Solar Winds, Office 365 & Shipbuilding…


Early ships had a single continuous, connected hull. This was easier to build but easy to sink, because a breach anywhere filled the whole hull with water. Multiple watertight hull compartments made ships safer, and a vessel could be made virtually unsinkable if it were divided into enough small compartments. What’s that got to do with Solar Winds and Office 365?

 

Microsoft released a fascinating tech note on the impact of the Solar Winds breach, titled “Using Microsoft 365 Defender to protect against Solorigate.” According to that tech note, the hacker fans out from a single compromised Windows device in an organization as follows:

  1. Using the compromised SolarWinds DLL to activate a backdoor that enables attackers to remotely control and operate on a device
  2. Using the backdoor access to steal credentials, escalate privileges, and move laterally to gain the ability to create valid SAML tokens using any of two methods:
    1. Stealing the SAML signing certificate (Path 1)
    2. Adding to or modifying existing federation trust (Path 2)
  3. Using attacker-created SAML tokens to access cloud resources and perform actions leading to the exfiltration of emails and persistence in the cloud

Item 3 above grants the hacker access to Office 365, Azure AD, MCAS and beyond.  In short, if the organization is a “Microsoft shop,” it is guaranteed to be breached end-to-end. 

Enterprises that favor Microsoft security infrastructure are essentially ships with a single connected hull. A hole in one place ensures the ship sinks. In contrast, enterprises that use independent IdP, CASB, malware protection, etc., have hull compartments that ensure a leak in one compartment does not sink the ship, so to speak.
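The two token-forging paths in the list above leave different traces for a defender: a token signed with a stolen certificate never passes through the identity provider, and a modified federation trust appears in the directory audit log. The Python sketch below is an added example, not code from the original post or from Microsoft's tech note; the record fields, issuer URL and five-minute matching window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Azure AD audit activity names that record a federation trust change (Path 2).
TRUST_OPS = {"Set federation settings on domain", "Set domain authentication"}
APPROVED_ISSUERS = {"http://sts.example.com/adfs/services/trust"}  # hypothetical

# Constructed sample records; field names are simplified assumptions.
IDP_ISSUED = [  # tokens the on-premises IdP logged as issued
    {"user": "alice@example.com", "time": "2020-12-01T09:00:05"},
    {"user": "bob@example.com", "time": "2020-12-01T09:10:00"},
]
SIGNINS = [  # federated sign-ins recorded on the cloud side
    {"user": "alice@example.com", "time": "2020-12-01T09:00:07",
     "issuer": "http://sts.example.com/adfs/services/trust"},
    {"user": "bob@example.com", "time": "2020-12-01T13:45:00",
     "issuer": "http://sts.example.com/adfs/services/trust"},
    {"user": "carol@example.com", "time": "2020-12-01T14:00:00",
     "issuer": "http://sts.unknown.example/trust"},
]
AUDIT = [
    {"operation": "Update user", "target": "alice@example.com"},
    {"operation": "Set federation settings on domain", "target": "example.com"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def suspicious_signins(signins, issued, approved, window=timedelta(minutes=5)):
    """Return (reason, sign-in) pairs for federated sign-ins the IdP cannot explain."""
    findings = []
    for s in signins:
        if s["issuer"] not in approved:
            findings.append(("unapproved-issuer", s))  # consistent with Path 2
            continue
        t = _ts(s["time"])
        matched = any(i["user"] == s["user"]
                      and timedelta(0) <= t - _ts(i["time"]) <= window
                      for i in issued)
        if not matched:
            findings.append(("no-idp-issuance", s))  # consistent with Path 1
    return findings

def trust_changes(audit):
    """Return audit events that modify federation settings."""
    return [e for e in audit if e["operation"] in TRUST_OPS]

if __name__ == "__main__":
    for reason, s in suspicious_signins(SIGNINS, IDP_ISSUED, APPROVED_ISSUERS):
        print(reason, s["user"], s["time"])
    for e in trust_changes(AUDIT):
        print("trust-change", e["operation"], e["target"])
```

The correlation only works when the IdP issuance log is collected somewhere the compromised environment cannot rewrite, which is the compartment argument in log form.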


*** This is a Security Bloggers Network syndicated blog from Bitglass Blog authored by Nat Kausik. Read the original post at: https://www.bitglass.com/blog/solar-winds-office-365-shipbuilding