S1 EP. 16: Attackers bypass MFA, U.S. Gov’t Goes After Russian Hackers in Microsoft Case, Google Next Highlights

Apr 16, 2024 · 24 min · Ep. 16

Episode description

Navigating the Complex Landscape of IT Security: MFA, Russian Hackers, and Google's Innovation

This video explores the current state of enterprise IT security, emphasizing the widespread adoption of multi-factor authentication (MFA) and its vulnerabilities, including MFA fatigue, SIM swapping, and session cookie theft. It discusses a recent emergency directive by CISA in response to Russian hackers stealing sensitive correspondence from Microsoft, underlining the importance of immediate action by federal agencies to secure their systems. Additionally, the video highlights announcements from the Google Next Conference, particularly focusing on the new AI-driven cybersecurity solutions like Gemini for cloud and cybersecurity, AI assistance in coding, and advancements in AI-powered threat defense, demonstrating Google's commitment to enhancing data privacy and security in the face of increasing cyber threats.

00:00 Breaking News: Russian Hackers Target Microsoft
00:00 Introduction
00:48 Welcome to the State of Enterprise IT Security Edition
01:52 Growing Challenges with Multi-Factor Authentication (MFA)
09:11 U.S. Government on High Alert: Russian Hackers Steal Sensitive Data
16:15 Innovations and Security Insights from Google Next Conference
23:16 Closing Thoughts on Enterprise IT Security

Transcript

Introduction

On Thursday, they issued an emergency directive mandating that all federal agencies immediately hunt for signs of a known Russian APT that broke into Microsoft's corporate network. And then they pivoted to steal some sensitive correspondence from U.S. government agencies. And this directive comes, I think, a little less than three months after Microsoft confirmed that attackers also stole source code from them. And here's the thing.

They think that this group might still be poking around in their internal system.

Welcome to the State of Enterprise IT Security Edition

Hey everybody. I'm Brad Bussie, chief information security officer here at e360. Thank you for joining me for the State of Enterprise IT Security Edition. This is the show that makes IT security approachable and actionable for technology leaders. I'm happy to bring you three topics this week. The first: as MFA, which is multi-factor authentication, adoption grows, so do MFA bypasses. Second, U.S. government on high alert as Russian hackers steal critical correspondence from Microsoft.

And third, announcements from Google Next Conference. So with that, let's get started.

Growing Challenges with Multi-Factor Authentication (MFA)

Now, first topic of today: as MFA adoption grows, so do MFA bypasses. So multi-factor authentication, MFA, is really now a mandate for most organizations and accounts. You need it to get things like cyber insurance policies for an organization. And it's even part of a presidential executive order. And it's interesting because just as all of this is starting to get enforced in organizations, attackers are now finding a way to bypass it.

So what I thought I'd do is talk a little bit about how attackers are bypassing MFA and some of the things that you can do, not just as a user, but as a cyber professional or an IT person in your organization. So one of the first styles of attacks when it comes to MFA is what's called MFA fatigue. And this is where a threat actor essentially peppers a target user with alerts just to confirm authentication. And what they're hoping for is somebody is just going to get tired of it and approve the authentication request.

And this actually does happen because the user starts to think, well, maybe the issue is on my side. Maybe my email needs some kind of authentication or one of my applications is freaking out. And if I approve it, it'll stop. And interestingly, if you do approve it, it does stop. But the reason it stops is someone now has that token or that six digits or just the push authentication, which then gives them access.

So what's interesting here is that Apple has seen the style of attacks, but it took it one step further. Not only was the user getting peppered with all of these requests, the user then got a phone call from someone that was pretending to be Apple support and said, "Hey, there's a problem with your account. We need you to read us the six-digit code that just popped up."

"Yes, we understand there were like thousands of them all of a sudden, but that last one, why don't you go ahead and read it to us and then we can fix it." So not only are we talking about MFA fatigue, but we're also talking about social engineering, to a certain extent. And Microsoft has gone on record saying that they see somewhere in the realm of 6,000 MFA fatigue requests every day in their organization.

So people are targeting Microsoft, and just think of that: 6,000 of these a day for just one organization. A second way that MFA is having some challenges is with what's called SIM swapping. So inside of a phone or device, you have a SIM card, and there are ways of cloning a SIM card without it even leaving your device. So if you're interested in that, there's a whole bunch of information on how to do that. Please don't. And if you're trying to do it for nefarious purposes, really don't.

Because it's a bit of a challenge for cyber professionals: a lot of users don't want to use an MFA app. They don't want to use a token app. They don't want to use something like that. So what's the next best thing? Well, you get a text message. Now, if I've cloned your SIM card, guess what's going to happen when a text message goes out? I'm going to get that as the attacker. So then I've got the code, and then I can go on and continue to attack you, take over your email, move laterally, all that bad stuff.

Third way that MFA is having some challenges is around what's called session cookie theft. And that is where a threat actor will swipe what I like to call the browser's hall pass, and that is the session cookie. It's just a stored string of characters that allows for, think of it as like, re-entry into an application or system without re-entering a password.

So essentially all the good stuff like, hey, I know who this person is, they are who they say they are, they're coming from a device that says that it is what it is, we verified that, we don't need to necessarily check that again for 30 minutes. So then it creates one of these session cookies. It's just kind of how applications work. In a zero trust environment, it actually would check each authentication and authorization request, so this kind of theft doesn't really happen.

Most organizations are still implementing zero trust. It's not fully there. So this one is a bad one. This actually impacted Okta back in October of 2023, and that's how some of their customers got compromised. Now, probably the more useful thing when it comes to this is, what can you actually do about it? So when it comes to cookie theft, one of the best things you can do is just shorten the amount of time that a cookie is valid before it expires.

Some applications, it's like 90 minutes; some are days; others are minutes. And those are the types of applications that I like: just kind of limit how long that cookie's alive. I would say the gold standard, and this is something that comes from CISA, and you hear me talk about CISA pretty often, is really focusing on protecting multi-factor overall, and that's creating phishing-resistant MFA.

And this is using something like a smart card, or what we call a FIDO security key, where only the key owner has access to their device. So think of it as something you have, something you know, and then take it one step further with something you are: your face, your fingerprint, things like that. And really, even a one-time code sent to a phone is not bad. It's not the worst way to authenticate. And I would say any MFA is better than no MFA at all.

U.S. Government on High Alert: Russian Hackers Steal Sensitive Data

But I would say, because of some of the things that we talked about, just making sure that we have another factor of authentication for the important things, that's where I would be angling for. Second thing that I wanted to talk about today is the U.S. cybersecurity agency, CISA.

Again, on Thursday, they issued an emergency directive mandating that all federal agencies immediately hunt for signs of a known Russian APT that broke into Microsoft's corporate network, and then they pivoted to steal some sensitive correspondence from U.S. government agencies. And this directive comes, I think, a little less than three months after Microsoft confirmed that attackers also stole source code from them.

And here's the thing, they think that this group might still be poking around in their internal systems. And you've heard me say this on a previous podcast, I don't like to say the name of the attacker group because I feel that it gives them notoriety and some power. So I'm not going to do it. So if you want to know who they are, you can look up the actual breach from three months ago and read more about this hacker.

So according to the directive from CISA, federal agencies need to analyze the content of exfiltrated emails, reset any compromised credentials, and take additional steps to ensure that authentication tools for privileged Microsoft Azure accounts are secure. So what they're saying here is anytime that you think you've been part of a breach, or you've been notified that you are part of a breach, one of the first things you should do is go and reset compromised credentials.

I say, take it a step further: reset everything. So if you get one of those letters in the mail that says, "Oh, sorry. You know, someone went through our systems and they now have your username, password, blah, blah, all that kind of stuff. Here's your free credit monitor. Thank you." Great. Take your credit monitoring, but then go and cycle all of your usernames and passwords. Especially, and I know some of you are going to kind of go, "Oh, that's me," if you are using variations of the same password on all of your different websites, accounts, anything like that.

And for those of you that use the same password for everything, I don't even know what the word I'm going to use is. How about: don't. And try a password manager, because if you don't have the time to remember and change and do variations, it does all that for you. And you can find free ones. It's definitely better than what you're doing now.

So when it comes to the compromise of the Microsoft system, a lot of it was the corporate email accounts, and there was that exfil of correspondence between government agencies and Microsoft. And that's where the real concern happens: since this is a Russian attacker, they are looking at this from the government standpoint, the different agencies that are communicating with Microsoft, and it's kind of working its way out as a blast radius. So that's what we're really concerned about, that's what CISA is concerned about, and that is what Microsoft is concerned about now.

Microsoft has represented to CISA that for the subset of affected agencies whose emails perhaps contained things like authentication secrets, that would be like credentials or passwords (why that was in there, I don't know, but it happened), Microsoft said that they'll provide metadata for those agencies. And what that means is they can take that metadata and see what the impact looks like in their systems. So a lot of this is for the agencies that are impacted, but I think this is just an interesting story because it goes to show even large organizations continue to struggle with this. And the larger the org, it seems like the more that they're being attacked, especially by well-funded nation-states.

So Microsoft, after providing this metadata, they are basically saying that this was a professional hacking team that used not like an old style of attack, but a common style, which is a password spray, to compromise a legacy non-production test tenant, and that's how they gained their foothold. So just keep this in mind when you're thinking about, well, how did these attacks continue to happen?

We've got, you know, multi factor authentication, which we just talked about. We've got all of these hardened systems. We have all of these things. A lot of the time, the challenge comes from tech debt. It's these old systems that someone still needs for some reason. You can't turn them off. You can't change the password. You can't even look at the system wrong or it crashes and next thing you know, you've got a bunch of people that are unable to work.

So when it comes to those types of systems, we need to wrap some additional layers and controls around them, because if they're still being used, even in development, this is a great example of how you can still establish a foothold in some systems. Because developers, system admins, engineers, sometimes we create these backdoors into systems just for us. It's just meant for us. But next thing you know, somebody else is using that type of a backdoor to get into other systems.

So if you're creating something just for you to use in your application, your systems, your network, I'm going to bet money that somebody else is going to find and use that. So I would recommend: A, don't create it; B, if you are creating it during development, document it and make 100 percent sure that it is no longer accessible.

Innovations and Security Insights from Google Next Conference

Third topic for today is the Google Next conference, which I recently attended, and I got to learn a lot about some of the new solutions, products and features. So one of the interesting things was Gemini for cloud and cybersecurity. So many of you probably remember the experiment by Google, which was known as Bard. Well, Bard was powered by a large language model, gen AI, and the name that it's going by now is Gemini. So Bard is gone. You can still type bard.google.com.

It'll take you to Gemini. Same good stuff. I'm not going to say same. Better stuff. A lot better. More to the large language model now. So I attended the conference. It was full of innovative solutions. I mean, I walked the show floor and, this is kind of funny, I had an AI scan my face and then tell me what job I'm most likely to have. And apparently it thinks I should have been a firefighter, an astronaut, or a journalist. I think that was a bit of a range, but I'll allow it.

I think it missed the mark a little bit. I mean, it did skip cybersecurity professional, but hey, I think, you know, they're still training the model. So it's not perfect yet, but Google introduced a bunch of new features that provide AI assistance to help customers work code, identify and resolve security threats. And what I found also interesting is they've expanded access to some of the general AI models, and they introduced something called an AI hypercomputer and AI-powered Workspace features as part of their enterprise offering.

So starting from this conference, Google is upgrading some of the features like, we'll call it, Gemini Code Assist, and that can generate and test code for developers, which is pretty exciting. And then they're also providing some more AI-driven tools to help security operations.

So this really is helping an organization spot threats and summarize the intelligence that's been discovered and/or fed into the system, and then, I like, take action against the threat and/or attack. So Gemini has a threat intel component. Now it's in preview, but it's still functional, which I definitely like. It uses natural language to deliver, think of it as like, a deeper insight about how threat actors actually behave.

And I think what's useful about this is that it does use that natural language. There's a pretty large context window that enables anybody to analyze bigger and bigger samples of potentially malicious content. And that can be code, that can be a bunch of different things, and it just gives you better results. One of the things that I liked, that I saw as some good value, is the AI security add-on, and that's really looking at data privacy and security.

Because those continue to be top of mind for me, top of mind for you. And with gen AI really taking center stage, what's interesting is data breaches increased 20% last year, and I think the bigger that gen AI gets, we're going to start seeing more and more breaches. Because as you've heard me talk about previously, if you haven't done data governance correctly, the biggest insider threat you can introduce into your organization is generative AI.

It is this large language model, because the model is just going to do what it's been primed to do, what it's learned to do. And in some cases, you're going to ask it a question. What's its job? It's going to go get you the answer to that question. It doesn't know if it's necessarily supposed to have access to that information; if it does have access to it, it's going to pull it back and it's going to give it to you. And if you have users that are giving PII or information to these gen AIs and it's not supposed to go out, well, it doesn't know that it's not supposed to go out. So we're needing to wrap more and more security controls around this. And this is what Google has identified. So they're starting to add more components to their security suite to help with all of the things that I just talked about.

And they are starting to weave Gemini into Gmail, into Workspace, and they're bringing the whole zero trust principles into augmenting Gemini and helping to deliver AI-powered threat defense. And I look at this as, you know, our job in security, it's never done. And with the way that the market is innovating, really, I love organizations that are focused on helping to keep us, helping to keep our data safe.

And I think when you look at some of the neat things that Google's doing, things like, you know, extending DLP controls, allowing classification labels into Gmail, they're not the only ones doing this, but I just was drinking a whole lot of Google Kool-Aid over the past week. And I walked away from the experience really, really happy with a lot of the security things that I'm starting to see get woven into that whole suite.

Closing Thoughts on Enterprise IT Security

So thank you for joining me, and I look forward to next time on the State of Enterprise IT Security Edition.
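Added example, not part of the episode transcript and not code from Microsoft, Google, CISA or any vendor: the MFA fatigue pattern described in the first topic (a burst of push prompts to one user, followed by an approval) is something a defender can look for in sign-in logs. The script below runs that check over a constructed set of JSON-lines sign-in events. The log format, its field names (`ts`, `user`, `event`, `ip`), the event names and the 10-minute window and 5-prompt threshold are all assumptions chosen for the demo, not any identity provider's schema.

```python
"""Flag MFA push-fatigue bursts in sign-in logs.

Added example for this episode page; not code from the show, Microsoft, or
any vendor. The JSON-lines log format, its field names (ts, user, event, ip),
and the 10-minute / 5-prompt thresholds are assumptions chosen for the demo.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice is hammered with push prompts and finally
# approves one (the fatigue pattern); bob approves a single normal prompt;
# carol denies two prompts, which should stay below the burst threshold.
SAMPLE_LOG = """\
{"ts": "2024-04-11T08:00:00Z", "user": "alice", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2024-04-11T08:00:09Z", "user": "alice", "event": "push_denied", "ip": "203.0.113.7"}
{"ts": "2024-04-11T08:01:00Z", "user": "alice", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2024-04-11T08:02:00Z", "user": "alice", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2024-04-11T08:02:12Z", "user": "alice", "event": "push_denied", "ip": "203.0.113.7"}
{"ts": "2024-04-11T08:03:00Z", "user": "alice", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2024-04-11T08:04:00Z", "user": "alice", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2024-04-11T08:05:00Z", "user": "alice", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2024-04-11T08:05:31Z", "user": "alice", "event": "push_approved", "ip": "203.0.113.7"}
{"ts": "2024-04-11T09:10:00Z", "user": "bob", "event": "push_sent", "ip": "198.51.100.4"}
{"ts": "2024-04-11T09:10:08Z", "user": "bob", "event": "push_approved", "ip": "198.51.100.4"}
{"ts": "2024-04-11T10:00:00Z", "user": "carol", "event": "push_sent", "ip": "192.0.2.25"}
{"ts": "2024-04-11T10:00:06Z", "user": "carol", "event": "push_denied", "ip": "192.0.2.25"}
{"ts": "2024-04-11T10:03:00Z", "user": "carol", "event": "push_sent", "ip": "192.0.2.25"}
{"ts": "2024-04-11T10:03:04Z", "user": "carol", "event": "push_denied", "ip": "192.0.2.25"}
"""

WINDOW = timedelta(minutes=10)   # how far back a burst is counted (assumption)
BURST_THRESHOLD = 5              # prompts inside WINDOW that count as fatigue (assumption)


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_fatigue(events, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return one finding per user whose push prompts exceeded the threshold.

    A burst that ends in a push_approved (within one window of its last
    prompt) is rated high: that is the moment the attacker gets a session.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        prompts = [e for e in evs if e["event"] == "push_sent"]
        start = 0
        for end, prompt in enumerate(prompts):
            # slide the window so prompts[start..end] all fall within it
            while prompt["ts"] - prompts[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count < threshold:
                continue
            first, last = prompts[start]["ts"], prompt["ts"]
            approved = any(
                e["event"] == "push_approved" and first <= e["ts"] <= last + window
                for e in evs
            )
            ips = sorted({e["ip"] for e in evs if first <= e["ts"] <= last})
            # keep the largest burst seen for this user
            if user not in findings or count > findings[user]["prompts"]:
                findings[user] = {
                    "user": user,
                    "prompts": count,
                    "approved": approved,
                    "severity": "high" if approved else "medium",
                    "first": first.isoformat(),
                    "last": last.isoformat(),
                    "source_ips": ips,
                }
    return sorted(findings.values(), key=lambda f: f["user"])


if __name__ == "__main__":
    for finding in detect_fatigue(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding))
```

The check counts prompts sent rather than denials, because a flood of sign-in attempts shows up even when the user never responds; an approval inside the same window is what turns a nuisance into a compromise, and that is the finding that should trigger the credential reset the CISA directive describes, plus revoking the session that approval created.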

Transcript source: Provided by creator in RSS feed