Join Robert MacDonald and Sheetal Elangovan for an IBA Friday session! In this episode, they discuss the latest cyber breaches and what can be done to mitigate them.

Video Transcript
Robert MacDonald:
More news this week, Sheetal. We're not going to talk about anything One... well, we are going to talk about things 1Kosmos related. But there is a breach, there is a hack this week. I think you're going to ask... we're going to talk about how that happened or what's going on and how you can prevent it going forward, right?

Sheetal:
Exactly. So why don't we start with what happened at Microsoft and Midnight Blizzard. So Rob-

Robert MacDonald:
Yeah.

Sheetal:
... you're the one who wrote this fantastic blog post.

Robert MacDonald:
I did. I did.

Sheetal:
Covering the entire incident.

Robert MacDonald:
Yeah.

Sheetal:
Tell us a little bit about Midnight Blizzard.

Robert MacDonald:
Yeah, so Midnight Blizzard is part of, I guess it's a nation-state attack so they're part of Russia and that's kind of where that came from. And the Midnight Blizzard, they're a state-sponsored actor. They're also known as Nobellum or Nobelium, something like that.

Sheetal:
Nobelium.

Robert MacDonald:
And they decided that, you know what? Microsoft. Let's go after Micro... And I don't know if that's what the decision was. And I also want to say right up front that we're not picking on Microsoft here either. Breaches, hacks happen, right? There was another one that I read about today where there was a Chinese-sponsored attack that was foiled on our critical infrastructure. I'll have a blog about that probably sometime next week. Maybe we can talk about that one next time, Sheetal, but yeah, these guys are, they're out looking for information. They're out looking to cause disruptions and they did. They found a way into Microsoft's stack and were able to scrape out some emails from some other top-level executives. And I think we should probably talk about how they went about doing that.

Sheetal:
Yep. So it looks like the attack actually began sometime in November, but was actually discovered and announced to the public simply in chance. So this has been a low and slow attack from Midnight Blizzard as we see it.

Robert MacDonald:
Yeah, yeah. I mean a lot of these hacks too, or these attacks are just that they, they're not smash and grabs. There's not people walking in with baseball bats and smashing glass cases to steal diamond earrings and necklaces. They do these things really slow, so as not to raise awareness with the security operations teams. They're trying to make sure that they stay nice and low under the radar to get what they need and if they got to take time to do it, that's what they do. And that's basically what happened here as well, right?

Sheetal:
Yep. So their initial access was through what we call a password spraying attack.

Robert MacDonald:
Mm.

Sheetal:
For someone who's unfamiliar with a password spraying attack, it's a type of attack where a malicious actor can sort of use the same password or popular passwords on multiple accounts to gain access. So typically inside your AD domain, they are trying to find your account lockout policy and account threshold. So once they know how many attempts it takes to get your account locked, they are typically using popular or compromised passwords, multiple attempts, but just below, keeping it below the threshold, which sort of makes it hard to detect, right? So they're just evading the system and going about it slowly and trying to find a single compromised account. And this was typically how their initial access happened just through a password spraying attack.

Robert MacDonald:
Yeah, yeah. And it worked, right?

Robert MacDonald:
Yeah, and part of that, I know you're going to get in a little bit deeper, but where they were able to get in also didn't have any sort of additional authentication to try to verify that the user. So once they figured out the password, well, there is no, hey, what's your multifactor-

Robert MacDonald:
... authentication, right? Give me the code or give me whatever, give me your fingerprint, whatever it is. That wasn't in production in this instance.

Sheetal:
No, it was that. It wasn't really a production system. It was a non-production tenant.

Robert MacDonald:
Yeah.

Sheetal:
That gained access to, that had no multifactor authentication enabled on it. So that was the trick, right? Something fell off the cracks. They got to that tenant, they were able to gain access through this systemic plan, the password spray attack. The other thing that I thought was extremely interesting that they did was the use of what they call residential proxy infrastructure. So to break that down, it just basically means that these multiple sign-in attempts were coming in from IP addresses that are actually good IP addresses coming in from residential networks. So that made it even harder for things to be detected, so coupled with password spray and making sure that it's coming in from a residential infrastructure, I think any kind of detection mechanism must have been typically hard, right?

Robert MacDonald:
Yeah. Yeah, I mean, it'd be like me trying to log in from home or if I went to my parents' place and worked from there 'cause I was traveling, it'd be similar IP addresses so nothing really to raise any alarms.

Sheetal:
Yep. And if you're an administrator, you're just thinking that, okay, my user is probably making multiple incorrect password attempts.

Robert MacDonald:
Yeah.

Sheetal:
That's probably what you're thinking.

Robert MacDonald:
Yes.

Sheetal:
Yeah, so once they did that, I think they were also able to find an application that had privileged access. They used that to create multiple other applications, ended up getting privileged access into Microsoft Exchange Online, and they were into the emails of executives, so that's typically how the entire attack sort of happened. And they were into Microsoft systems.

Robert MacDonald:
I mean, I guess they could have gone into anybody's inbox, but I mean, why would they go into our inboxes, Sheetal, we're nobody. Right? Let's go into the top-level executives and see what's going on. I mean, at the end of the day, that's what they're looking for. They're looking for valuable information that they can figure out what they want to do with once they gather it, right? Unfortunately, you and I emailing back and forth about what our favorite wine is, is not of interest, but if you get into the C-level suite at Microsoft, I'm sure there's some interesting information on there.

Sheetal:
Yeah. So I think there's also this new SEC rule that requires you to declare any kind of security breach that happens within four days. So Microsoft have to come in within four days of detecting this. So detecting their breach, they had to put out blog posts explaining the attack and what happened. They have this great blog that sort of explains the entire trajectory of how this incident sort of built up. So that being said, Rob, now what is your opinion on, what can 1Kosmos do for companies that are in a situation or prevent this kind of situation?

