Since December, the United States, its government, and other critical institutions, including security firms, have been responding to the world’s latest serious nation-state cyberattack, the SolarWinds attack, sometimes referred to as ‘Solorigate’ or ‘SUNBURST.’ As we shared earlier, this is a moment of reckoning for our industry, and it calls for a unified response from defenders across the public and private sectors.
Today, as we close our own internal investigation of the incident, we continue to see an urgent opportunity for defenders everywhere to unify and protect the world in a more concerted way. We also see an opportunity for every company to adopt a Zero Trust plan to help defend against future attacks.
The Microsoft Security Response Center (MSRC), which has shared learnings and guidance throughout the Solorigate incident, confirmed today that, with our internal investigation complete, we have found no evidence that Microsoft systems were used to attack others, and no evidence of access to our production services or customer data.
A concerning aspect of this attack, however, is that security companies were a clear target. Microsoft, given the expansive use of our productivity tools and our role in security, was of course an early target.
But while this highly sophisticated nation-state actor was able to breach the gate, they were met by a unified team of human and digital defenders. There are several reasons why we were able to limit the scope and impact of this incident for our company, customers, and partners, but ultimately they all come down to a few fundamental ways we approach security.
We believe these approaches represent an opportunity for all IT and security teams as we collectively navigate a rapidly evolving and sophisticated threat landscape.
Adopt a Zero Trust mindset
A key action is implementing a Zero Trust architecture. In this approach, a company assumes that any activity, even by trusted users, could be an attempt to breach its systems, and every access decision is designed around that assumption: a request is verified explicitly rather than trusted because of where it comes from.
To guard against these pervasive threats, organizations should deploy a Zero Trust architecture together with defense-in-depth protections: layered defenses across code, coding tools, email, cloud apps, endpoints, identities, the developer community, defender products, everything.
Zero Trust is a proactive mindset. When every employee assumes attackers will land at some point, they model threats and implement mitigations so that a successful exploit of one component cannot expand into the rest of the environment. The value of defense-in-depth is that security is built into each area an actor might try to break, beginning at the code level and extending end-to-end across all systems.
Customer Guidance: As companies plan a Zero Trust posture and the transition from implicit trust to explicit verification, the first step to consider is protecting identities, especially privileged accounts. Gaps in protecting identities (or user credentials), such as weak passwords or a lack of multifactor authentication, give an actor a way into a system, a way to elevate privileges, and a way to move laterally across environments toward email, source code, critical databases, and more. We witnessed this in Solorigate when abandoned app accounts with no multifactor authentication were used to access cloud administrative settings with high privilege. To explore protecting privileged identity and access, companies should review Securing privileged access overview on Microsoft Docs.
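Concretely, the first step above is an audit of the privileged tier. The following is an added example, not code from Microsoft or from this post: it walks a constructed directory export and flags privileged users who are not enrolled in MFA and privileged app accounts whose credentials have gone unused (the "abandoned app accounts" the guidance describes). The record layout, the role names, and the 90-day staleness threshold are assumptions made for the example, not a Microsoft API or policy.

```python
"""Audit a constructed directory export for the two identity gaps named in the
guidance above: privileged user accounts without MFA, and abandoned app accounts
that still hold high-privilege roles. Record layout, role names and the 90-day
threshold are assumptions for this example, not a Microsoft API or policy."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Roles treated as high privilege. Assumed names for illustration only.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
    "Exchange Administrator",
}
# A privileged app credential unused for this long is treated as abandoned (assumption).
STALE_AFTER = timedelta(days=90)


@dataclass
class Account:
    name: str
    kind: str                       # "user" (interactive) or "app" (service principal)
    roles: Set[str] = field(default_factory=set)
    mfa_enrolled: bool = False      # apps authenticate with a secret/cert and never satisfy MFA
    last_sign_in: Optional[datetime] = None


def audit(accounts: List[Account], now: datetime) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for privileged accounts that fail the check.

    Unprivileged accounts are skipped: the guidance's first step is the privileged tier.
    """
    findings = []
    for acct in accounts:
        if not (acct.roles & PRIVILEGED_ROLES):
            continue
        if acct.kind == "user" and not acct.mfa_enrolled:
            findings.append((acct.name, "privileged user without MFA"))
        elif acct.kind == "app":
            # An app account cannot be challenged for MFA, so the compensating control
            # is to strip privilege from credentials that nobody is actually using.
            if acct.last_sign_in is None or now - acct.last_sign_in > STALE_AFTER:
                findings.append((acct.name, "abandoned privileged app account"))
    return findings


# Constructed sample export for the demonstration (not real tenant data).
SAMPLE_NOW = datetime(2021, 2, 18, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", "user", {"Global Administrator"}, mfa_enrolled=True,
            last_sign_in=SAMPLE_NOW - timedelta(hours=2)),
    Account("bob", "user", {"Exchange Administrator"}, mfa_enrolled=False,
            last_sign_in=SAMPLE_NOW - timedelta(days=1)),
    Account("carol", "user", set(), mfa_enrolled=False),          # unprivileged: out of scope
    Account("ci-deploy-app", "app", {"Application Administrator"},
            last_sign_in=SAMPLE_NOW - timedelta(days=3)),          # in active use
    Account("legacy-sync-app", "app", {"Application Administrator"},
            last_sign_in=SAMPLE_NOW - timedelta(days=400)),        # abandoned
    Account("forgotten-app", "app", {"Global Administrator"}),    # never signed in
]


def run_sample() -> List[Tuple[str, str]]:
    """Run the audit over the constructed export; used by the stand-alone entry point."""
    return audit(SAMPLE_ACCOUNTS, SAMPLE_NOW)


if __name__ == "__main__":
    for name, finding in run_sample():
        print(f"{name}: {finding}")
```

The audit deliberately ignores unprivileged accounts: the point is to start with the identities an actor would use to reach cloud administrative settings, and to treat an app account as a credential that must either be in active use or be stripped of its role, since it can never be asked for a second factor.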
Embrace the cloud
We were also reminded of the importance of cloud technology over on-premises software. Cloud technologies like Microsoft 365, Azure, and the premium layers of services available as part of these solutions improve a defender’s ability to protect their own environment.
Baseline layers of protection are not enough for today’s sophisticated threats. Defense strategies must keep pace with increasingly sophisticated attacks while factoring in the complexities of securing a remote workforce. If you are not thinking about advanced layers of protection that can detect, alert on, prevent, and respond to attacks across identities, email, cloud apps, and endpoints, you may be locking a door while leaving the window open. From Microsoft, consider technologies like Azure Active Directory and Microsoft 365 Defender.
One of the most important pieces of guidance for any security posture that we can share right now is to layer up, no matter who your security vendors are.
In addition, with the Microsoft cloud, customers benefit from industry-leading threat intelligence, powerful AI, machine learning, and defense-in-depth capabilities that most companies simply could not develop on their own. Our platform and services assess over eight trillion security signals every day, enabling Microsoft to take more of the work off a defender’s plate. Our technology can surface and correlate security alerts that could represent a larger issue or remediate issues on demand with our own threat experts. As an example, in 2020 over 30 billion email threats were blocked by Microsoft cloud technology.
Customer Guidance: One thing our customers should consider is managing identity and access from the cloud. When you rely on on-premises services, such as an on-premises authentication server, protecting that identity infrastructure is the customer’s responsibility. With a cloud identity service like Azure Active Directory, we protect the identity infrastructure from the cloud, and our cloud-scale machine learning systems reason over trillions of signals in real time, so we can detect and remediate attacks that nobody else can see.
Strengthen the community of defenders
Finally, we know that we all have an important role to play in strengthening and empowering the defender community at large. It was great to see this sharing in action in December when FireEye first alerted the community to a “global intrusion campaign.”
At Microsoft, communicating and collaborating with our customers and partners is a top priority. Over the past several weeks, security teams across Microsoft (Microsoft Threat Intelligence Center/MSTIC, Microsoft Detection and Response Team/DART, Microsoft Cyber Defense Operations Center/CDOC and Microsoft Security Response Center/MSRC) met daily and collaborated directly with customers and partners to share information and respond. We shared the latest threat intelligence and indicators of compromise (IOCs), published more than 15 blogs with technical guidance and best practices, and notified customers of potentially related activity. We also offered security trials across our end-to-end product portfolio to give organizations the tools needed to combat this threat.
This sharing is invaluable to the entire community.
Customer Guidance: We encourage every company, of every size, to work with the community to share information, strengthen defenses and respond to attacks. Join our Microsoft Security and Compliance Tech Community to start or participate in a variety of community discussions.
Security is a journey of progress over perfection, and with these three approaches working in unison, we can all help to make the world safer and more secure.