things, but they're under one umbrella, right, from that perspective. It makes me think of that strategy not being, potentially, the best strategy.
Peter Nancarrow: Yeah, I mean, it's great to work with a vendor you trust. Microsoft, Google, all of these huge companies have a ton of tools that can make your life easier. And once you have them and trust them and you want to be in one ecosystem, that's great. But having that single point of failure can hurt.
Rob McDonald: I think we live in a different world now, though. You said consolidating there is great because it makes your life easier, but I think we live in a different world today. Security has different priority tools. In our ecosystem they are easier to use. You can have a different view of that strategy while still getting access to ease of use, in my opinion.
Peter Nancarrow: No, I mean, I think you're right. The term "defense in depth," right. I look at it with security, right. I think that's still an important idea in the security space, but because of this ease and speed of just adopting a provider and using everything they have, some organizations have probably gone away from that. So it's an illusion of depth. It's not actual depth, and Microsoft or any other provider is gonna have a ton of documentation describing their defense, but that doesn't all translate to your defense.
Rob McDonald: Right, you know, the common denominator in this particular scenario, with that attack, while they did just seem to target, or where they were successful, we don't know how far they went. I think where they were successful, it was email, right? But that's data, right. The data is the thing that's there. That's what's valuable, so that's the common denominator. So, in this case, I'm thinking about that strategy: separating how you're governing that data from the container in which the data sits is, to me, an important topic.
Peter Nancarrow: Yeah, for sure. Yeah. Email is such a critical part of every business operation, government function, and we know that it is always highly sensitive, highly informative, useful to potential spy organizations. It kind of seems to indicate that these attackers were fine with that. They were looking, really, just to collect data quietly for a period of a month.
Rob McDonald: No, that makes a lot of sense. I mean, I think though that in that particular case, the data is what was valuable, obviously, right? In this particular situation, those forged tokens resulted in no more levers; you had no more levers, the data was gone. So I'm thinking about data-centric security, applying that to the payload itself, so that you pop the container, okay, great, you still have to come to some other policy authorization plane that gains access to the payload. So, fine, you have that payload today, but it's of no use to you.
Peter Nancarrow: Yeah, I can't just sit there and watch the inbox, right, and get any information.
Rob McDonald: And that data is gonna move between other applications: OneDrive, email, Slack. The data is what's common there, and having that separate governance plane, to me, gives you an additional lever.
Peter Nancarrow: For sure, and especially when it's sensitive data. If they want to watch your lunch plans, that might not be ideal; maybe you're a public figure working for one of these agencies. Maybe you decide not to apply the right control there, but when it's the coordinates of a highly sensitive mission, we want to keep that between us. And being able to selectively apply these controls.
Rob McDonald: And you and I were talking about this earlier. I was being sensitive to the fact that you, in your role for us, and thank goodness you orchestrate this, are organizing and aggregating all of these sources of telemetry, right, but those all tell different perspectives about what's happening to the thing that you care about the most, which is the data. So another thing I think about in this particular case, because remember that telemetry was how they found out this attack was happening, is that if you apply that data-centric policy, that data-centric security, you have a view from the data itself. So as it moves into other environments, you're getting back that telemetry. So if I pull that payload out of the container and I go to try to access it, I now have telemetry I didn't have before, which is from after it was pulled out, right? That seems to me to be where I stand today. I'm thinking about the future of, kind of, posture management and remediation capabilities and risk reduction.
Rob McDonald: We know that data is important. Technology has evolved; we can have a different view at the data level to give us that, and the ease of use we just talked about earlier, as mentioned, because technologies are capable of it now. So at this point, it was impossible before, but it is possible today, where I stand.
Peter Nancarrow: No, no, I think you're right. And you have that extra layer of control, but going through the telemetry, you have added telemetry on the data itself as well. And even in a scenario like this, I'm sure they have a good sense of what data was compromised, but being able to go look email by email, having that assurance, "I know this," really helps them identify that scope in that incident response process, because there's a lot of stress going on. And being able to take, who knows, hundreds of thousands, millions of emails, and know that these chunks are safe makes everyone's worst day slightly better.
Rob McDonald: I think it's great to know that that package was stolen from the backseat of your car but would it be a lot better to be able to say they couldn't open it and get inside of it? That's the thing. One lets you know that something bad is happening. The other one is actually managing your anxiety to it.
Peter Nancarrow: You might not be happy about it but it's not gonna end your life.
Rob McDonald: I think a final point for me is we owe consumers, we owe our customers, we owe them more, right. So that additional lever is saying to them, that data is what we know matters to you, and we want to make sure that we're doing everything, again, to govern it effectively. So I appreciate the conversation; this was really interesting. I look forward to learning more.
Peter Nancarrow: Yeah, for them to pull back some of the levers.
Rob McDonald: Excited the community responded, excited about what's going on, and I appreciate the chat today.
Peter Nancarrow: Yeah, good to see you, cool.