Early ships had a single continuous, connected hull. That was easier to build, but easy to sink: a breach anywhere filled the whole hull with water. Multiple watertight compartments made ships safer, and a vessel could be made virtually unsinkable if it was divided into enough small compartments. What does that have to do with SolarWinds and Office 365?
Microsoft released a fascinating tech note on the impact of the SolarWinds breach titled “Using Microsoft 365 Defender to protect against Solorigate.” According to that note, the attacker fans out from a single compromised Windows device in an organization as follows:
1. Using the compromised SolarWinds DLL to activate a backdoor that enables attackers to remotely control and operate on a device
2. Using the backdoor access to steal credentials, escalate privileges, and move laterally to gain the ability to create valid SAML tokens using either of two methods:
   - Stealing the SAML signing certificate (Path 1)
   - Adding to or modifying existing federation trust (Path 2)
3. Using attacker-created SAML tokens to access cloud resources and perform actions leading to the exfiltration of emails and persistence in the cloud
Item 3 above grants the attacker access to Office 365, Azure AD, Microsoft Cloud App Security (MCAS) and beyond: a SAML token signed with the stolen certificate, or with a certificate the attacker added to the federation trust, is cryptographically valid to every cloud service that trusts that federation, so signature checks alone do not catch it. In short, if the organization is a “Microsoft shop,” a breach of its on-premises identity infrastructure reaches end-to-end.
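The following triage script is an added example and is not code from the original post or from Microsoft's tech note. It shows the two checks a defender is left with once forged tokens are in play: for Path 2, whether the certificate embedded in a SAML assertion is one of the tenant's known AD FS token-signing certificates; for Path 1, where the certificate is genuine and the signature verifies, whether AD FS actually issued the token, by correlating the assertion's subject and validity start with AD FS token-issuance events (event ID 1200 in the AD FS Admin log). The certificates, issuer URI, subjects, timestamps, the 60-minute token lifetime and the 5-minute correlation window are all constructed or assumed values for illustration.

```python
"""Triage of SAML assertions for the two token-forgery paths described above.
Added example; not code from the original post or from Microsoft's tech note.
Sample certificates, issuer URI, subjects, timestamps, the assumed 60-minute
AD FS token lifetime and the 5-minute correlation window are all constructed.

Path 2 (federation trust added/modified): the certificate embedded in the
    assertion is not one of the tenant's known AD FS token-signing certs.
Path 1 (signing certificate stolen): the cert and signature are genuine, so the
    only tell is that AD FS never issued the token. We look for a matching
    AD FS token-issuance event (event ID 1200) for the subject in a time window.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER certificate bytes (not real certificates).
LEGIT_CERT_B64 = base64.b64encode(b"constructed DER: contoso AD FS token-signing cert").decode()
ROGUE_CERT_B64 = base64.b64encode(b"constructed DER: attacker-added signing cert").decode()
EXPECTED_ISSUER = "http://sts.contoso.example/adfs/services/trust"  # assumed federation IssuerUri
MAX_LIFETIME = timedelta(minutes=60)   # assumed AD FS token lifetime policy
WINDOW = timedelta(minutes=5)          # assumed correlation window around NotBefore


def thumbprint(cert_b64: str) -> str:
    """SHA-1 thumbprint of a DER certificate, the form AD FS and Azure AD display."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()


def _ts(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def make_assertion(subject, issuer, not_before, lifetime, cert_b64):
    """Build a minimal SAML 2.0 assertion. The signature value is a placeholder:
    with a stolen key a forged signature is cryptographically valid anyway."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_1" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{_ts(not_before)}" NotOnOrAfter="{_ts(not_before + lifetime)}"/>
</saml:Assertion>"""


def parse_assertion(xml_text: str) -> dict:
    """Pull issuer, subject, validity window and embedded signing cert out of an assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": parse(cond.get("NotBefore")),
        "not_on_or_after": parse(cond.get("NotOnOrAfter")),
        "thumbprint": thumbprint(root.findtext(
            "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)),
    }


def triage(a: dict, known_thumbprints: set, adfs_events: list) -> list:
    """Return a list of findings; an empty list means the token looks legitimately issued."""
    findings = []
    if a["thumbprint"] not in known_thumbprints:
        findings.append("signing cert not in AD FS token-signing set (Path 2: added/modified trust)")
    if a["issuer"] != EXPECTED_ISSUER:
        findings.append("unexpected issuer")
    if a["not_on_or_after"] - a["not_before"] > MAX_LIFETIME:
        findings.append("lifetime exceeds AD FS token policy")
    issued = any(e["user"] == a["subject"] and abs(e["time"] - a["not_before"]) <= WINDOW
                 for e in adfs_events)
    if not issued:
        findings.append("no AD FS event 1200 for subject in window (Path 1: token never issued)")
    return findings


def run_samples() -> dict:
    """Constructed sample: one genuine token, one golden-SAML token, one from a rogue cert."""
    t0 = datetime(2020, 12, 14, 9, 0, tzinfo=timezone.utc)
    known = {thumbprint(LEGIT_CERT_B64)}
    # Constructed AD FS 1200 record: AD FS issued a token to alice 30 s after t0.
    adfs_events = [{"user": "alice@contoso.example", "time": t0 + timedelta(seconds=30)}]
    samples = {
        "legit": make_assertion("alice@contoso.example", EXPECTED_ISSUER, t0,
                                timedelta(minutes=60), LEGIT_CERT_B64),
        "golden_saml": make_assertion("admin@contoso.example", EXPECTED_ISSUER,
                                      t0 + timedelta(hours=2), timedelta(minutes=60), LEGIT_CERT_B64),
        "rogue_cert": make_assertion("admin@contoso.example", EXPECTED_ISSUER,
                                     t0 + timedelta(hours=3), timedelta(minutes=60), ROGUE_CERT_B64),
    }
    return {name: triage(parse_assertion(xml), known, adfs_events) for name, xml in samples.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {findings or 'OK'}")
```

In a real tenant the known thumbprint set comes from the federation settings (the `SigningCertificate` and `NextSigningCertificate` values of `Get-MsolDomainFederationSettings`), and the Path 1 correlation is only trustworthy if AD FS event logs are forwarded to a store the attacker who owns the AD FS server cannot edit; a golden SAML token with a normal lifetime and the real certificate passes every other check.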
Enterprises that standardize on Microsoft for their identity and security infrastructure are, in this sense, ships with a single connected hull: a hole in one place sinks the whole ship. In contrast, enterprises that use an independent IdP, CASB, malware protection and so on have watertight compartments, so a leak in one compartment does not sink the ship. The compartments only hold if they do not share a trust root: an independent IdP whose signing key lives on a domain-joined server the attacker already controls is the same hull under a different name.