O365 Security: You Get What You Pay For…. US Treasury & Commerce Hacks Expose Microsoft

The public learned through media reporting that a group of sophisticated attackers had gained unauthorized access to internal US Treasury and Commerce Department systems. We don’t have the full technical details of how these compromises were accomplished, but we do know from both press reporting and personal sources familiar with the incident response that the scale of the breach was amplified by the relatively immature security capabilities offered in Microsoft O365 services such as Exchange Online and Teams.

For the last 10 years, enterprise information security teams have been downplaying (and flat out ignoring) the dangers of using consumer-grade security and encryption tools to protect sensitive information from sophisticated attackers. This weekend we saw just how awful it can get when US civilian government agencies, responsible for critical policy-making decisions, rely on security and encryption features invented over 20 years ago.

We don’t fully understand the scale and scope of the attack, but if it went beyond passive collection to actively interrupting the flow of information between key decision makers (by delaying or mis-routing emails and other communications), the attackers could not only have profited from the information they accessed but could also have dramatically disrupted Treasury operations (think of nation-state actors who would like to see chaos in the US economic response).

We should also assume that the TTPs associated with this attack are not only being used against Treasury and Commerce. It is very likely that similar attacks are underway against other targets, be they high-value individuals within private companies involved in the equities and debt markets that Treasury officials are working with, or organizations which operate those markets (such as NYSE, NASDAQ, or bond market platform operators around the world).

Scope of Impact

In several calls with information security teams that we’ve had in the last 48 hours, this attack has put all Microsoft Office 365 customers on notice that there are huge risks associated with moving their communications and collaboration activities to a centralized platform operated by Microsoft without real security controls of their own in place. One financial services organization with over 40,000 O365 users indicated that this Treasury incident is causing them to fundamentally re-think their use of SaaS platforms for critical business processes and to move away from the use of email as a business process communications channel.

Even Microsoft’s GovCloud Can’t Prevent Compromise

Treasury was reportedly using Microsoft’s ‘security enhanced’ version of O365 hosted within its GovCloud. But, as Microsoft’s own website indicates, there are significant risks associated with using the O365 platform within government organizations that are still not addressed. Those include spear-phishing protections, security compliance and analytics functions, and other security features that were promised to government customers but won’t be delivered for some time.

Security Was Never Part of the Core

O365 has always been a project where features and offerings were built ‘in-flight’, and security has been added in that same in-flight manner rather than designed into the core. Compared to the days when products were built using traditional software development processes, O365 is a service that is delivered in an iterative fashion. Traditional threat modeling, attack surface reduction and service hardening principles have been difficult for O365 customers to apply, given the number of applications involved and enabled for every tenant by default.

Complexity Breeds Insecurity

Microsoft has not provided a simple way to understand the complexities of securing O365 services. Each application has its own unique settings interface and APIs. That inconsistency and diversity of interfaces adds so much complexity that many security teams just give up, shrugging their shoulders and saying to themselves, “It’s Microsoft, they’re obviously going to help me secure my stuff… right?”

Microsoft Can’t Care About Every Customer’s Security Capabilities

What this incident proves is that Microsoft has created a service that attempts to serve as broad a market as possible. In doing so, the default configuration is set to favor ease-of-use over the confidentiality and integrity of the data stored within the system. Microsoft doesn’t have the time or resources to create customized security configurations for each customer. Organizations have been left on their own to deal with the poor default settings, and most lack the expertise to select and invest in the compensating controls that would close those default security gaps.
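What “dealing with the poor default settings” looks like in practice, as an added example that is not part of the original post and not HighSide’s code: a PowerShell audit of a handful of Exchange Online tenant defaults that matter most once a single account is phished. It uses only documented cmdlets from Microsoft’s ExchangeOnlineManagement module; which settings to check, and the remediation hints in the messages, are this editor’s assumptions rather than anything the post specifies.

```powershell
# Added example (editor's, not from the original post or HighSide).
# Requires: Install-Module ExchangeOnlineManagement, and an Exchange admin account.
# The set of defaults checked is an assumption about what matters after a phish.

Connect-ExchangeOnline   # interactive sign-in to the tenant

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Tenant-wide SMTP AUTH: a password-only path that sidesteps MFA when left on.
if (-not (Get-TransportConfig).SmtpClientAuthenticationDisabled) {
    $findings.Add('Tenant-wide SMTP AUTH enabled (Set-TransportConfig -SmtpClientAuthenticationDisabled $true)')
}

# 2. Org-level mailbox auditing off: no record of what an intruder read or forwarded.
if ((Get-OrganizationConfig).AuditDisabled) {
    $findings.Add('Mailbox auditing disabled org-wide (Set-OrganizationConfig -AuditDisabled $false)')
}

# 3. Outbound spam policies that permit automatic forwarding to external domains.
Get-HostedOutboundSpamFilterPolicy |
    Where-Object { $_.AutoForwardingMode -ne 'Off' } |
    ForEach-Object { $findings.Add("Outbound spam policy '$($_.Name)' allows auto-forwarding ($($_.AutoForwardingMode))") }

# 4. Mailbox-level forwarding and inbox rules that forward/redirect: classic post-phish persistence.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings.Add("Mailbox $($mbx.UserPrincipalName) forwards to $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)")
    }
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object { $findings.Add("Inbox rule '$($_.Name)' on $($mbx.UserPrincipalName) forwards or redirects mail") }
}

# 5. Per-mailbox POP/IMAP left enabled: more password-only protocols to brute-force or replay.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    ForEach-Object { $findings.Add("$($_.PrimarySmtpAddress): POP=$($_.PopEnabled) IMAP=$($_.ImapEnabled)") }

if ($findings.Count) { $findings } else { 'No findings for the checked defaults.' }

Disconnect-ExchangeOnline -Confirm:$false
```

Step 4 calls Get-InboxRule once per mailbox, so on a tenant the size of the 40,000-user organization mentioned above it will run for a long time and may hit Exchange Online throttling; run it in batches or schedule it off-hours. Every check here is something the platform lets you turn on, which is the point of the paragraph above: the controls exist, but nothing in the default tenant turns them on for you.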

What does it mean for those that rely on Microsoft?

Organizations that are concerned with sophisticated adversaries should start planning to diversify their communications, collaboration and identity toolsets. Moving towards a model where encryption keys, identity services and communications channels don’t rely on Microsoft’s O365 core services will be critical.

While the Treasury and Commerce incidents point to confidentiality and integrity problems with O365, we have also seen months of availability issues which have disrupted businesses since March of this year. Taken together across all three security tenets, organizations would be well advised to begin diversifying away from Microsoft services for critical business functions, as more incidents are bound to follow.

Things we should worry about… that maybe we weren’t thinking of

As I wrote about in January of this year for IANS Research, SaaS applications’ reliance on SSL/TLS to secure communications is a fundamentally flawed design concept for organizations which have access to sensitive information. An attacker who gains code execution on the endpoint, for example through a relatively simple browser exploit, can install a rogue root certificate in the user’s trust store, after which that attacker can intercept and manipulate all data heading to cloud services such as O365 without the browser raising a single warning.

Organizations should begin to understand the scale and scope of how bad actors can manipulate SaaS network connections, especially in the current Work from Anywhere environment.
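The check a practitioner would want for the scenario above, as an added example that is not part of the original post and not HighSide’s code: a PowerShell audit of the Windows root certificate stores that flags the signals an injected interception root tends to leave behind. The three signals (a root with its private key present on the machine, a root issued very recently, and a root present only in the current user’s store, which needs no administrator rights to add) and the baseline-file path and 90-day threshold are this editor’s assumptions, not anything the post specifies.

```powershell
# Added example (editor's, not from the original post or HighSide).
# Audits root CA stores on a Windows endpoint for signs of an injected interception root.
# Baseline file location, threshold and the choice of signals are assumptions.

param(
    [string]$BaselinePath = "$env:ProgramData\root-baseline.txt",  # assumed: one thumbprint per line from a clean machine
    [int]$RecentDays = 90                                           # assumed threshold for "recently issued"
)

function Get-RootStoreEntries {
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotBefore  = $_.NotBefore
                HasKey     = $_.HasPrivateKey
            }
        }
    }
}

$entries  = Get-RootStoreEntries
$baseline = if (Test-Path $BaselinePath) { @(Get-Content -Path $BaselinePath) } else { @() }
$machine  = @($entries | Where-Object { $_.Store -eq 'Cert:\LocalMachine\Root' } | ForEach-Object Thumbprint)
$cutoff   = (Get-Date).AddDays(-$RecentDays)

$findings = foreach ($e in $entries) {
    $reasons = @()
    # A trusted root whose private key lives on this box is almost always a locally generated MITM CA.
    if ($e.HasKey) { $reasons += 'private key present on this machine' }
    # Public roots are years old; a freshly minted one deserves a look.
    if ($e.NotBefore -gt $cutoff) { $reasons += "issued within the last $RecentDays days" }
    # Per-user roots can be added by any process running as the user, no admin required.
    if ($e.Store -eq 'Cert:\CurrentUser\Root' -and $e.Thumbprint -notin $machine) { $reasons += 'present in user store only' }
    # Anything outside the known-good list from a reference machine.
    if ($baseline.Count -gt 0 -and $e.Thumbprint -notin $baseline) { $reasons += 'not in baseline' }

    if ($reasons.Count) {
        $e | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
    }
}

if ($findings) { $findings | Format-Table Store, Thumbprint, Subject, Reasons -AutoSize }
else           { 'No suspicious root certificates found.' }
```

To build the baseline on a known-clean reference machine, run `(Get-ChildItem Cert:\LocalMachine\Root).Thumbprint | Set-Content $BaselinePath` and distribute that file with your endpoint tooling. Note the limit of this check: it catches a rogue root that has already been installed, which is after the fact; the rest of this section argues for not depending on the browser’s trust store at all.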

Key actions that technology leadership should be taking immediately:

  • Develop a technology diversification plan that provides for separation of duties and capabilities, to assure that should one cloud provider be compromised (Microsoft, for example), it doesn’t lead to the complete compromise of the organization.
  • Deploy technologies which allow for true separation of duties and privileges to restrict access to sensitive information and protect against sophisticated attackers’ abuse of legacy security and encryption features like SSL and outdated identity protocols.
  • Create rapid-deployment plans for communications platforms which do not rely on back-end systems outside of the organization’s control, allowing security teams to communicate through channels which are not compromised along with the rest of the enterprise.

How HighSide Can Help

  • The move to cloud-delivered, transformative communications applications does not necessarily mean giving up the ability to secure and monitor critical business communications.
  • HighSide has spent the last 5 years developing the world’s most-resilient identity and communications security protocols. By building a system from scratch which doesn’t suffer from legacy security problems like those in SSL, HighSide’s users can count on true secrecy of their communications and the highest integrity of user identities.
  • For organizations which need specific guidance on how to avoid suffering from the problems that Treasury and Commerce are dealing with now, contact HighSide to help build a customized deployment plan to protect your information in ways that Microsoft never can.

Take 30 minutes and see for yourself how HighSide is revolutionizing data security, collaboration and data access control.