Midnight Blizzard Cleanup - One Week Later

1–29–2024 (Monday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, January 29, 2024, and we’re going to jump right in to the news about what we’ve learned from Microsoft - and others - in the past week.

Midnight Blizzard Cleanup

First of all, some credit where credit is due to the Microsoft folks for following up with more details last week on their breach by Russia’s foreign intelligence service, the SVR. I’m going to keep reminding you of that, because “Midnight Blizzard” means nothing to anybody, but we can all understand what having the Russian Foreign Intelligence Service in Microsoft exec’s emails might mean.

In a blog post on January 25th, Microsoft disclosed some additional details about the breach. They did, again, to their credit, provide both additional details and some mitigation steps.

Unfortunately, however, some of those details are still not as clear as the security community might like, and some of their mitigation steps equate to “buy more services from us.”

In a pretty scathing response, former Facebook CISO Alex Stamos, whose consulting firm Krebs-Stamos was acquired by Microsoft competitor SentinelOne last year, ultimately had this to say:

“Twenty one years after the Trustworthy Computing memo, it’s once again time for some soul searching in Redmond.”

Stamos notes that:

“I understand the need to charge for log storage or human services, but we should no longer accept the idea that Microsoft’s basic enterprise offerings (including those paid for by the US taxpayer) should lack the basic features necessary to protect against likely attacks.”

“For all the language about the sophistication of the SVR hackers behind this attack, there is nothing here that is outside the norm for ransomware groups attacking Microsoft technologies, and Microsoft customers of all sizes should be concerned that these techniques will be deployed against them if they do not pay extra for the secure version of Microsoft’s cloud products.”

We learned last week, as well, that HP Enterprise (the company formerly known as Hewlett-Packard) was successfully breached by this same group of threat actors, and the Washington Post is now reporting that up to 10 other organizations have been similarly breached and will be disclosing soon, noting “more than 10 companies, and perhaps far more, are expected to come forward.”

Reporting in ComputerWorld suggests that these events might be enough to finally garner some Congressional attention (though, given this Congress’ track record, it seems unlikely that anything would actually come of this).

At the same time, security experts are loudly sharing the configuration settings that need to be updated to prevent the lateral movement and privilege escalation that the SVR used to breach Microsoft, described by one researcher as a major blunder.

While the instructions for making these changes can be both a bit confusing and highly technical, I’ve included them here and want to talk about the security principles behind them.

You’ve likely heard of the ideas at play here - whether it’s “Secure by Design” or “Secure by Default,” the underlying constructs have to do with least privilege. That is: what is the minimum set of permissions or privileges your program, account, identity, etc. needs in order to perform your defined business operations?

This is something that applies to all sorts of technology contexts, but in this case, cloud hygiene is what got Microsoft in trouble. In a world of highly complex systems, it is admittedly difficult - if not impossible - to account for all of these moving parts.

Instead, I often recommend starting from a first principles approach of “deny all, allow as needed” - whether we’re talking about web filters for sites people can browse to, applications that can run on workstations, or firewall rules. There’s actually a very knowable universe of sites and tools that you use to run your business. While it may seem like shutting the rest out is stifling creativity or innovation, it’s also tremendously reducing risk.

While it can add friction to users and administrators, it gives the business a chance to understand what, exactly, legitimate users are trying to achieve - and how - as well as a chance to deter, detect, and disrupt malicious or illegitimate behavior (amongst both insider threats and external attackers).

At the risk of throwing the baby out with the bathwater, consider this “default deny” mentality as you make changes and introduce new constructs into your enterprise, and see how you might be able to systematically backfill the approach into your existing systems and workflows. Technology and the threat landscape are moving much faster than your business - this is one way to give yourself a fighting chance.
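To make the “deny all, allow as needed” principle concrete, here is a small added example (my own illustration, not code from the newsletter or from Microsoft) of an egress policy evaluator. Every allow rule carries the business reason it exists, anything unmatched falls through to a default deny, and denied attempts are logged so the business can see what legitimate users actually need and so unexpected traffic stands out. All network ranges, principals and connection attempts are constructed sample values.

```python
"""Default-deny egress policy evaluator (added example; all values constructed)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
from typing import Dict, List, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class AllowRule:
    name: str             # the business purpose this rule serves
    network: Network      # destination range that is permitted
    ports: frozenset      # destination ports permitted for that range


@dataclass
class Decision:
    allowed: bool
    rule: str             # name of the matching rule, or "default-deny"


@dataclass
class DefaultDenyPolicy:
    rules: List[AllowRule]
    denied_log: List[Tuple[str, str, int]] = field(default_factory=list)

    def evaluate(self, dst_ip: str, dst_port: int, principal: str) -> Decision:
        """Allow only on an explicit match; everything else is denied and recorded."""
        addr = ip_address(dst_ip)
        for rule in self.rules:
            # 'in' is False for an IPv4 address against an IPv6 network, so mixed
            # families simply fail to match rather than raising.
            if addr in rule.network and dst_port in rule.ports:
                return Decision(True, rule.name)
        self.denied_log.append((principal, dst_ip, dst_port))
        return Decision(False, "default-deny")

    def denied_summary(self) -> Dict[Tuple[str, str], int]:
        """Count denied (principal, destination) pairs. This is the review queue:
        a repeated deny is either a legitimate need to add a rule for, or
        behaviour worth investigating."""
        counts: Dict[Tuple[str, str], int] = {}
        for principal, ip, port in self.denied_log:
            key = (principal, f"{ip}:{port}")
            counts[key] = counts.get(key, 0) + 1
        return counts


# Constructed allowlist: documentation ranges only (RFC 5737) and an internal /8.
RULES = [
    AllowRule("saas-crm", ip_network("203.0.113.0/24"), frozenset({443})),
    AllowRule("internal-dns", ip_network("10.0.0.0/8"), frozenset({53})),
    AllowRule("mail-relay", ip_network("198.51.100.25/32"), frozenset({587})),
]

# Constructed connection attempts: (principal, destination ip, destination port)
SAMPLE_ATTEMPTS = [
    ("alice", "203.0.113.10", 443),
    ("alice", "10.1.2.3", 53),
    ("bob", "198.51.100.25", 587),
    ("bob", "198.51.100.25", 25),       # approved host, unapproved port
    ("svc-build", "192.0.2.77", 4444),  # destination never approved anywhere
    ("svc-build", "192.0.2.77", 4444),
]


def run_sample() -> Tuple[DefaultDenyPolicy, List[Decision]]:
    """Evaluate the constructed attempts and return the policy (with its log) and decisions."""
    policy = DefaultDenyPolicy(list(RULES))
    decisions = [policy.evaluate(ip, port, who) for who, ip, port in SAMPLE_ATTEMPTS]
    return policy, decisions


if __name__ == "__main__":
    policy, decisions = run_sample()
    for (who, ip, port), d in zip(SAMPLE_ATTEMPTS, decisions):
        verdict = "ALLOW" if d.allowed else "DENY"
        print(f"{who:10} -> {ip}:{port:<5} {verdict:5} ({d.rule})")
    print("review queue:", policy.denied_summary())
```

The same shape applies to application allowlists or identity permissions: the rule set is the knowable universe of what the business needs, each entry names why it exists, and the denied log is what turns friction into visibility.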

Fundraising

From a fundraising perspective, briefly, we had even more money pour into commitments last week, with just shy of $20B reported.

At the same time, we have some IPO rumblings, but also reports of more dividend recapitalization deals taking place amongst private investors, which Axios describes as “another sign of investor optimism.”

Stay tuned for whether that optimism is warranted or not - lots of macro news ahead this week, including interest rates from the Fed, jobs data, and earnings from Alphabet, Amazon, Apple, Boeing, General Motors, Meta, Microsoft and Starbucks.

You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/

https://www.linkedin.com/pulse/microsofts-dangerous-addiction-security-revenue-alex-stamos-1ukzc/

https://www.washingtonpost.com/technology/2024/01/26/russia-hacks-sec-disclosures/

https://www.computerworld.com/article/3712380/russia-hacks-microsoft-its-worse-than-you-think.html

https://arstechnica.com/security/2024/01/in-major-gaffe-hacked-microsoft-test-account-was-assigned-admin-privileges/

https://winsmarts.com/how-to-grant-admin-consent-to-an-api-programmatically-e32f4a100e9d

https://threadreaderapp.com/thread/1750774236707217811.html

https://www.axios.com/2024/01/29/private-equity-dividend-recap
