Microsoft is reportedly investigating whether hackers who have been abusing a series of Microsoft Exchange bugs managed to obtain sensitive information about the vulnerabilities after Microsoft privately shared certain details, including proof-of-concept exploit code, with various security partners.
It’s possible that one of these partners accidentally or intentionally leaked details to additional entities, until key details somehow fell into the hands of attackers, according to a report by Wall Street Journal report on Monday. Whether this scenario bears out as true or not, the story leads to a number of interesting questions regarding how companies determine which partners to share sensitive bug info with and which ones to exclude from that intel because the risks outweigh the benefits. Also, if a business partner did leak the critical information, what should be the consequences?
According to experts, mistakes can happen during the information-sharing process.
"Usually, if something goes wrong, it’s either due to human error or because there is a mismatch in expectations over how to handle the information," said Michael Daniel, president and CEO of the Cyber Threat Alliance (CTA). "For example, one side thinks the information can be shared more broadly within their organization; the other thought it would be restricted to specific individuals.
Sometimes a leak doesn't even have to result from a direct communication. Curtis Dukes, executive vice president, security best practices, at the Center for Internet Security (CIS), wondered if was possible that a security partner could have responded to the intel too quickly and too overtly, indirectly tipping off observant malicious actors through the "early release of protection measures within their product."
The four Exchange bugs were first exploited last January, with a second wave of attacks beginning on Feb. 28 and exploding in volume by March. According to sources, adversaries during the second wave leveraged automated scanning capabilities in order to identify Exchange users who were vulnerable to the exploit. The number of hacks at first were limited, but once Microsoft made the zero-days public on March 2 and issued emergency patches, malicious actors implemented a script that enabled them to launch a massive automated hack.
According to the WSJ, some of the tools used in the second-wave attack bear similarities to to proof-of-concept attack code that Microsoft had shared with certain antivirus companies and other security partners back on Feb. 23 through an information program called the Microsoft Active Protections Program, or MAPP.
But even if hackers caught wind of the exploit through information sharing, and/or expedited their attacks because of it, Dukes believes the MAPP tool its too vital to stop using it, as it provides a quick and efficient means for software vendors to update their tools and protect their customers.
“It’s a difficult choice, but in my opinion, [but] Microsoft acted responsibility by providing vulnerability details to vetted companies at the earliest opportunity," said Dukes. "I believe you want to err on the side of information disclosure to quickly provide protective measures against the vulnerability.”
If there were ever an organization that was to espouse the benefits of information sharing, surely an ISAC would be it. Indeed, Scott C. Algeier, executive director at the Information Technology - Information Sharing and Analysis Center, IT-ISAC, called info-sharing an “essential component of sound cybersecurity risk management.”
“Effective sharing enables organizations to identify and remediate attacks and to analyze and fix vulnerabilities," said Algeier. "We need to do all we can to continue to create a culture that promotes and rewards information sharing. Information about unpatched vulnerabilities is among the most sensitive information that is shared. If an adversary learns of the vulnerability before a fix can be applied, end-users are put at great risk. Coordinating the disclosure of vulnerabilities across companies and with security researchers is a common practice.”
However, that doesn’t mean that organizations can’t be judicious with whom they share intel. such decisions should operate on a need to know basis, said Bugcrowd founder and CTO Casey Ellis.
“A few areas that companies should consider before determining which partners to share sensitive information with are: evaluating how useful sharing the information is [and] the benefit to the defense of the internet," Ellis told SC Media. From a risk standpoint, these same organizations should also be “assessing how safe a partner’s data handling practices are and gauging to see if there are any conflicts of interest from a security or national security standpoint,” he continued.
This value vs. risk equation varies per partner and can change as time goes on. “Cyber risk is dynamic by nature, and policies around these sorts of decisions are always going to need updating as the environment changes and evolves," Ellis said.
