Written by Adam Koblentz
In a January 19 blog post, Microsoft revealed that Midnight Blizzard, a well-known Russian state-sponsored threat actor, successfully compromised the corporate email accounts of some of its most sensitive trusted identities, including senior executives and key cybersecurity and legal personnel.
While Microsoft responded to and disclosed the incident effectively and responsibly once it was discovered, it’s the latest example of how most organizations – including major identity and access management (IAM) providers like Microsoft and Okta – have a critical gap in their approach to identity security.
Let’s take a closer look at what happened, why it matters, and what lessons the industry can apply in an effort to defend against identity-based threats more effectively.
According to Microsoft, Midnight Blizzard, the Russian threat actor group best known for executing the infamous SolarWinds attack in 2020, used a password spraying attack to compromise an account on its non-production tenants. The group then used that account’s privileges to gain access to the production email accounts of numerous Microsoft trusted identities.
Password spraying is a brute-force technique in which the threat actor tries the same small set of common passwords against many accounts, keeping the number of attempts per account low enough to avoid triggering failed-login lockout policies or rules-based threat detection.
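Because a spray keeps each account under the lockout threshold, per-account failure counts never fire; the pattern only shows up when sign-in failures are grouped by source across many accounts. The following detection logic, an added example that is not code from Microsoft, Reveal Security or the original post, runs over a constructed sign-in log and flags sources that fail against many distinct accounts while staying below the lockout threshold. The log format, field names and thresholds are assumptions chosen for illustration; map them onto your own identity provider's sign-in events.

```python
"""Password-spray detection over constructed sign-in events (added example).

Not Microsoft's, Reveal Security's or the original post's code. The CSV-like
log format, the thresholds and the sample IPs below are assumptions made for
this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: "timestamp,user,source_ip,result".
# 203.0.113.7  -> one guess against many accounts (spray pattern, one hit)
# 198.51.100.4 -> many guesses against one account (classic brute force)
# 192.0.2.10   -> benign user activity with a single typo'd password
SAMPLE_LOG = """\
2023-11-20T08:00:01Z,alice,203.0.113.7,FAIL
2023-11-20T08:00:05Z,bob,203.0.113.7,FAIL
2023-11-20T08:00:09Z,carol,203.0.113.7,FAIL
2023-11-20T08:00:13Z,dave,203.0.113.7,FAIL
2023-11-20T08:00:17Z,erin,203.0.113.7,FAIL
2023-11-20T08:00:21Z,frank,203.0.113.7,FAIL
2023-11-20T08:00:25Z,grace,203.0.113.7,SUCCESS
2023-11-20T08:01:00Z,alice,198.51.100.4,FAIL
2023-11-20T08:01:02Z,alice,198.51.100.4,FAIL
2023-11-20T08:01:04Z,alice,198.51.100.4,FAIL
2023-11-20T08:01:06Z,alice,198.51.100.4,FAIL
2023-11-20T08:01:08Z,alice,198.51.100.4,FAIL
2023-11-20T08:01:10Z,alice,198.51.100.4,FAIL
2023-11-20T08:02:00Z,bob,192.0.2.10,SUCCESS
2023-11-20T09:30:00Z,carol,192.0.2.10,FAIL
2023-11-20T09:30:20Z,carol,192.0.2.10,SUCCESS
"""


def parse_events(text):
    """Parse the constructed log into sorted (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    events.sort()
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, lockout_threshold=5):
    """Flag a source that fails against >= min_accounts distinct accounts inside a
    sliding window while every account stays at or under lockout_threshold
    failures (which is exactly why a per-account lockout never fires).

    Returns {source_ip: {"accounts": n, "max_failures_per_account": m,
                         "successes": [accounts that signed in from that source]}}
    A success from a spraying source is the signal that a guess landed.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):
            fails = defaultdict(int)
            successes = set()
            for ts, user, result in evs[i:]:
                if ts - start > window:
                    break
                if result == "FAIL":
                    fails[user] += 1
                else:
                    successes.add(user)
            if len(fails) >= min_accounts and max(fails.values()) <= lockout_threshold:
                prev = findings.get(ip)
                if prev is None or len(fails) > prev["accounts"]:
                    findings[ip] = {
                        "accounts": len(fails),
                        "max_failures_per_account": max(fails.values()),
                        "successes": sorted(successes),
                    }
    return findings


if __name__ == "__main__":
    for ip, f in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {f['accounts']} accounts, max {f['max_failures_per_account']} "
              f"failure(s) each, successes={f['successes']}")
```

Only the spraying source is reported: the single-account brute force exceeds the lockout threshold and is the case lockout policies already cover, and the benign user never touches enough accounts. Tune `min_accounts` and `window` to your tenant's size; on a large tenant a real spray is typically slower and wider than this sample.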
Microsoft believes that the initial breach occurred in late November 2023, suggesting that Midnight Blizzard had access for over a month before Microsoft detected it and responded. While this is a better-than-average time to detection, it was still plenty of time for a motivated threat actor to execute a systematic threat campaign.
In this case, Microsoft indicated that the campaign focus was on gaining intelligence about Microsoft’s research and defensive measures relating to Midnight Blizzard themselves. According to Microsoft, “there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.”
The new ‘material’ world
While the confirmed impact of this breach is still unfolding, it nonetheless represented a “material breach” for Microsoft. Microsoft’s filing of a Form 8-K with the U.S. Securities and Exchange Commission (SEC) for this incident is a high-profile example of the new requirements that regulators are placing on companies to disclose cybersecurity breaches promptly.
In this case, the SEC introduced a new rule in 2023 for cybersecurity risk management, strategy, governance, and incident disclosure. It requires organizations that experience a material breach to notify the SEC with an 8-K filing within four business days of becoming aware of the event. In this context, the word “material” is carried over from other areas of SEC oversight and applied to cybersecurity. An incident is considered “material” if a reasonable investor would find the information important in deciding whether to buy, sell, or hold a security, or if it would otherwise alter the overall set of data they are considering when making financial decisions.
More stringent disclosure requirements like this mean that even timely detection of threats, which is challenging in its own right, is not enough. Security teams must have the ability to gain a deep and accurate understanding of the breach details and impact quickly in order to mitigate both financial and reputational damage.
Early indications suggest that Microsoft was very fortunate that Midnight Blizzard did not exploit their trusted account access more aggressively. However, compromised trusted identities are frequently used as a jumping-off point for attack escalations such as:
- Moving laterally to other systems, applications, accounts, or network segments, in search of higher-level privileges or more sensitive data.
- Attempts to elevate privileges by exploiting system vulnerabilities, cracking passwords, or finding misconfigurations.
- Accessing sensitive data and exfiltrating it for various purposes, such as selling it on the dark web, using it for identity theft, or leveraging it for competitive advantage.
- Using a compromised account to disable security controls, making the network more vulnerable to future attacks and preventing the detection of their activities.
- Creating backdoors that will allow them to re-enter the network easily in the future, even if the original compromised account is secured.
- Using a compromised account to conduct additional phishing campaigns or other social engineering attacks against other employees, customers, or partners, leveraging the trust associated with the account to increase the chances of success.
The eventual business impacts of compromised trusted identities can be far-reaching, including financial loss, reputational damage, regulatory consequences, intellectual property leakage, higher cybersecurity insurance premiums, and more.
How traditional identity protection approaches are falling short
The elephant in the room with this latest breach is that Microsoft themselves, through their Azure Active Directory offering, are one of the companies that many enterprises turn to for the IAM capabilities they rely on to protect their trusted identities. This is in many ways a parallel to a breach that occurred at Okta, another widely used IAM platform, in October 2023. Okta’s incident was even more severe in that the threat actors were able to extend the attack to a subset of Okta’s customers.
Microsoft and Okta both have extensive identity security capabilities, as well as substantial knowledge and expertise about identity threats.
So how then did both companies fall victim to compromises of trusted identities?
The answer is that while most enterprises today have very sound preventative measures for identity security, including capable IAM platforms and best practices like multi-factor authentication, they are putting far too much faith in their effectiveness.
Even excellent IAM products, configured perfectly, will not stop 100 percent of identity-based attacks. Yet, most organizations implicitly trust authenticated users and do not have sufficient identity threat detection and response (ITDR) capabilities – post authentication – in place.
The industry is slow in waking up to this fact. For example, Gartner’s guidance as of more than a year ago was this:
“Conventional identity and access management and security preventive controls are insufficient to protect identity systems from attack. To enhance cyberattack preparedness, security and risk management leaders must add ITDR capabilities to their security infrastructure.”*
However, these recent breaches at Okta and Microsoft prove that even sophisticated organizations are still late to the party in this area.
The critical role of ITDR
When preventative identity security measures are circumvented successfully, ITDR provides a critical layer of detection, ensuring that:
- Malicious activity originating with trusted identities is detected quickly, before the threat actor can execute a more sophisticated, long-term campaign.
- Security teams have a detailed view of what happened, so they can execute a response and comply with mandated disclosure requirements in a timely and informed manner.
This isn’t trivial to do: many of the techniques that threat actors use, including those used against Microsoft, are specifically designed to evade traditional rules-based detection, and many traditional detection methods only operate at the infrastructure level rather than at the level of identities and the applications they use.
At Reveal Security, we overcome this challenge through a patented innovation we call Identity Journey Analytics™. It applies unsupervised machine learning to discover how human users with varying levels of privileges, as well as APIs, interact with applications. This allows us to establish precise baselines of normal behavior and quickly reveal any anomalies that indicate abuse of a trusted identity.
In the case of Microsoft, this technique would have acted as a powerful complement to their preventative IAM controls, detecting that trusted identities were being used in abnormal ways and shortening the time to detection and response. For example, our Identity Journey Analytics would have detected the initial reconnaissance of Microsoft’s production environment from a non-production tenant as anomalous behavior. Subsequent activities during the campaign, such as a privileged user reading the emails of other users, would also have been detected.
Identity Journey Analytics is also effective at detecting other forms of trusted identity misuse, such as insider threats and third parties using APIs in suspicious ways.
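The two preceding paragraphs describe the same detection idea: learn what each identity normally does (which tenant it acts from, which actions it performs, whose resources it touches) and flag activity that falls outside that baseline, whether the actor is an external intruder, an insider or a third-party API client. The following added example is not Reveal Security’s Identity Journey Analytics nor Microsoft code; it illustrates the general baseline-and-deviation approach with a simple per-identity frequency baseline standing in for an unsupervised model. The event schema, the feature choice, the rarity threshold and the constructed history are all assumptions made for this example.

```python
"""Per-identity baseline and anomaly scoring (added example).

Not Reveal Security's product logic and not Microsoft's code. A frequency
baseline stands in for an unsupervised model; the event schema and thresholds
are assumptions for illustration.

Event schema (assumed): (identity, source_tenant, action, target_owner)
  target_owner is the owner of the resource acted on, so reading your own
  mailbox is scope "self" and reading someone else's is scope "other".
"""
from collections import Counter, defaultdict

# Constructed history: a non-production service identity that only ever logs in
# and reads its own mail in the non-prod tenant, and an executive who works in
# the production tenant on their own mailbox. One rare but legitimate export.
HISTORY = (
    [("svc-test", "nonprod", "login", "svc-test")] * 10
    + [("svc-test", "nonprod", "read_mail", "svc-test")] * 10
    + [("exec1", "prod", "login", "exec1")] * 20
    + [("exec1", "prod", "read_mail", "exec1")] * 30
    + [("exec1", "prod", "send_mail", "exec1")] * 5
    + [("exec1", "prod", "export_mailbox", "exec1")] * 1
)

# Constructed new activity to score: a non-prod identity reaching into prod
# (the reconnaissance pattern described above), a privileged user reading
# another user's mail, one normal read, and one rare-but-seen export.
NEW_EVENTS = [
    ("svc-test", "prod", "list_users", "exec1"),
    ("svc-test", "prod", "read_mail", "exec1"),
    ("exec1", "prod", "read_mail", "exec1"),
    ("exec1", "prod", "read_mail", "legal1"),
    ("exec1", "prod", "export_mailbox", "exec1"),
]


def feature(event):
    """Reduce an event to the (tenant, action, scope) tuple the baseline tracks."""
    identity, tenant, action, target_owner = event
    scope = "self" if target_owner == identity else "other"
    return (tenant, action, scope)


def build_baseline(history):
    """Count how often each identity produced each feature tuple."""
    baseline = defaultdict(Counter)
    for ev in history:
        baseline[ev[0]][feature(ev)] += 1
    return baseline


def score_event(baseline, event, rare_fraction=0.05):
    """Return (score, reason): 1.0 never seen for this identity, 0.5 seen but
    below rare_fraction of its activity, 0.0 within the baseline."""
    identity = event[0]
    f = feature(event)
    seen = baseline.get(identity)
    if not seen:
        return 1.0, f"no baseline for {identity}"
    n = seen[f]
    if n == 0:
        return 1.0, (f"never observed for {identity}: tenant={f[0]} "
                     f"action={f[1]} scope={f[2]}")
    frac = n / sum(seen.values())
    if frac < rare_fraction:
        return 0.5, f"rare for {identity} ({frac:.1%} of its activity)"
    return 0.0, "within baseline"


def triage(baseline, events, threshold=0.5):
    """Return [(event, score, reason)] for events at or above threshold."""
    out = []
    for ev in events:
        score, reason = score_event(baseline, ev)
        if score >= threshold:
            out.append((ev, score, reason))
    return out


if __name__ == "__main__":
    for ev, score, reason in triage(build_baseline(HISTORY), NEW_EVENTS):
        print(f"{score:.1f} {ev} -> {reason}")
```

The scope feature is what makes "a privileged user reading other users' mail" stand out even when reading mail is that user's most common action, and keying the baseline on the source tenant is what makes a non-production identity acting on production resources a never-seen event rather than a routine one. A real deployment would learn sequences of actions rather than independent events and would also compare an identity against its peer group, so that a brand-new identity is not scored purely against an empty history.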
Today’s reality is that while most organizations have made tremendous strides with identity security in recent years, detection of identity-based threats post authentication remains a critical gap. In fact, an estimated 86 percent of successful security breaches use stolen credentials.**
ITDR is the critical missing piece that will complete your identity security strategy.
* Source: “Enhance Your Cyberattack Preparedness With Identity Threat Detection and Response,” Gartner, October 20, 2022.
** Source: “2023 Data Breach Investigations Report,” Verizon, June 6, 2023.