Robert MacDonald:
Yeah, well, I mean, listen, we've talked about this basically ad nauseum on all of these IBA Fridays, and it goes back to the identity itself. So the more you know about that identity, maybe the IP address it normally comes from, maybe the device signature that we might know about. If you know those things and the login doesn't meet some of those things that we know, well, that should probably raise a flag, right? Why don't you tell us a little bit about, because that gets into that residential IP thing that you were talking about, right?

Sheetal:
Yes.

Robert MacDonald:
Based on what you guys are developing, tell me a little bit about how that would work with us.

Sheetal:
So I think you packed in a lot on that statement. So we're going to break it down a little bit.

Robert MacDonald:
That's right.

Sheetal:
So we talked about identity, we talked about the IP, we talked about device, everything in one thing, but let's break that down. So with the residential IP address, I'm not sure it's really easy to track requests coming in from a residential IP address, but if you're able to track user behavior, meaning that multiple sign-in attempts are coming in from distributed IP addresses, some impossible travel kind of situation, you are able to protect or at least have some alerts about what user activity is doing. So that's one way that I could think of that you know, a company like 1Kosmos could step in and partner with you on your strategy for access to your employees.

The other one is definitely the device that you're accessing from. You can have agents that 1Kosmos provides that sort of tells you which is the device that the user is attempting access from. And that's another format and I think we see that across the industry, being able to tell which device the request is coming from. But the real beauty is when you have identity, as you said, behind the scenes. Really knowing that there is biometrics or a real person who's sitting behind the scenes attempting access, especially privileged access, right? It's surprising how much havoc can be caused by just accessing a non-prod tenant.

Robert MacDonald:
Right.

Sheetal:
Just no MFA on it.

Robert MacDonald:
Yep.

Sheetal:
And having privileged access through an application. So I feel like a mix of all these things, and of course risk-based authentication, being able to adapt is really a good way to mitigate against attacks and breaches like this.

Robert MacDonald:
Yeah, and I think you touched on a good thing, a big point there. We do passwordless authentication. So if you do passwordless, well then at the end of the day, there's nothing to spray.

Sheetal:
Mm-hmm. There's nothing.

Robert MacDonald:
So you could technically just stop it there. Now listen, I get it. That maybe you don't want to stand it up on maybe an old product account or something like that, whatever. But an attack such as this shows that you really can't let your guard down and just assume that, well, this thing that we've got sitting over in the corner shouldn't have access to anything, shouldn't, and yet here we are. So it's really important if you do have technologies such as 1Kosmos and what we provide, use it everywhere. That way the experience is the same. Managing it from an IT perspective is the same, and you're able to catch a lot of these problems before they happen. But I cut you off. Sorry, go ahead.

Sheetal:
So as I was saying, I mean we just have to talk a little bit about ourselves and boast about our own adaptive engine, where at runtime we are able to detect where the user is, where is the sign-in attempt coming from? What is the device that the user is using it from? And what has his past behavior been like? And that particular moment of requesting sign-in access determines the next few steps of what is going to happen. You are presented authentication mechanisms based on your context. So that's a game changer and I think having strong policies like that really help in mitigating these things. So of course, I think in one of these IBA Fridays, we should give our audience a tour of what our adaptive auth engine looks like.

Robert MacDonald:
That's probably a good idea. Yeah, and again, just speaking to what we were just saying, if you do have one of those servers sitting in the corner that maybe you don't want or don't need to do the level of authentication that you do on a regular desktop, or when you're doing a privileged activity in production, you still at least want to send them through a journey where if it does look weird and the behaviors aren't quite right or it doesn't match some of the signals that we want it to match, then you could at least throw them through a journey to make sure that it is the person that we think it is, even if they're using a non-production type of environment, like what we had here, right?

Sheetal:
Yep.

Robert MacDonald:
Awesome. Well, I think we covered it.

Sheetal:
Mm-hmm. We covered it.

Robert MacDonald:
We covered it. And again, if you want to read a little bit more on the blog, it is available on our website. If you go to 1kosmos.com, we do, under our Insights section at the very top of the nav, there's blog, you can click View All. I'm pretty sure it's the first one 'cause it's the most recent one that we've written. There's a handsome fella little picture, that's when you know that it's the one that I wrote. And you can learn a little bit more about it. There's a link to the Microsoft blog that Sheetal was mentioning as well. You can read all of the details that the Microsoft investigative team, their threat intelligence team put together on the blurb.

And I mean, one thing we didn't mention, Sheetal, is that because they found that vulnerability, the Blizzard team were able to go to some of Microsoft's customers and replicate it. So we didn't even get into that. So when those vulnerabilities are found, they're going to go try it in other places. And this is a very similar type of thing that we see from these types of bad actors. If they find a hole, they're going to go see where else they can find that same hole. So anyway, I guess it's why we're employed, I guess, to keep these security things cooking.

But I appreciate you taking the time and walking us through your insights on it and maybe some of the ways that we can help customers moving forward prevent attacks like this. And again, you know, you don't want to put all your eggs in one basket either, right Sheetal? I mean, if you're reliant on one organization to do all your stuff, you're kind of beholden to wherever their vulnerability is, where, if you layer in stuff like 1Kosmos, you can close those gaps pretty quickly, right?

Sheetal:
Yep, yep.

Robert MacDonald:
Yep.

Sheetal:
Absolutely.

Robert MacDonald:
All right, well until next time.

Sheetal:
Mm-hmm. Till next time.

Robert MacDonald:
Have a good weekend.

Sheetal:
You too. Bye-bye.

Robert MacDonald:
All right, thanks everybody. We'll see you again.