Following an internal investigation, Microsoft, despite being an early target in the SolarWinds campaign, said none of its systems were used to attack others – a fact the company attributed to its zero trust mindset.
The probe also found no evidence of access to Microsoft’s production services or customer data, according to a blog post penned by Vasu Jakkal, Microsoft corporate vice president of security, compliance and identity.
The findings offer lessons for all companies on the benefits of the zero trust model, she added, saying that a transition from implicit trust to explicit verification requires "protecting identities, especially privileged user accounts.” Such an approach will prevent hackers from taking advantage of gaps, like weak passwords or lack of multifactor authentication, “to find their way into a system, elevate their status, and move laterally across the environments targeting email, source code, critical databases and more.”
That's what attackers did in what Microsoft refers to as Solorigate, using abandoned app accounts with no multi-factor authentication to access cloud administrative settings with high privilege.
Vectra Chief Technology Officer Oliver Tavakoli applauded Microsoft's endorsement of a zero trust architecture.
“Microsoft points out that organizations should go one step further by adopting it as a mindset – accept that all of the initial lines of defense can fail and that security controls need to be layered across all systems critical to an organization,” he said.
But Brandon Hoffman, chief information security officer at Netenrich, questioned the connection, noting that “from a certain perspective, it’s not clear that taking a zero trust stance would have prevented this issue.” Although, it potentially would have avoided some of the damage, he explained, “it’s not clear that zero trust would have prevented the initial attack vector.”
Indeed, advocating for a zero trust plan at first blush seems prudent, “but is misleading here,” since the incident “isn’t about a user who should not be trusted, it is about the sourcing itself,” said Dirk Schrader, global vice president at New Net Technologies. “And for this scenario, the user and the IT administration will be overwhelmed at end. At some stage, trust needs to be established to be operational, and with thousands of changes incurred to files and settings when rolling out a Microsoft patch day update, the IT administration would certainly not want to check each and every change.”
Jakkal also used the blog to announce Microsoft's decision to close the book on the investigation, a decision that is also receiving mixed reviews among researchers. Greenlight President Kevin Dunne said it "marks the first step in the process of the security community recovering from the Solorigate attack."
“More time to investigate who is accessing critical infrastructure, applications, and data will result in reduced time to detecting and remediating breaches, which are inevitable in today's zero trust world," he added.
Most productive would be “to divert our combined energies from anatomizing the last attack, to preventing the next one,” agreed Hitesh Sheth, CEO at Vectra. “The connected world will care little how we assign responsibility for SolarWinds if we do not collaborate on next-level threat detection to blunt the impact of future attacks.”
But Hoffman questions the decision, saying it conflicts with other messaging coming from Microsoft. Just Sunday, Microsoft president Brad Smith said in the news program “60 Minutes” that more than one thousand developers were likely involved in the code that enabled the attack, describing it as “the largest and most sophisticated attack the world has ever seen."
“As the incident response has continued, it seems they were finding more and more areas affected by the SolarWinds issue," he said. "The fact that the investigation has concluded rather suddenly is an interesting move.”