Daniel there are three areas to be considered when participating in info-sharing programs like MAPP: relevance, capability, and trust.
"Relevance means whether the information provides some value to the receiving party. Relevance is not a static concept; it can change depending on the situation... Capability means the receiving entity can act upon the information in some manner, whether to protect their own systems or to protect other organizations’ systems... Finally, trust means that the sharing entity believes that the receiving entities will properly protect the information and use it appropriately."
But when assessing risk and trust, should organizations factor in the country in which info-sharing partners are based?
Consider this: Microsoft reportedly uses the MAPP program to communicate with about 80 security companies worldwide, including 10 based in China. This is potentially significant because Microsoft Exchange attacks have been linked to the reputed Chinese APT actor Hafnium, as have several other China-linked groups. (Earlier this month it was reported that at least 10 different groups at this point have been found to exploit the flaws.)
Ellis acknowledged that the "fluid state of global politics makes it necessary" to vet the location of a security partner. However, it "may introduce more prejudice than good." For that reason, experts said that geographic location should never be the sole factor in determining whether a company gains access or not.
Indeed, Ellis noted that benevolent researchers are everywhere. “It's useful to acknowledge that the vulnerabilities that are shared by programs like MAPP come in as a product of good-faith hacking from all around the world," he said. "The fact is that cyber risk doesn't acknowledge national boundaries, and the approach of engaging the global white hat community to counteract the capability of the global adversary is a logical way to level the playing field."
"The reason that it matters that companies are located in Russia or China is not because individuals in those companies cannot be trusted. It’s because the legal regimes of those countries require a company to give the government whatever information the government wants," said Daniel. "Thus, the legal regimes of different locations can have a bearing on whether you share with a particular partner."
If a company decides it is worth sharing key exploit information with another organization, the next advisable step is to clearly communicate expectations up front about how intelligence must be handled.
"If a group establishes clear guidelines and rules for how it will share information and how it expects members to behave, the less likely leaks are to occur," said Daniel.
Ellis suggested that companies may want to consider adopting a process similar to the U.S. Cybersecurity and Infrastructure Security Agency and Department of Homeland Security’s Traffic Light Protocol, which advises recipients on the level of discretion they must treat alerts. “It serves as a national frame of reference to help companies determine protocols for handling the sharing of sensitive information,” he said.
Algerier did not comment on the Microsoft's specific situation, but he did share how the IT-ISAC handles its own internal communications of network security intel.
“Companies share information about attacks they are seeing, collaborate on joint analysis, and share effective mitigation strategies," said Algerier. "We maintain our trust model through an established process for vetting members, by developing individual relationships with our members and through an enforceable Member Agreement that has repercussions on companies who violate it. It has been an effective model for us."
Algerier did acknowledge that leaks can be damaging for both the affected companies and the community at large. "The prospect of long-term exclusion from trusted forums serves as an added incentive for companies to respect confidentiality," he said.
Ellis agreed that there should be consequences if a company violates sensitive information. "Companies should be ejected unless there is a very clear mitigating reason categorizing the leak as an exception,” he asserted. “A chilling effect from this is an obvious potential downside, but this needs to be weighed against the larger downside of information leakage which puts the public at imminent risk.”
"The consequences should depend on the circumstances and the nature of the agreements in the sharing program," said Daniel. "An inadvertent action or human error should be treated differently than a deliberate violation of trust. Certainly, in some situations, it could be appropriate to eject an entity from the sharing group, but that should be up to the group."
A Microsoft spokesperson offered comments on the Exchange attacks and the investigation into a possible MAPP partner leak.
“We are looking at what might have caused the spike of malicious activity and have not yet drawn any conclusions. We have seen no indications of a leak from Microsoft related to this attack,” said the spokesperson. “The MAPP program is used successfully ahead of every Update Tuesday cycle. If it turns out that a MAPP partner was the source of a leak, they would face consequences for breaking the terms of participation in the program.”