
August 2023

Storm Clouds Ahead


The Axio Report: Cybersecurity in Focus

The Microsoft incident sends industry shockwaves

On July 11, Microsoft reported that a Chinese threat actor tracked as “Storm-0558” had
obtained a private signing key and used it to forge authentication tokens, allowing them to
impersonate Azure Active Directory users and gain unauthorized access to Exchange Online
and Outlook.com. This culminated in persistent access to email accounts across numerous
government agencies in Western Europe and the US for weeks, most notably exposing sensitive
information in emails belonging to US State Department officials. Further research by Wiz
Research indicates that the compromised key may also have provided access to other Azure
AD-based applications, including SharePoint, Teams, and OneDrive.

The breach exposed a critical weakness in Microsoft’s ubiquitous Azure platform and drew
the wrath of Tenable’s CEO Amit Yoran, who formerly headed DHS’s National Cyber Security
Division and has a long history of key positions at cybersecurity service providers. In a LinkedIn
blog post, Yoran criticized Microsoft’s slow response to the breach (as did many in government
and industry) and remarked on their less-than-effective approach to addressing vulnerabilities
in their products in a timely manner. As a company whose business is helping organizations
identify and remediate vulnerabilities, Tenable published a timeline on its website that details
a considerably long path from discovery to remediation, one that critically extended the risk
exposure window for users of the Azure platform.

Understandably, the initial news of the breach and the subsequent trickle of concerning details
are sending shockwaves through organizational and retail consumers alike, since the pervasive
use of Microsoft platform applications dominates the market.


The need for a checklist for cloud access security considerations

While Microsoft was the target of this attack, it stands to reason that any cloud-based
application platform with a broad organizational user base is an attractive target. Since
Microsoft competitors use similar signing key architectures, the potential for extensive and
broad organizational damage in such a breach is significant, potentially resulting in scenarios
ranging from espionage-focused data exfiltration to disruption of critical operations and
infrastructure. In short, the potential outcomes of a breach of any cloud-based application and
service provider could be catastrophic, especially as reliance on the cloud is increasing and as
new digital transformations (such as the movement of operational technology and industrial
control systems to the cloud) continue.

So, what can an organization do when news breaks of a cloud-based intrusion? If properly
planned, key security controls (such as the use of a cloud access security broker—CASB for
short) should have been included as a functional requirement in an organization’s journey to the
cloud. Assuming this and other pre-move security considerations have been addressed, there
are a few other quick actions that should be high on the checklist.

On the following pages we provide 6 important considerations.

A Checklist for Cloud Security Access

Talk, check, and tune first

1. Talk to your cloud service provider


First and foremost, talk to the cloud vendor’s security experts about your unique cloud
architecture, control structure, and potential exposures. Try to put the breach (or any potential
breach) in context for the activities you perform in the cloud and the potential risks the breach
exposes you to. Ask for their input on how you can minimize exposure to your critical assets.
You may not get very far in terms of additional information, but at the very least you should
enlist your provider’s help in ensuring their product does not cause you excessive risk.

2. Check your incident management plan


Make sure your incident management plan is sufficient to address a wide-scale cloud intrusion
and the collateral damage that it could cause to your data and operations. Check that you have
sufficient business continuity and disaster recovery plans in place to sustain operations—such
as email, calendaring, and data management—in case your cloud provider is breached. Know in
advance what critical processes are at risk and how they need to be sustained if a loss of cloud
services—or worse yet, a corruption of your specific services—is realized. If you are operating
your industrial control system or operational technologies in the cloud (a controversial
approach in itself), make sure you engage your plant and engineering staff and get them on
board.

3. Tune your situational awareness capabilities accordingly


Be sure that you are actively monitoring for potential known indicators of compromise and
anomalies that may indicate conditions that diverge from normal and expected operations.
Check that you have an open line of communication with your intrusion detection/prevention,
web gateway, and EDR providers so that updated indicators of compromise and other
parameters are made available and implemented as early as possible. Work with your SIEM
and/or SOAR provider if available to take advantage of their heightened awareness and threat
hunting capabilities. Run vulnerability scans more frequently than normally scheduled to make
sure that as these tools are updated you have a time advantage in identifying and remediating
vulnerabilities.
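Item 3 above is about acting on indicators of compromise and anomalies quickly, and the first page describes an attacker using a stolen signing key to mint tokens that were accepted as genuine. The following Python script is an added illustration written for this page, not code from Axio or from any vendor: it runs two such checks over a few constructed sign-in log lines, matching source IPs and user agents against an indicator list and flagging successful sign-ins whose token was signed with a key identifier outside the set the organization expects its provider to be using. The log field names (`src_ip`, `ua`, `token_kid`, `result`), the indicator values, and the key identifiers are all assumptions made for the example; no real vendor schema or real indicator is implied.

```python
import json

# Constructed set of signing-key identifiers the organization expects its identity
# provider to be using right now (hypothetical values, not any provider's real key ids).
EXPECTED_SIGNING_KIDS = {"kid-2023-06-A", "kid-2023-07-B"}

# Constructed indicator list: a TEST-NET-3 address and a made-up user agent string.
IOC_SOURCE_IPS = {"203.0.113.45"}
IOC_USER_AGENTS = {"suspicious-client/1.0"}

# Constructed sign-in log, one JSON object per line. Field names are assumptions
# made for this example, not a real vendor's log schema.
SAMPLE_LOG = """\
{"ts":"2023-07-10T08:01:12Z","user":"alice@example.org","app":"Exchange Online","src_ip":"198.51.100.7","ua":"Outlook/16.0","token_kid":"kid-2023-07-B","result":"success"}
{"ts":"2023-07-10T08:02:40Z","user":"bob@example.org","app":"Exchange Online","src_ip":"203.0.113.45","ua":"Outlook/16.0","token_kid":"kid-2023-07-B","result":"success"}
not valid json, simulating a corrupted line that the parser must skip
{"ts":"2023-07-10T08:03:05Z","user":"carol@example.org","app":"Outlook.com","src_ip":"198.51.100.9","ua":"suspicious-client/1.0","token_kid":"kid-2019-01-Z","result":"success"}
{"ts":"2023-07-10T08:04:59Z","user":"dave@example.org","app":"SharePoint","src_ip":"198.51.100.12","ua":"Edge/115","token_kid":"kid-2019-01-Z","result":"failure"}
"""


def parse_log(text):
    """Parse one JSON object per line; blank and malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_findings(records, expected_kids=EXPECTED_SIGNING_KIDS,
                  ioc_ips=IOC_SOURCE_IPS, ioc_uas=IOC_USER_AGENTS):
    """Return a list of (user, reasons) for records matching an indicator or anomaly.

    A rejected sign-in with an unexpected key id is not flagged as a token anomaly:
    the point of that check is to catch tokens that were *accepted* despite being
    signed by a key the organization does not expect to be in use.
    """
    findings = []
    for r in records:
        reasons = []
        if r.get("src_ip") in ioc_ips:
            reasons.append("source IP on indicator list")
        if r.get("ua") in ioc_uas:
            reasons.append("user agent on indicator list")
        if r.get("result") == "success" and r.get("token_kid") not in expected_kids:
            reasons.append("accepted token signed with unexpected key id %s" % r.get("token_kid"))
        if reasons:
            findings.append((r.get("user"), reasons))
    return findings


def summarize(findings):
    """Count how often each reason fired, so a reviewer sees the shape of the problem at a glance."""
    counts = {}
    for _, reasons in findings:
        for reason in reasons:
            key = reason.split(" with unexpected key id")[0]  # fold key ids into one bucket
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    results = find_findings(parse_log(SAMPLE_LOG))
    for user, reasons in results:
        print(user, "->", "; ".join(reasons))
    print(summarize(results))
```

Running the script prints two findings: bob’s sign-in matches the indicator IP, and carol’s sign-in matches both the indicator user agent and the unexpected-key check. Dave’s record carries the same unexpected key id but was rejected, so it is reported only if you choose to treat failed attempts as interesting as well. In practice the expected key set would be refreshed from the provider’s published key metadata and the indicator lists from your EDR, gateway, and threat-intelligence feeds, which is exactly the open line of communication item 3 asks you to keep.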


Plan, communicate, and re-evaluate next

4. Plan for this scenario.


As more infrastructure and operations move to cloud platforms, these types of breaches are not
only more certain to occur, but become a vector-of-choice for bad actors that want to do the
most damage with the least investment. As we learned with the SolarWinds breach, co-opting a
seemingly regular process is an effective way for an attacker to get an organization to do its
dirty work. In addition to shoring up your incident management plan, be sure to include a
cloud-breach scenario in your threat profile and cyber risk quantification (CRQ). CRQ can help you
understand in advance the potential economic loss scenarios that could result from disruption
or disabling of operations and infrastructure that operate in the cloud. Understanding loss
scenarios provides a baseline financial computation from which investments in
countermeasures—before a breach occurs—can be evaluated and justified. You may find that
every dollar spent proactively has a potential multiplying effect in cost avoidance if a cloud
breach should occur.

5. Communicate, communicate, communicate.


Everyone in the organization should be aware of things that “don’t look right” in the use of
everyday routine applications. The user community must be enlisted to know what to look for
and how to let the security professionals know even the minutest of issues. Be sure to
communicate with operational technology personnel as well, even if there isn’t considerable
(known) use of the cloud. You may find that many OT assets are actually quite dependent on
cloud services for proper configuration, maintenance, and operation, and could also be at risk
even if not deployed directly in the cloud.

6. Re-evaluate your cloud usage.


Moving to the cloud is not always the best solution. While there are certainly operational (and
sometimes economic) advantages, many organizational processes are ill-suited in an
environment where there is less control over key cybersecurity requirements. Certainly,
enterprise productivity platforms such as email are likely going to be cloud-based, as are many
applications that support ERP and HR functions, and in-house deployment of these capabilities
may not make functional or economic sense. However, the deployment of critical operations
assets—such as a SCADA system—should be thoroughly evaluated from a cybersecurity risk
perspective to confirm that the functional or economic advantages are warranted against
potential loss scenarios. The advantages of cloud computing—virtualization, scalability, and
recoverability, to name a few—may be achievable in a private cloud, hyper-virtualized
environment that is under the organization’s direct control.

Next Steps

Take action today

In the end, an intrusion in a cloud platform on which your organization has built substantial
operational capabilities is a potential game-changer no matter what. But, you can make
investments today that will at least help you better navigate such an event and possibly help you
avoid significant damage.

Contacts

David White, President, Axio Global: dwhite@axio.com

Richard Caralli, Senior Cybersecurity Advisor, Axio Global: rcaralli@axio.com
