In light of the recent news of Microsoft’s ‘secret’ internal database breach, Dmitri Alperovitch, CTO & Co-founder at CrowdStrike, commented below on how this is a serious threat with multi-dimensional consequences for anyone using Microsoft products.
Dmitri Alperovitch, CTO & Co-founder at CrowdStrike:
“The compromise of Microsoft’s database highlights that everyone is vulnerable to sophisticated intrusions. From the adversary perspective, having access to critical and unfixed vulnerabilities is the ‘holy grail.’ We may be seeing the ripple effects of this hack for some time and many businesses may end up suffering stealthy compromises. The key question to answer is how long they may have had access and what entry points were established during that time. For example, are there signs of credential theft or other activities that would indicate an escalating compromise?”
Josh Mayfield, Director at FireMon:
What could a malicious actor gain from accessing these databases?
At first blush, it may not seem that there is much to worry about with attackers scooping up the details of Microsoft’s vulnerabilities. After all, Microsoft searched and did not find the vulnerabilities being exploited. However, though MSFT found no evidence, it would be erroneous to confuse ‘absence of evidence’ with ‘evidence of absence’. There may not be any clear evidence that Microsoft’s vulnerabilities are being used in cyberattacks, but the breach indicates that bad actors are aiming for a head start.
If I can gain access to the entire repository of vulnerabilities, I have invaluable knowledge to use for exploits. Unlike many companies, attackers have a healthy appreciation of human psychology – they can put themselves in the shoes of Microsoft and its billions of users. Having this awareness gives an attacker the wherewithal to discover the highest probabilities of success.
Secondly, having access to the MSFT database gives the cybercriminal a taxonomy and classification with details of how these vulnerabilities are grouped. Knowing this, additional vulnerabilities are more adjacent without Microsoft’s knowledge. It is like knowing the tendencies of a competitor; this detail about their predisposition gives you a reasonable idea of what will hurt the most.
Lastly, the bug fix database also contained a schedule. This allows an attacker to observe Microsoft’s priorities and the details of how they will patch the issue. Think about it… if I know what you know and I know how you plan to fix it, I have an extraordinary number of attributes to better equip me to beat you in the real world. Each of these characteristics serves as decision support for the cybercriminal.
Is it responsible of Microsoft not to tell their customers or the public that they’ve been hacked in this way?
In short, yes. When an automobile or toy manufacturer discovers something that could harm their customers, they have an ethical responsibility to inform those in danger. Microsoft has learned its lesson and will better inform the market when breaches like this happen.
Currently, the US House of Representatives is debating new legislation on the precise requirements for reporting data breaches. There is much left to be seen, but these steps could give companies valuable face-saving opportunities when, not if, they experience a data breach.
How could Microsoft have prevented this breach?
Primarily, organisations as large and complex as Microsoft must automate their security policy controls. Assets continue to move and computing functions are dynamic. Without an automated and portable policy, organisations will continue to leave their most valuable assets open to breach.
Policies should automatically adapt and migrate with any asset as it moves. This form of embedded policy allows for instantaneous security without the time-consuming duty of policy design and implementation.
Secondly, organisations like Microsoft have the opportunity to hunt for such threats – locating the digital residue in the wake of malicious actors. This, too, can be an automated function, using analysis to uncover the commonly used activities to reveal data staging and exfiltration.
Lee Munson, Security Researcher at Comparitech.com:
“Shock. Horror. Microsoft may have suffered a breach in 2013 and not told anyone about it.
With data breaches now appearing to be an almost daily occurrence, it would not surprise me if the tech giant had become a victim at some point… but context is everything.
If the reports are true, Microsoft not only detected the breach – something many victims remain blissfully unaware of for many years – but also investigated the potential consequences and mitigated all risks, leading to no known live attacks ever occurring.
It could be argued that an alleged breach of its vulnerability database is news worth sharing, though I suspect in this case that keeping a lid on it was probably a better option than telling the hacking community it could be a potential open season for them in terms of potential new attack vectors.
That said, the world has moved on in the last four years, especially in light of the NSA-developed EternalBlue exploit being leaked and so, if such an event were to happen now, an altogether different approach to incident response and disclosure may be more appropriate.”