Storm-0558 & Microsoft’s Alex Weinert
This October, the Practical 365 podcast was privileged to have an enlightening conversation with Alex Weinert, Microsoft’s esteemed Vice President for Identity Security. Despite his demanding schedule, Alex generously shared his invaluable insights and firsthand experiences related to the Storm-0558 incident, as well as broader aspects of identity security and the evolving threat landscape.
In this blog post, we will delve into how Microsoft’s security teams combat global cyber threats and the company’s response to this critical event. Stay tuned for an insider’s perspective on the world of cybersecurity.
How Microsoft’s Identity Security Team Fights Global Cyber Threats
Alex Weinert, the man at the helm of Microsoft’s Identity Security, gave us a glimpse into the inner workings of his team and their relentless efforts to shield customers and the world from cyber threats. Weinert’s role is twofold: he not only spearheads the development and delivery of customer security products like conditional access, multi-factor authentication, risk detection, password protection, and the Authenticator app, but also ensures that Microsoft’s identity infrastructure is built and operated with paramount security.
His team is constantly on the lookout for vulnerabilities, responding to incidents, mitigating attacks, and preventing future ones. They work tirelessly behind the scenes, blocking thousands of identity attacks per second without causing any disruption to customers. They combat fraud in the identity ecosystem and collaborate with other teams across Microsoft and the industry on global security issues.
Weinert shared an instance where his team collaborated with the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Detection and Response Team (DART) to thwart a sophisticated attack that involved compromising a customer’s environment to launch further attacks.
As identity professionals, they comprehend the gravity of their work in a world where conflicts increasingly play out on digital fronts. Weinert emphasized that identity is often the preferred attack surface for adversaries, because impersonating a legitimate user lets them bypass encryption and other protection mechanisms entirely. He cited examples of how governments use cyber-attacks for espionage or direct attacks, such as disabling power or communications in a city.
The stakes are high for identity professionals, and Weinert’s team rises to this challenge by continually enhancing Microsoft products and infrastructure security. The camaraderie within these teams, where most members are personal friends who often discuss work together, significantly contributes to their success.
How Microsoft’s Identity Security Team Responded to the Storm-0558 Incident
“Undoubtedly, this was one of the most challenging days in my career,” Alex Weinert said, candidly describing the Storm-0558 incident as one of the most daunting days for any identity security professional. Despite his extensive tenure at Microsoft, he had hoped such an incident would never occur on his watch. Yet it did.
The compromised key, he explained, was created long ago in systems that no longer exist today. The current systems have been significantly fortified since then. While the incident was a harsh lesson, Weinert emphasized that there were also positive aspects to consider.
His team was well-prepared when they detected the Storm-0558 incident. Thanks to their thorough planning and simulations, they were able to mitigate the situation in less than 24 hours. This swift response was remarkable compared to other incidents like SolarWinds, where attackers had been inside the environment for 18 months and mitigation had to be carried out customer by customer. In this case, 25 organizations were impacted, but Weinert’s team was able to fully mitigate the situation on behalf of the customers.
Weinert acknowledged that the potential impact radius of the incident was vast. However, their quick detection and mitigation significantly limited its scope. He clarified that this was not a case of infrastructure compromise—arguably the worst-case scenario—but rather an operational error that led to key material leakage outside of its secure environment.
What Lessons Should Customers Draw From the Way That Microsoft Responded?
“I think there is a challenge in the framing of the question, right,” Alex stressed. He pointed out that the average Microsoft customer is not typically defending against the intelligence apparatus of an entire country, which is a vastly different game played in a much different way. Statistically, it’s unlikely that an average organization would be the target of a nation-state attack.
Most Microsoft customers deal with more commonplace incidents. For instance, using multi-factor authentication (MFA) reduces risk by 99.4%. With metrics indicating 4,000 attacks per second from password spray and password replay techniques, the importance of MFA is clear. However, recent studies show that MFA adoption is still unacceptably low, at about 35% across the user base.
Alex outlined three basic security hygiene measures that every organization should implement, along with an additional action for highly security-focused organizations:
Basic hygiene should never be overshadowed:
- Strong authentication with phishing resistance: Implementing strong authentication methods that are resistant to phishing attacks is crucial. This can be achieved through methods like multi-factor authentication (MFA), which adds an extra layer of security by requiring multiple forms of verification.
- Strong device attestation: Ensuring that devices used to access sensitive information are secure and trusted is another important step. Device attestation involves verifying the integrity and security status of a device before it’s allowed to access network resources.
- Anomaly detection and intervention: Regular monitoring for unusual activity or deviations from normal patterns can help detect potential security threats early. If an anomaly is detected, immediate intervention is necessary to prevent potential breaches.
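The password-spray figure quoted earlier and the “anomaly detection and intervention” item above describe the same defensive loop: spot the pattern in sign-in telemetry, then act on the accounts it touched. The following is an added example, not code from the Practical 365 post or from Microsoft. The sign-in events, field names and thresholds are constructed for illustration; a spray shows up as one source trying many distinct accounts with only one or two failures each, staying under per-account lockout limits.

```python
"""Password-spray detection over constructed sign-in events (added example).

Assumptions (not from the page): a flat event list of
(timestamp, user, source_ip, result) tuples and the thresholds below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_MIN_USERS = 5       # distinct accounts tried from one source within the window
SPRAY_MAX_PER_USER = 2    # a spray keeps per-account failures below lockout thresholds
WINDOW = timedelta(minutes=10)

# Constructed sample: one source sprays six accounts and lands one of them;
# a second source is a single user mistyping their own password.
SAMPLE_EVENTS = [
    ("2023-10-01T10:00:01", "alice@example.test", "203.0.113.9",  "FAIL"),
    ("2023-10-01T10:00:05", "bob@example.test",   "203.0.113.9",  "FAIL"),
    ("2023-10-01T10:00:09", "carol@example.test", "203.0.113.9",  "FAIL"),
    ("2023-10-01T10:00:14", "dave@example.test",  "203.0.113.9",  "FAIL"),
    ("2023-10-01T10:00:20", "erin@example.test",  "203.0.113.9",  "FAIL"),
    ("2023-10-01T10:00:26", "frank@example.test", "203.0.113.9",  "FAIL"),
    ("2023-10-01T10:01:02", "frank@example.test", "203.0.113.9",  "SUCCESS"),
    ("2023-10-01T10:02:00", "grace@example.test", "198.51.100.4", "FAIL"),
    ("2023-10-01T10:02:10", "grace@example.test", "198.51.100.4", "FAIL"),
    ("2023-10-01T10:02:20", "grace@example.test", "198.51.100.4", "FAIL"),
    ("2023-10-01T10:02:40", "grace@example.test", "198.51.100.4", "SUCCESS"),
]


def detect_password_spray(events, window=WINDOW,
                          min_users=SPRAY_MIN_USERS, max_per_user=SPRAY_MAX_PER_USER):
    """Return {source_ip: sorted targeted users} for sources showing a spray pattern."""
    failures_by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            failures_by_ip[ip].append((datetime.fromisoformat(ts), user))

    findings = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        start = 0
        # Slide a time window over this source's failures and look for
        # "many accounts, few attempts each" inside any single window.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[ip] = sorted({u for _, u in fails})
                break
    return findings


def accounts_needing_intervention(events, findings):
    """Accounts that signed in successfully from a spraying source.

    These are the intervention targets: revoke sessions, reset the credential
    and require MFA before the account is used again.
    """
    return sorted({user for _, user, ip, result in events
                   if result == "SUCCESS" and ip in findings})


if __name__ == "__main__":
    hits = detect_password_spray(SAMPLE_EVENTS)
    print("spray sources:", hits)
    print("intervene on:", accounts_needing_intervention(SAMPLE_EVENTS, hits))
```

On the sample, the single source at 203.0.113.9 is flagged and frank@example.test is the one account to act on; grace’s three failures from her own address never trip the rule because only one account is involved. Real deployments would feed this from the identity provider’s sign-in logs and tune the thresholds to the tenant’s baseline.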
The highest standards for security-focused organizations:
- Fully isolate your critical systems from the rest of your environment: For organizations with a high focus on security, it’s recommended to completely isolate critical systems from the rest of the network environment. This can be achieved by adhering to Zero Trust principles, which include isolated and temporary access and permissions. Key practices under these principles are Zero Standing Access (ZSA), Just-In-Time (JIT), and Just-Enough-Access (JEA). Implementing these methods can significantly enhance the protection of sensitive data and systems against potential threats.
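To make the Zero Standing Access, Just-In-Time and Just-Enough-Access principles above concrete, here is an added example of a minimal elevation broker. It is illustrative code written for this post, not Microsoft’s implementation or any product API. The role names, the one-hour ceiling, the resource scopes and the scenario are all constructed assumptions. The point it demonstrates is that nobody holds standing rights: access exists only inside a time-boxed, justified grant, only for the few actions the role allows, and only on the one scope it was granted for.

```python
"""Zero Standing Access / JIT / JEA elevation broker (added, illustrative example).

Assumptions (not from the page): the role catalogue, MAX_TTL and the scope
names below are constructed for this demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Just-Enough-Access: each role maps to the few actions an operator actually
# needs, never to blanket administrator rights.
ROLE_ACTIONS = {
    "key-rotator": {"keys:rotate", "keys:list"},
    "log-reader": {"logs:read"},
}
MAX_TTL = timedelta(hours=1)   # hard ceiling on any elevation (assumed policy)


@dataclass(frozen=True)
class Grant:
    principal: str
    role: str
    scope: str            # the single isolated resource/tier this grant covers
    expires_at: datetime
    justification: str


@dataclass
class JitBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def request_elevation(self, principal, role, scope, ttl, justification, now):
        """Issue a time-boxed grant; everything outside it is rejected."""
        if role not in ROLE_ACTIONS:
            raise ValueError(f"unknown role {role!r}")
        if not justification.strip():
            raise ValueError("justification required")
        if ttl <= timedelta(0) or ttl > MAX_TTL:
            raise ValueError("ttl must be greater than zero and at most MAX_TTL")
        grant = Grant(principal, role, scope, now + ttl, justification)
        self.grants.append(grant)
        self.audit.append(("GRANT", principal, role, scope, now.isoformat()))
        return grant

    def authorize(self, principal, action, resource, now):
        """Zero Standing Access: with no live grant the answer is always no."""
        for g in self.grants:
            if (g.principal == principal and g.scope == resource
                    and now < g.expires_at and action in ROLE_ACTIONS[g.role]):
                self.audit.append(("ALLOW", principal, action, resource, now.isoformat()))
                return True
        self.audit.append(("DENY", principal, action, resource, now.isoformat()))
        return False

    def sweep(self, now):
        """Drop expired grants so they cannot be revived later."""
        self.grants = [g for g in self.grants if now < g.expires_at]


def scenario():
    """Walk one operator through the lifecycle; returns the five decisions."""
    t0 = datetime(2023, 10, 1, 9, 0)
    broker = JitBroker()
    before = broker.authorize("alice", "keys:rotate", "tier0-keyvault", t0)
    broker.request_elevation("alice", "key-rotator", "tier0-keyvault",
                             timedelta(minutes=30), "constructed ticket INC-0001", t0)
    t1 = t0 + timedelta(minutes=10)
    during = broker.authorize("alice", "keys:rotate", "tier0-keyvault", t1)
    wrong_action = broker.authorize("alice", "logs:read", "tier0-keyvault", t1)   # JEA
    wrong_scope = broker.authorize("alice", "keys:rotate", "tier1-keyvault", t1)  # isolation
    broker.sweep(t0 + timedelta(minutes=31))
    after = broker.authorize("alice", "keys:rotate", "tier0-keyvault", t0 + timedelta(minutes=31))
    return before, during, wrong_action, wrong_scope, after


if __name__ == "__main__":
    print(scenario())   # (False, True, False, False, False)
```

The five decisions read as: denied before elevation, allowed inside the window for the granted action and scope, denied for an action outside the role, denied on a different scope, and denied again once the grant expires. The audit list gives the monitoring side something to alert on, for example a spike of DENY entries against a tier-0 scope.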
The insights shared by Alex Weinert underscore the importance of robust security measures in today’s digital landscape. The Storm-0558 incident serves as a stark reminder of the potential threats that organizations face and the critical role that security professionals play in safeguarding sensitive information.
The key takeaway is that basic security hygiene should never be overshadowed, as it protects against 99% of known vulnerabilities, according to the 2023 Microsoft Digital Defense Report. Implementing strong authentication methods, ensuring device attestation and regularly monitoring for unusual activity are fundamental steps that every organization should take. For those with a high focus on security, isolating critical systems from the rest of the network environment is recommended, which is echoed in this podcast episode with Sean Metcalf, founder and CTO of Trimarc Security. Sean described something very similar: he often recommends building an AD Forest for legacy protocols and applications and then isolating the critical assets in either a pristine Forest or the existing Forest. If you want to hear more from Sean, be sure to subscribe to the Practical365.com podcast on your favorite device.
Strengthen Your Link
The world of cybersecurity is complex and ever-evolving, but with vigilance, preparedness, and the right security measures in place, organizations can navigate this landscape more confidently. As we continue to move towards an increasingly digital future, let’s remember that our collective security is only as strong as our weakest link. Let’s strive to make that link as strong as possible.