Microsoft-blasting CSRB report offers roadmap for better cloud security

On March 30, the US Cyber Safety Review Board (CSRB) released its review of the July 2023 Microsoft Exchange Online intrusion by the Chinese state group Storm-0558, blasting Microsoft for its shoddy security practices and saying the incident “was preventable and should never have occurred.”

The threat actor had compromised the Microsoft Exchange Online mailboxes of 22 organizations, including the US federal government, and over 500 individuals worldwide using authentication tokens signed by a key Microsoft had created in 2016.

It was the latest in a long line of damaging hacks by Storm-0558 spanning nearly two decades. The group’s history includes a 2009 campaign called Operation Aurora that targeted over two dozen companies, including Google, and a 2011 incident in which the threat actor stole SecurID seeds generated by the RSA public key cryptosystem.

The 28-page report, the third investigation issued by the independent forum since its founding in 2022, found a “cascade” of Microsoft errors, including failure to detect the compromise of its “cryptographic crown jewels” on its own, subpar security practices in comparison to other cloud service providers (CSPs), issuing inaccurate statements about the incident, and failing to correct them promptly.

Recommendations offer cloud security roadmap

However, the board’s starkly worded findings about Microsoft have overshadowed the more hopeful part of its report, which is a series of recommendations on how to improve the security of cloud systems.

Aside from the four Microsoft-specific recommendations, the CSRB issued 21 recommendations on CSP cybersecurity practices, audit logging, digital identity standards, CSP transparency, victim notification processes, and security standards and compliance frameworks.

Collectively, these recommendations offer a roadmap for, if not averting similar cloud disasters in the future, then at least positioning CSPs and their customers to deal with these kinds of incidents from a better posture. Although each recommendation is substantive and valuable, experts single out some of the more significant ones that CSPs should consider in the wake of the investigation.

Security industry response largely positive

Industry reaction to the report indicates that the CSRB is headed in the right direction, even if the report’s recommendations will take time to digest. “It’s a lot to consume,” James Campbell, CEO and Co-Founder of Cado Security, tells CSO. From Campbell’s perspective, one prominent takeaway “is gaining as much visibility as you can” when it comes to cloud environments.

A Microsoft spokesperson tells CSO the company is still reviewing the final report’s recommendations but says, “We appreciate the work of the CSRB to investigate the impact of well-resourced nation-state threat actors who operate continuously and without meaningful deterrence.”

“We thought the report was great,” Phil Venables, Google vice president and CISO of Google Cloud, tells CSO. “We welcomed the report. I think the CSRB did a good job on this.” Venables thinks that most of the report’s broader recommendations stem from Microsoft’s failures, which “were things that most of the other cloud providers already had controls to mitigate.”

“When you look at the broader recommendations, especially some of the more detailed recommendations, even though the report directs them at the entire industry, they’re clearly giving the remarks in other parts of the report directed at Microsoft,” Venables says.

The report does praise Google, AWS, and Oracle for adopting “a security architecture best suited to [their] technological infrastructure and customer use cases,” in contrast to Microsoft’s “corporate culture that deprioritized both enterprise security investments and rigorous risk management.”

Emphasizing standards and security by design

The CSRB’s recommendations highlight the importance of standards in providing the security necessary to counter modern threat actors. It advocates that CSPs adopt digital identity security standards such as Open Authorization (OAuth) 2 Demonstrating Proof-of-Possession (DPoP), among other suggestions. The board also recommends updating the FedRAMP program, which the federal government adopted to promote secure cloud services across all departments and agencies.
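To make the DPoP recommendation concrete, here is an added example written for this article; it is not code from the CSRB report, Microsoft, Google or any other CSP. It is a minimal Go implementation of the OAuth 2.0 DPoP mechanism (RFC 9449): the client signs a per-request proof JWT with its own key, and the resource server accepts the access token only when the proof is signed by the key the token was bound to at issuance (the cnf.jkt thumbprint), names this exact method, URL and token, is fresh, and has not been presented before. A token copied or forged without that private key is refused, which is the property the board is asking CSPs to adopt. The URL, token string and jti values are constructed, the replay cache is an in-memory map, and P-256/ES256 is the only algorithm handled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func b64(b []byte) string          { return base64.RawURLEncoding.EncodeToString(b) }
func pad32(n *big.Int) []byte      { return n.FillBytes(make([]byte, 32)) }
var seenJTI = map[string]bool{}    // resource server's replay cache (in memory here; a shared store in production)
const freshness = 60 * time.Second // tolerated distance between the proof's iat and the server clock

// jwkOf renders the public half of the client's proof key as a JWK for the proof header (P-256 only here).
func jwkOf(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256", "x": b64(pad32(pub.X)), "y": b64(pad32(pub.Y))}
}

// thumbprint follows RFC 7638 (SHA-256 over the required members in lexicographic order, no whitespace); the authorization server stores it in the token's cnf.jkt claim.
func thumbprint(jwk map[string]string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, jwk["crv"], jwk["kty"], jwk["x"], jwk["y"])))
	return b64(sum[:])
}

// MakeProof builds the per-request DPoP proof JWT (ES256) that the client sends in the DPoP header.
func MakeProof(priv *ecdsa.PrivateKey, method, url, accessToken, jti string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwkOf(&priv.PublicKey)})
	ath := sha256.Sum256([]byte(accessToken)) // ties this proof to one specific access token
	claims, _ := json.Marshal(map[string]any{"jti": jti, "htm": method, "htu": url, "iat": now.Unix(), "ath": b64(ath[:])})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(append(pad32(r), pad32(s)...)), nil // JWS ES256 signature is raw r||s
}

// VerifyProof (resource server side) accepts the request only if the proof is signed by the key the token was bound to, names this exact method, URL and token, is fresh, and is not a replay.
func VerifyProof(proof, method, url, accessToken, expectedJKT string, now time.Time) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed proof")
	}
	hb, _ := base64.RawURLEncoding.DecodeString(parts[0])
	cb, _ := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return fmt.Errorf("bad signature encoding")
	}
	var header struct{ Typ, Alg string; JWK map[string]string }
	if json.Unmarshal(hb, &header) != nil || header.Typ != "dpop+jwt" || header.Alg != "ES256" {
		return fmt.Errorf("unexpected proof type or algorithm")
	}
	xb, _ := base64.RawURLEncoding.DecodeString(header.JWK["x"])
	yb, _ := base64.RawURLEncoding.DecodeString(header.JWK["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("proof signature invalid")
	}
	if thumbprint(header.JWK) != expectedJKT { // the proof key must be the key the token was issued to
		return fmt.Errorf("proof key does not match the token's cnf.jkt")
	}
	var claims struct{ Jti, Htm, Htu, Ath string; Iat int64 }
	ath := sha256.Sum256([]byte(accessToken))
	if json.Unmarshal(cb, &claims) != nil || claims.Htm != method || claims.Htu != url || claims.Ath != b64(ath[:]) {
		return fmt.Errorf("proof is not bound to this request and token")
	}
	if age := now.Sub(time.Unix(claims.Iat, 0)); age > freshness || age < -freshness || seenJTI[claims.Jti] {
		return fmt.Errorf("proof stale or replayed")
	}
	seenJTI[claims.Jti] = true
	return nil
}

// Demo runs the cases a defender cares about: a legitimate request, a replay of the same proof, and the same token presented with a proof from a key it was never bound to. Values are constructed.
func Demo() (legitOK, replayRejected, otherKeyRejected bool) {
	clientKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const method, url, token = "GET", "https://mail.example.test/v1/messages", "constructed-opaque-access-token"
	jkt := thumbprint(jwkOf(&clientKey.PublicKey)) // the value the authorization server placed in cnf.jkt
	now := time.Now()
	proof, _ := MakeProof(clientKey, method, url, token, "jti-1", now)
	legitOK = VerifyProof(proof, method, url, token, jkt, now) == nil
	replayRejected = VerifyProof(proof, method, url, token, jkt, now) != nil
	other, _ := MakeProof(otherKey, method, url, token, "jti-2", now)
	otherKeyRejected = VerifyProof(other, method, url, token, jkt, now) != nil
	return
}

func main() { fmt.Println(Demo()) }
```

The three checks that do the work are the thumbprint comparison (the proof key must be the one bound into the token), the htm/htu/ath binding (a proof captured for one request cannot be reused for another), and the jti replay cache with an iat window (a captured proof cannot be resubmitted). In a real deployment the replay cache must be shared across resource-server instances and the authorization server must set cnf.jkt at issuance; the token itself is left opaque here because its format is the issuer's concern, not the proof's.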

“Generally speaking, we welcome more standards and prescriptions in technical security matters,” Venables says. “I think that’s because we implement many of those and spend a lot of time on secure by design and secure by default, and anything that improves the entire industry benefits us as well.” He adds, “I liked the recommendation in the CSRB report about more standards around identity and credential handling because that’s something that I think could be useful for customers.”

Royal Hansen, Google’s vice president of privacy, safety, and security engineering, tells CSO that incorporating standards at the outset is critical to security and aligns with Google’s emphasis on secure by design. “If you’re buying security aftermarket, I think you’ve already conceded at some level. And you’ve got to have partners who are secure by design, not relying on aftermarket band-aids to manage your risk.”

Audit logging is vital to CSP security

Following the Chinese hack of Microsoft Exchange, Microsoft faced intense criticism for not offering meaningful audit logging necessary for detecting compromises and conducting forensics at a pricing level that was within reach of many customers. The company subsequently expanded its cloud-logging accessibility for customers at no cost.


Noting that audit logging should be available for all types of critical business data stored by CSPs, the CSRB recommended that “CSPs, as part of a CISA-led task force, should define and adopt a minimum standard for default audit logging in cloud services,” with a minimum default of six months.

Cado Security’s Campbell says that “making sure I have all the right logging turned on across all my third-party service providers and feeding that into a central location” is the first step toward attaining greater visibility over the cloud environment. But, he adds, there are questions about just how much logging should be free.

“This is probably a bit of a problem with the industry, where people don’t understand that there’s a shared responsibility model with cloud service providers when it comes to security,” Campbell says. “Many people don’t tend to fully understand what is the cloud service provider’s responsibility and what is yours, whether that be logging, security, et cetera. In a lot of cases, default logging tends to be quite minimal. It’s up to you as the user of those systems or the cloud service providers to go in and enable them all.”

Venables also highlights the importance of logging but likewise raises issues of cost. “Now, the thing that you’ve got to be careful about with this question [of logging costs] is the fees that companies charge to have the logs enabled,” he says. “We spent a lot of time ensuring that all the right security logs are available to customers without buying a premium service. However, if, say, a customer wanted to keep those logs forever, then obviously, we charge for that storage.”

Cloud providers must improve transparency, communication

The CSRB came down hard on Microsoft for allowing an erroneous blog post to remain uncorrected for many months, clouding transparency around the incident. The board also found fault in the fact that US government employees whose accounts had been compromised in the incident experienced delays in receiving notifications.

Consequently, the report recommended that cloud service providers improve transparency by notifying government agencies and enhancing victim notification processes. It even suggested establishing mobile device “Amber alerts.”

“At the end of the day, CSPs should notify their stakeholders and customers as issues are identified,” Campbell says. “If you have an appropriate response mechanism in place, and a big part of that is around communication, whether that be directly to customers or a government entity, you are going to be in a better position if you’re on the front foot of those responses and providing information.”

Venables says Google already has “very close threat and intelligence sharing practices with various government agencies domestically and in some cases internationally. We’re giving them information that helps them defend themselves as well as bring to light events and the activities of threat actors around the environment. So, we do a lot of that.”

However, questions surround the practicality of establishing a mobile alert system for notifying victims of compromise. Hansen points out that Google was at the forefront of notifying customers of nation-state attempts to hack email inboxes in 2009 but that the environment within which a customer operates should determine how such alerts are delivered.

“We’ve worked that out over many years, and that’s just a standard part of the Gmail offering,” he says. But “in the Play Store, we notify people when there’s malware or a malicious or untrusted app. The key is that each product has a slightly different customer interaction.”

Campbell thinks CSPs should exercise caution when notifying customers of breaches via a mobile alert. “It’s a good idea if it goes to the right people, but if it goes to everyone, it can cause more harm than good,” he says. “I think certainly, when it comes to something that can help limit the impact of a current incident or a potential compromise, then yes, absolutely you need to communicate. But it needs to be to the right people or groups of people.”
