In some ways, things haven’t changed: zero-day compromises are still headline news. Last year, we saw numerous critical vulnerabilities in traditional infrastructure. On 2nd March 2021, Microsoft published details of vulnerabilities in on-premises Exchange Server which, according to Microsoft, had already been exploited by the Chinese state-sponsored group Hafnium. IT teams sprang into action patching servers, CISOs spent the week explaining the nature of the threat in simple terms, information security companies rushed to get the first blog post out about the vulnerability and what to do about it, and years of work hours were burnt across the world. On 9th December of the same year, we were hit by Log4Shell, the vulnerability in the Log4j logging library. According to The Washington Post, this was the ‘most serious’ vulnerability ever… as was Heartbleed in 2014 and many, many others. Possibly due to nostalgia, my favourites are Slammer and Blaster from the halcyon days of 2003, when cyber-crime was mostly spam and the odd pop-up.
For clarity, I am not implying that any of these vulnerabilities are not serious: they are. Thousands of engineers working through the night prevented catastrophes around the world and helped us keep moving forward. However, these are the highlights which hit the newspapers, the superstars of cybercrime. In a world where Microsoft and Google offer bug bounties of tens of thousands of dollars for a single flaw, finding and weaponising such vulnerabilities is increasingly the domain of nation states, and the mantra for the rest of us remains the same: patch everything as soon as you can.
However, your average cyber criminal no longer writes their own code. They rely on easy-to-use criminal services, such as Ransomware as a Service (RaaS) and off-the-shelf phishing kits, to run scams such as Business Email Compromise (BEC). BEC is best thought of as a man-in-the-middle attack on a business conversation: threat actors gain access to a mailbox (or set up a convincing lookalike of one), read the existing email threads, and then insert themselves into the conversation, typically to change the bank details on a legitimate invoice and defraud one or other party. To give an idea of the commercial implications, BEC yet again topped the FBI’s list of the costliest cyber crimes in America, at an estimated $2.4 billion in reported losses in 2021. Like the Hafnium campaign, these attacks target email; however, BEC actors much prefer cloud-hosted mail, Microsoft 365 (formerly Office 365), to traditional on-premises solutions. This is simply because it is easier: there is no need to hunt down a victim’s public mail server or to copy the look of their particular login screen to dupe users. Every tenant is reached through the same front door, https://outlook.office.com, and every tenant’s sign-in page looks the same, so a single phishing template works against everybody.
That sounds like bad news, I hear you say. Well, yes and no. Firstly, the actual server environment is likely to be considerably more secure than your traditional on-premises systems. Microsoft, for example, has spent, and continues to spend, billions hardening its environment, carrying out continuous penetration tests and offering bug bounties to root out flaws as soon as they are discovered. However, this is only half the story. The second half, and the reason that this kind of cyber crime is so lucrative, is organisations’ configuration of Microsoft 365, possibly due to a lack of understanding of what Microsoft 365 actually is. When organisations move their email to the cloud, there is not enough understanding that it is not just their mail which is being outsourced, but also the identity platform (Azure Active Directory) which authenticates every user, every device and every third-party app that touches the tenant. Traditional controls, such as reviewing transport (mail flow) rules so that nothing forwards or relays mail it should not, remain good actions, yet they cannot be done in isolation. If you are living in Microsoft 365, you need to think about the entire set of controls available to you: who can sign in, from where, with what second factor, and what they can do with the mailbox once they are in.
Where do we start, I hear you ask? Well, benchmarks such as the CIS Microsoft 365 Foundations Benchmark and Microsoft’s own Secure Score provide a holistic approach to hardening your environment, giving organisations a pre-defined framework of controls to work through rather than guessing which settings matter. They are a great place to start; by applying good controls and reviewing them on a continuous basis (a tenant’s configuration drifts as admins add exceptions), you will lower the likelihood of being breached and limit the impact of the breaches that do occur.
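As a concrete illustration of what “reviewing the controls” looks like in practice, the script below is an added example, not code from the article or from Microsoft or CIS. It audits one slice of the benchmark that matters most for BEC: every path by which mail can be silently copied out of a tenant (tenant-wide auto-forwarding, admin-set mailbox forwarding, and user-created inbox rules that forward or redirect). It assumes the ExchangeOnlineManagement PowerShell module is installed and that you sign in with an account holding the Exchange Administrator or Global Reader role; those are assumptions about your environment. It is read-only: it reports findings and prints the remediation command for each, and applies nothing.

```powershell
# Added example (not from the article): audit an Exchange Online tenant for the
# mail-forwarding paths that BEC actors abuse after compromising a mailbox.
# Assumes the ExchangeOnlineManagement module and an Exchange Admin / Global Reader role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Scope, [string]$Object, [string]$Finding, [string]$Fix)
    $findings.Add([pscustomobject]@{ Scope = $Scope; Object = $Object; Finding = $Finding; Fix = $Fix })
}

# 1. Tenant-wide: a remote domain with AutoForwardEnabled lets any user's inbox
#    rule forward mail off the tenant. The CIS M365 benchmark expects this off.
Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled } | ForEach-Object {
    Add-Finding -Scope 'RemoteDomain' -Object $_.Identity `
        -Finding 'AutoForwardEnabled is $true' `
        -Fix "Set-RemoteDomain -Identity '$($_.Identity)' -AutoForwardEnabled `$false"
}

# 2. Outbound spam policy: 'Automatic' or 'On' still permits external auto-forwarding.
Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.AutoForwardingMode -ne 'Off' } | ForEach-Object {
    Add-Finding -Scope 'OutboundSpamPolicy' -Object $_.Name `
        -Finding "AutoForwardingMode is $($_.AutoForwardingMode)" `
        -Fix "Set-HostedOutboundSpamFilterPolicy -Identity '$($_.Name)' -AutoForwardingMode Off"
}

# 3. Per-mailbox: admin-level SMTP forwarding set on the mailbox object itself.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } | ForEach-Object {
    Add-Finding -Scope 'MailboxForwarding' -Object $_.UserPrincipalName `
        -Finding "Forwarding to $($_.ForwardingSmtpAddress)$($_.ForwardingAddress) (DeliverToMailboxAndForward=$($_.DeliverToMailboxAndForward))" `
        -Fix "Set-Mailbox -Identity '$($_.UserPrincipalName)' -ForwardingSmtpAddress `$null -ForwardingAddress `$null"
}

# 4. Per-mailbox: inbox rules that forward or redirect. These survive a password
#    reset, which is why attackers create them; review every hit, not just
#    the ones pointing at external domains. This loop is slow on large tenants.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
            Add-Finding -Scope 'InboxRule' `
                -Object "$($mbx.UserPrincipalName) / '$($_.Name)' (Enabled=$($_.Enabled))" `
                -Finding "Forwards/redirects to: $($targets -join '; ')" `
                -Fix "Disable-InboxRule -Mailbox '$($mbx.UserPrincipalName)' -Identity '$($_.Identity)'"
        }
}

# Report: on screen for the reviewer, and to CSV as evidence for the next review cycle.
if ($findings.Count -eq 0) {
    Write-Host 'No forwarding paths found.'
} else {
    $findings | Format-Table Scope, Object, Finding -AutoSize -Wrap
    $findings | Export-Csv -Path ".\forwarding-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it on a schedule and diff the CSV against the previous run: a new inbox rule forwarding to an external address on a finance mailbox is exactly the kind of configuration change that turns a phished password into a six-figure invoice fraud, and it is far easier to spot as a delta than by reading the whole tenant each month.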
Returning to the start of the conversation: for most organisations, the largest attack surface is the Microsoft 365 tenant. Whereas there is little the vast majority of organisations can do against a nation-state threat actor such as Hafnium, apart from patching systems as soon as possible, organisations can make life considerably harder for the large percentage of threat actors who are simply after money, by taking advantage of the many controls already available within Microsoft 365. Moreover, if we all play our part by hardening our environments using benchmarks such as CIS and Microsoft Secure Score, we will not only benefit from fewer breaches of our own, but also help the wider community by limiting the revenue stream for cyber criminals. That, in turn, lowers the number of interested parties and allows the few organisations which do have the ability to address nation-state actors to dedicate their attention to those larger threats.