Recently, the Nobelium threat group tried to breach Microsoft accounts across 36 countries. About half of them were in the US and the UK.
The attacks concentrated primarily on IT firms and government agencies, but financial services, think tanks, and non-governmental organizations were targeted as well.
How Zero Trust security protected Microsoft from a cyberattack
As per the brief published on June 28 by Microsoft’s threat intelligence team, the threat actors used spear phishing for the attack. Although the attacks were largely unsuccessful, the threat actors did compromise three organizations.
Unlike generic phishing, spear phishing uses personal information to lure its targets. Microsoft’s investigation reveals that the attack used data stolen from its own systems.
Readers should note that the hackers couldn’t penetrate Microsoft’s security any further, even after gaining initial access. Nobelium, also known as Cozy Bear and APT29, is listed as an advanced persistent threat. The SolarWinds attacks that breached many organizations across the world were attributed to this group. Recently, experts revealed that the group had infected and persisted within the network of Denmark’s central bank for six months. And yet it couldn’t breach Microsoft.
As per Microsoft, this success resulted directly from its zero trust architecture. Microsoft uses the zero trust model to protect assets from unauthorized activity, and it was this model that limited the damage caused by the intrusion.
As per the published information, Microsoft observed Nobelium using brute-force attacks and password spraying to compromise Microsoft accounts.
Further investigation revealed information-stealing malware on a computer. It appears that Nobelium succeeded in compromising the machine of a Microsoft customer service agent, and the information stolen from this computer was then used in the attack.
Upon discovering the malware, the agent’s machine was secured and the malicious access was terminated. Microsoft stresses that the agent had limited access to customer data. In addition, the machine was configured with the least set of permissions, as per the zero trust model. In essence, zero trust security ensured that the threat actors couldn’t penetrate any further.
What is zero trust? And why do you need to know about it?
Zero trust security
On May 14, President Biden released an executive order asking federal agencies to adopt zero trust security. The effort would include:
- Enabling multi-factor authentication
- Encryption for data at rest and data in transit
- Strict guidelines for using cloud services
What is Zero trust security?
In essence, zero trust has three elements: providing context-based access, knowing who the user is, and having visibility over the applications in use.
These three elements could help your IT team to understand the threats that could hurt your organization. This includes threats to users, data, network, equipment, and your business. Moreover, it would help you to provide consistent security to assets across the globe.
For zero trust security to work, you need to:
- Constrain access to verified accounts, devices, and applications.
- Monitor the data-in-transit.
- Monitor active apps and browser extensions.
Having such measures in place would mitigate the risk associated with account compromise. They would help you guard against activity by malicious apps and devices. Moreover, the system would help you identify attempts at data exfiltration and malware downloads.
Unfortunately, most security systems limit themselves to perimeter security. True, user authentication and verification of data-in-transit are important. However, robust security demands that you watch internal activity as well. Activities such as lateral movement and privilege escalation should be monitored closely.
Along with this, your zero trust policy should cover user verification across Active Directory. This is unlike current protocols that rely on IP address authentication. Under zero trust, you need to authenticate users for every attempt to connect to your network.
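The access checks listed above and the per-request authentication point, as an added example that is not from the original article: a small Python policy evaluator that decides every request on user identity, MFA, device state, approved app and least-privilege scope, next to a legacy perimeter check that trusts the source IP. All user, device and app inventories here are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Request:  # one access attempt, with the context a zero trust policy needs
    user: str
    mfa_passed: bool
    device_id: str
    source_ip: str
    app: str
    resource: str
    action: str

# Constructed inventories (assumptions for this example, not real data).
VERIFIED_USERS = {"agent01": {"scope": {"customer-records:read"}}}
MANAGED_DEVICES = {"dev-1234": {"compliant": True}}
APPROVED_APPS = {"support-console"}
CORP_IP_PREFIX = "10.0.0."

def perimeter_decision(req):
    """Legacy check: anything arriving from the corporate range is trusted."""
    return req.source_ip.startswith(CORP_IP_PREFIX)

def zero_trust_decision(req):
    """Evaluate every request on identity, device, app and least-privilege scope.
    Returns (allowed, reasons); the source IP is not a trust signal."""
    reasons = []
    user = VERIFIED_USERS.get(req.user)
    if user is None:
        reasons.append("unknown user")
    if not req.mfa_passed:
        reasons.append("mfa not satisfied")
    device = MANAGED_DEVICES.get(req.device_id)
    if device is None or not device["compliant"]:
        reasons.append("device not managed or not compliant")
    if req.app not in APPROVED_APPS:
        reasons.append("app not approved")
    needed = f"{req.resource}:{req.action}"
    if user is not None and needed not in user["scope"]:
        reasons.append(f"scope {needed} not granted")
    return (not reasons, reasons)

def evaluate_samples():
    """Compare both checks on a legitimate request and on one that reuses the
    agent's stolen identity from the same corporate IP but an unmanaged device."""
    legit = Request("agent01", True, "dev-1234", "10.0.0.7",
                    "support-console", "customer-records", "read")
    stolen = Request("agent01", False, "dev-9999", "10.0.0.7",
                     "support-console", "customer-records", "export")
    return {name: (perimeter_decision(r), zero_trust_decision(r))
            for name, r in (("legit", legit), ("stolen", stolen))}
```

The perimeter check accepts both requests because they share a corporate source IP; the zero trust check admits only the first and records why the second was refused.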
In essence, zero trust network security is about protecting your network, users, apps, devices and data from unauthenticated and unapproved access or manipulation.
A brilliant example of zero trust security was observed in March 2021. Back then, threat actors managed to compromise more than 150,000 cameras managed by Verkada. The incident was considered particularly severe because Verkada’s security practices allowed the hackers to gain root access as well.
The cybersecurity incident affected many businesses, including Tesla, Nissan, Equinox and several others. Among them, Cloudflare could confirm almost immediately that none of its data was compromised in the incident. This was because of its zero trust security: by putting a zero trust architecture in place, Cloudflare was able to prevent an infected system or vendor from compromising the entire organization.