Microsoft Adopted an 'Aggressive' Strategy for Sharing SolarWinds Attack Intel

Rob Lefferts, corporate vice president for Microsoft 365 Security in Security and Compliance, explains the company's approach to keeping its customers and the industry apprised and updated on its findings from the now-infamous attack.

Kelly Sheridan, Former Senior Editor, Dark Reading

March 5, 2021

7 Min Read

In the wake of a widespread cyberattack, enterprise IT providers can play a key role in how businesses learn about and mitigate the security threat. That role has evolved as attacks grow more complex - and it presents a tricky challenge when a provider must keep businesses informed of an attack that has infiltrated its own walls and affected tens of thousands of its customers, as Microsoft experienced during the recent SolarWinds incident.

"A lot of the way it [the role] has changed is in the face of ever-increasing complexity and impact," says Rob Lefferts, corporate vice president for Microsoft 365 Security in Security and Compliance.

Microsoft faced this precise challenge a few months ago, following the major supply chain attack that initially targeted SolarWinds and distributed a backdoor Trojan to some 18,000 organizations via infected software updates. Microsoft was one of thousands affected by the tainted updates; using their access, the attackers were able to view some of its source code.

The company took steps to remediate the internal accounts that were used to view source code "in a number of code repositories." While security experts pointed out that this access could make some steps easier for attackers, Microsoft maintained that there was no increase in risk. The company has since reported there is no evidence that attackers gained extensive access to services or user data. 

Many across the industry refer to this incident as "the SolarWinds attack"; however, it's worth noting many victims didn't use SolarWinds at all. The same nation-state behind the malicious SolarWinds Orion updates infiltrated other organizations through their Microsoft 365 and Azure accounts. Malwarebytes also was a victim of this attack vector; Microsoft had alerted the security company to suspicious activity. 

"We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments," officials said in a blog post on the attack.

It's one of many attacks to take advantage of Microsoft applications: criminals have begun to target Microsoft 365 accounts as quickly as businesses adopt the platform. And as security pros point out, many of tactics could be avoided by simply turning on features built into Office 365 Enterprise plans – the problem is, attackers seem to know the suite better than defenders do. Some are abusing features that IT admins don't know exist.

As Microsoft investigated the extent of this attack on its own internal systems, researchers had the added responsibility of sharing intelligence that could be helpful to other organizations who may have also been infected. This took the form of more than a dozen blog posts in which internal Microsoft analysts published information about the SolarWinds attack as they learned it.

"We had a … pretty aggressive all-hands-on-deck approach of, 'We're going to take all the information that we get and make it digestible and publish it on our blog and share that," Lefferts says. 

The company last week released a free tool businesses can use to check their software for signs of the SolarWinds attack – the same queries Microsoft used to discover the malware in its own code. Prior to that, it released information it discovered on how attackers activated a second stage payload. Its latest blog post, published this week, details three new types of malware being used in late-stage activity by the threat it now refers to as "Nobelium."

Threat intelligence-sharing following an attack isn't new for Microsoft or other large IT providers, but this attack marked "a difference in scale" for its response, Lefferts points out. The size and complexity of the SolarWinds incident meant analysts had to take a deep dive into threat data, learn what was happening, make it accessible, and share it with other organizations.

"The reason that SolarWinds might've felt a little different was because of the amount of information and the gravity and significance of it for the industry," he explains, adding that "we went all the way from overview material to 'here's the query, go hunt for this in your environment,' and [businesses] were really able to take advantage of that." 

In addition to amplifying the amount of information Microsoft shared, this incident amplified businesses' concerns and questions around security posture. Lefferts says he has had more conversations about identity, and security assertion markup language (SAML), in particular, after the attack. Many are also understandably worried about how to detect and respond to this type of attack; however, oftentimes they're more worried about one than the other.

"Sometimes the way these events happen causes people to get excited about 'I just need better detection after the fact,'" he explains, and they don't think enough about preventing successful attacks in the first place. Some are preoccupied with detection but fail to think about response.

On a broader level, Lefferts says a component of enterprise education is building tools that can help information security teams do their jobs as security threats grow in size and complexity.

"There's this scale problem that's sort of endemic to technology – but thinking about security in particular, there's this real need to make sure that we directly help people because it is hard to hire and train the expertise that they need," he adds.

As an example, Lefferts describes Microsoft 365 Defender Threat Analytics, released this week in public preview. The tool is a set of reports meant to give security teams multiple perspectives on what's going on in their environment, as well as steps they should take to address incidents that arise. 

"Security is the number one concern IT leaders and CIOs have when they move to the cloud," says Sid Nag, vice president in Gartner's Technology and Service Provider Group, referencing a Gartner study. Many organizations have "full faith" in their cloud providers to address security, putting pressure on providers like Microsoft to strengthen their focus on it.

The pressure increases as more organizations move toward multi-cloud environments, he continues. As more businesses use multiple clouds at the same time, it calls into questioin how their security model is transposed across different cloud estates. Nag says the onus is on cloud providers, not business customers, to determine the right approach and offer solutions that companies need.

"The reality is that cloud is ... a journey for most organizations," Nag explains. "There's plenty of workloads and applications that are still sitting on prem that have not been moved to the cloud. As these workloads, especially the complex ones, move to the cloud, the challenges arise." 

Cross-Industry Collaboration Can Drive Education

A key lesson learned in the aftermath of SolarWinds was the importance of the security industry working together to share information on threats in a broader effort to educate businesses and the public – a point Microsoft president Brad Smith emphasized in his written testimony for last week's Senate hearing on the SolarWinds incident.

"Today, too many cyberattack victims keep information to themselves," Smith wrote. "We will not solve this problem through silence. It's imperative for the nation that we encourage and sometimes even require better information-sharing about cyberattacks."

Smith pointed out how the reason organizations know of this attack is because FireEye, which first detected the activity, was open about what it found in its systems. Without this level of transparency, he said, "we would likely still be unaware of this campaign." In his testimony, Smith called for a national strategy to improve how threat intelligence is shared across the security community, as well as the need for clear disclosure requirements in the private sector.

"There's some places I do feel that it's important for the security industry to take a step back and think about how this [attack] impacts the work that we do," Lefferts says. "Most of the conclusions we have drawn have been to accelerate things that we were already working on"

One of these projects was the implementation of zero trust, especially in a work-from-home environment, as well as new technologies like extended detection and response (XDR), which provides businesses with visibility across their endpoints, network, and cloud environments, he adds.

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights