By Chris Reid, Cybersecurity Strategist
Microsoft Security Incident by ‘Storm-0558’: What Happened?
So, you may have heard that Microsoft has had a couple of security incidents recently. With cyberattacks continually growing in sophistication and sheer number, no organization is completely immune, but there are ways to harden your environment. In this blog, we will examine the incident Microsoft attributes to the China-based threat actor it tracks as Storm-0558 and look at ways to reduce your own risk.
First, let’s break down what Microsoft has released.
- Microsoft got hacked. Microsoft attributes the intrusion to a China-based, espionage-focused threat actor it tracks as Storm-0558.
- Storm-0558 acquired a Microsoft account (MSA) consumer signing key and used it to forge authentication tokens. Because of a token-validation flaw in Microsoft's code, tokens signed with that consumer key were also accepted for enterprise accounts, which let the actor read mail in Exchange Online and Outlook.com mailboxes at roughly 25 organizations, including government agencies.
- Microsoft revoked the stolen key, so tokens signed with it are no longer accepted, replaced it with a new key, and fixed the validation flaw.
- According to Microsoft, the issue is fully mitigated and no customer action is required; the details were published in the interest of transparency, and affected organizations were contacted directly. One caveat worth keeping in mind: "mitigated" stops new forgeries, but it does not undo mail that was read before the key was revoked, and only your own audit logs can tell you whether your mailboxes were touched.
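To make the second and third bullets concrete, here is an added example (not Microsoft's code, and not from the original post) of the two things a stolen signing key enables and prevents. It models the flaw pattern Microsoft described: a validator that trusts any key in a shared keyring for any issuer, next to a hardened validator that first checks that the key named in the token's `kid` header is one the expected issuer is allowed to sign with. Everything here is simplified and constructed: the real MSA and Azure AD keys are RSA keys published as JWKS, whereas HMAC secrets are used so the example runs offline with the standard library; the key ids, issuer URLs and audience are illustrative, not Microsoft's actual values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing keys, one per issuer (assumption: HMAC secrets stand in for
# the RSA keys a real identity provider would publish). Key ids are illustrative.
KEYRING = {
    "consumer-key-1": b"consumer-signing-secret-CONSTRUCTED",
    "enterprise-key-1": b"enterprise-signing-secret-CONSTRUCTED",
}
# Which issuer each key is permitted to sign for: the scoping the weak path ignores.
KEY_ISSUER = {
    "consumer-key-1": "https://login.live.com",
    "enterprise-key-1": "https://login.microsoftonline.com/contoso",
}
MAIL_AUDIENCE = "https://outlook.office365.com"  # illustrative audience value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWT-style token with the named key: exactly what a stolen key lets an attacker do."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYRING[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token: str):
    """Return (header, claims) if the signature verifies under the key named by kid, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    key = KEYRING.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return header, claims


def _claims_ok(claims: dict, expected_iss: str, expected_aud: str) -> bool:
    return (claims.get("iss") == expected_iss
            and claims.get("aud") == expected_aud
            and claims.get("exp", 0) > time.time())


def validate_weak(token: str, expected_iss: str, expected_aud: str):
    """Flawed pattern: every key in the shared keyring is trusted for every issuer.
    The iss claim is checked, but nothing ties the signing key to that issuer, so a
    token signed with the consumer key can simply claim to come from the enterprise issuer."""
    result = _verify_signature(token)
    if result is None:
        return None
    _header, claims = result
    return claims if _claims_ok(claims, expected_iss, expected_aud) else None


def validate_strict(token: str, expected_iss: str, expected_aud: str):
    """Hardened: the key named by kid must be one the expected issuer is allowed to use."""
    result = _verify_signature(token)
    if result is None:
        return None
    header, claims = result
    if KEY_ISSUER.get(header.get("kid")) != expected_iss:
        return None  # valid signature, wrong key scope: reject
    return claims if _claims_ok(claims, expected_iss, expected_aud) else None


def forged_token_outcomes():
    """Forge an enterprise mailbox token with the consumer key; return (weak_accepts, strict_accepts)."""
    enterprise_iss = KEY_ISSUER["enterprise-key-1"]
    forged = sign_token("consumer-key-1", {
        "iss": enterprise_iss,  # the attacker just asserts the enterprise issuer
        "aud": MAIL_AUDIENCE,
        "sub": "victim@contoso.example",
        "exp": int(time.time()) + 3600,
    })
    weak = validate_weak(forged, enterprise_iss, MAIL_AUDIENCE) is not None
    strict = validate_strict(forged, enterprise_iss, MAIL_AUDIENCE) is not None
    return weak, strict


def legitimate_token_outcomes():
    """A token signed with the proper enterprise key passes both validators."""
    enterprise_iss = KEY_ISSUER["enterprise-key-1"]
    token = sign_token("enterprise-key-1", {
        "iss": enterprise_iss, "aud": MAIL_AUDIENCE,
        "sub": "alice@contoso.example", "exp": int(time.time()) + 3600,
    })
    return (validate_weak(token, enterprise_iss, MAIL_AUDIENCE) is not None,
            validate_strict(token, enterprise_iss, MAIL_AUDIENCE) is not None)


if __name__ == "__main__":
    print("forged token accepted by (weak, strict):", forged_token_outcomes())
    print("legit token accepted by (weak, strict):", legitimate_token_outcomes())
```

Two things to take from it. First, checking the `iss` claim is not enough; the validator has to bind the key to the issuer, which is what the third bullet's fix amounts to. Second, the strict validator does nothing against an attacker who holds the right key for the right issuer, which is why the other half of the response was revoking and rotating the key: key scoping limits the blast radius of a stolen key, revocation is what ends its usefulness.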
Great! They told us what happened, and they fixed it… which is exactly what each of our organizations should be doing. Sure, Microsoft has nearly unlimited money and resources to find and remediate these issues, but that doesn't mean it is the only one who can. Let's look at the processes that likely ran behind the scenes to show that any organization can work through a problem like this.
Microsoft almost certainly has analysts watching for bad behavior day and night, but in this case the first signal came from outside: Microsoft's own timeline says the investigation started in mid-June 2023 after a customer reported anomalous mail activity. From there the escalation path is the familiar one. A frontline analyst triages the report and hands it to a more senior analyst for investigation. Once it is confirmed as an active threat, an incident response team works out the cause, where it came from, and what was affected. If the impact crosses a certain threshold, it goes public. In this case it was, as far as we have been told, a single actor who found a weakness, exploited it, and was eventually discovered. Sounds easy enough, right? It can be, if you have the tools, the team, and the processes behind you.
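What "something amiss" looks like in this kind of incident is worth spelling out, because a forged token produces no failed login: the access looks authenticated, so the signal lives in mailbox-access patterns, not in authentication failures. The hunt below is an added example of the sort of rule a SOC or MDR analyst would run over mailbox-access audit records (it is not Microsoft's code or from the original post). The log lines are constructed, in a deliberately generic shape rather than a real Microsoft 365 audit schema, with the operation name borrowed from Exchange Online's MailItemsAccessed audit event because that is the kind of record the hunt would actually run against. It builds a baseline of which source IPs normally read each mailbox, then flags any IP outside that baseline which fans out across several mailboxes inside a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline-period records (generic shape, not a real audit schema):
# normal users reading their own mailboxes from their usual addresses.
BASELINE_LOG = """\
{"ts":"2023-06-01T08:01:00Z","op":"MailItemsAccessed","mailbox":"alice@contoso.example","src_ip":"203.0.113.10"}
{"ts":"2023-06-01T08:03:00Z","op":"MailItemsAccessed","mailbox":"bob@contoso.example","src_ip":"203.0.113.11"}
{"ts":"2023-06-01T09:10:00Z","op":"MailItemsAccessed","mailbox":"carol@contoso.example","src_ip":"203.0.113.12"}
{"ts":"2023-06-02T08:02:00Z","op":"MailItemsAccessed","mailbox":"alice@contoso.example","src_ip":"203.0.113.10"}
"""

# Constructed hunt-period records: one unknown address reads three mailboxes in
# five minutes, one user reads their own mail as usual, one user is on a new but
# otherwise unremarkable address, and the unknown address comes back hours later.
HUNT_LOG = """\
{"ts":"2023-06-15T02:14:00Z","op":"MailItemsAccessed","mailbox":"alice@contoso.example","src_ip":"198.51.100.7"}
{"ts":"2023-06-15T02:16:30Z","op":"MailItemsAccessed","mailbox":"bob@contoso.example","src_ip":"198.51.100.7"}
{"ts":"2023-06-15T02:19:05Z","op":"MailItemsAccessed","mailbox":"carol@contoso.example","src_ip":"198.51.100.7"}
{"ts":"2023-06-15T08:00:00Z","op":"MailItemsAccessed","mailbox":"alice@contoso.example","src_ip":"203.0.113.10"}
{"ts":"2023-06-15T08:05:00Z","op":"MailItemsAccessed","mailbox":"bob@contoso.example","src_ip":"192.0.2.44"}
{"ts":"2023-06-15T11:00:00Z","op":"MailItemsAccessed","mailbox":"dave@contoso.example","src_ip":"198.51.100.7"}
"""


def parse_log(text: str) -> list:
    """Parse one JSON record per line, keeping only mailbox-read events with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("op") != "MailItemsAccessed":
            continue
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def build_baseline(events: list) -> dict:
    """Per mailbox, the set of source IPs seen reading it during the baseline period."""
    seen = defaultdict(set)
    for e in events:
        seen[e["mailbox"]].add(e["src_ip"])
    return seen


def find_mailbox_fan_out(events: list, baseline: dict,
                         window: timedelta = timedelta(minutes=15), threshold: int = 3) -> dict:
    """Flag source IPs that read >= threshold distinct mailboxes within one sliding window,
    counting only accesses from an IP never seen for that mailbox in the baseline."""
    by_ip = defaultdict(list)
    for e in events:
        if e["src_ip"] not in baseline.get(e["mailbox"], set()):
            by_ip[e["src_ip"]].append(e)
    flagged = defaultdict(set)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward until it spans at most `window`
            boxes = {e["mailbox"] for e in evs[start:end + 1]}
            if len(boxes) >= threshold:
                flagged[ip] |= boxes
    return {ip: sorted(boxes) for ip, boxes in flagged.items()}


def run_hunt() -> dict:
    """Baseline on the quiet period, then hunt over the later records; returns {ip: [mailboxes]}."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return find_mailbox_fan_out(parse_log(HUNT_LOG), baseline)


if __name__ == "__main__":
    for ip, boxes in run_hunt().items():
        print(f"ALERT {ip} read {len(boxes)} mailboxes outside baseline: {', '.join(boxes)}")
```

The single new address that reads one mailbox (192.0.2.44) is not flagged, because a new home or travel address is everyday noise; the address that walks across three mailboxes in five minutes is. In a real environment the baseline comes from weeks of your own history rather than four lines, the window and threshold get tuned to your tenant, and the rule runs inside whatever SIEM your team or MDR provider operates, but the shape of the logic is the same: this is the kind of query an analyst needs the logs and the tooling to be able to ask in the first place.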
What You Should Do To Protect Your Organization
This is where we need to talk about how you can do the same thing without Microsoft's level of resources.
First, you need the right team behind you. That can be built in-house or outsourced to a Managed Detection and Response (MDR) vendor. Outsourcing is usually the better route, because building a Security Operations Center (SOC), tooling it, and staffing it around the clock is REALLY expensive. There are many levels of service and specialties available, so why not use a service where that work has already been done?
Second, even with an MDR provider, you still need your own tools; the provider can only watch the telemetry your environment produces. That can be a combination of endpoint protection, email security, identity and access management, a SIEM, vulnerability scanning, and a whole host of other solutions. This is where MicroAge shines, because the security world can be daunting. We know that not every organization has the funds for every shiny tool, so let us help you optimize and maximize the right toolset for your unique environment. MicroAge has the security resources trained to assist you in making the right decision to protect your organization.
Let's be honest. At some point, every organization will have an incident; there is no getting around it. The best thing you can do for your users and your organization is to have the tools and the team in place to catch and stop an attack when it happens.
Ensure Your Protection Today
Contact us today at (800) 544-8877 to find out more about our MDR services.
“Chris Reid has over a decade of experience working with and for Information Security service providers. He has worked with businesses of all sizes and verticals, architecting security programs for all of them. He is a dedicated strategic advisor to his clients and takes pride in knowing they are seeing value in not only the services he recommends but also the products he supports.”
Chris Reid, Cybersecurity Strategist