All I could do was facepalm after somebody pointed me to an article about how Microsoft unleashed a
death star on hackers …
“Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach” GeekWire Article
Let’s talk about failure.
Start with Sympathy
Look, its a bad situation.
Lots of IT and Security folks are working really hard right now. That includes people at SolarWinds, Microsoft, your favorite security vendor and companies we depend on every day.
None of what I’m about to say is personal or trying to make anything harder for anyone. Its all hard.
But look, it’s a really bad situation.
Let’s say that 450 of the Fortune 500 and dozens of Federal systems were breached. I can think of any number of serious things that any adversary would want that access for.
- Money - There is always information flowing about deals, insider trading, etc.
- Ransomware - If I had all these accounts and no scruples, I would throw some crumbs to organized crime for favors
- Espionage - Obviously the information itself could be of tremendous intelligence value
- War - If you wanted to shut down a country’s economy, getting access to all these systems would be step 1
- Attention - Distraction from some other thing that’s going on … like an election?
- Chaos - Some mixture of the above
Notice that none of this is as small as stealing tens or hundreds of millions of dollars or some intellectual property.
At this scale, the potential damage is hard to overstate.
The Security Reality
No seriously, it’s even worse than all of this. From the scant publicly available information, we can infer that hackers were in major networks for 7 months without being really detected.
Did these networks have XDR? Yes. Yes, they did.
Did these networks have next gen firewalls? Yes. Yes, they did.
Did these networks have AI and intrusion detection? Yes. Yes, they did.
Did all of these organizations review their supply chain for security with vendor compliance processes? Yes, they did.
Did these organizations have, among them, the very best the security industry has to offer? Yes. Again, I’m going to say they did. After all, we’re seeing key Federal systems and ~450 of the Fortune 500 impacted.
This is nothing short of a The Emperor’s New Clothes moment for cybersecurity. What were all these tools for? Is it maybe possible that they were oversold?
The Supposed Death Star Response
OK, I mean it’s cool that Microsoft helped sinkhole the DNS (with GoDaddy and others). We’ve seen cases where an individual malware researcher found the C&C domain and disabled it. That doesn’t feel like a major blow.
What about the Windows Defender updates that could find and then automatically disable this malware? Well, sure, but isn’t that their job? That’s the basic idea of Defender—to release updates. It’s actually 7 months too late.
The bottom line is that this piece about Microsoft getting medieval on some hackers is bullshit.
Most of the US cybersecurity system has been owned and it is a time for humility and a reckoning. I’m asking myself if this article was paid PR to try to sugar coat the message that guess what folks - an entire industry just suffered an epic failure and basically can’t be trusted.
So … what should people do?
Well, I would stop buying SecurityThings™ and start quantifying and isolating risk. This will take people, knowledge, processes and time.
If you assume that everything you have has been compromised, and there is no one thing you can do to secure it, what do you do next?
Start with the information you really need to safeguard or update.
Move on to systems you would need to be able to recreate or bring back online in a new way.
Some things aren’t worth defending. At least not when it is as hard as it is in the real world. I think that line just moved a lot for a lot of companies. Recalibrate.
Hang in there and keep at it. Just think fresh and for yourself. The impact we can make as security practitioners is both evident and in question.