Got a minute? Grab a cup of coffee and read US-CERT Alert TA18-074A. It’s not a quick read, but holy cow is it an important one. TL;DR: the Russian government has compromised our nuclear, aviation, water, and critical infrastructure systems, and they did it pretty easily using built-in tools and social engineering.
I’ve been beating a pretty steady drum on identity security, generally in sync with Microsoft’s Azure and Office 365 own recommendations, and the article serves as a terrifying wake-up call about the criticality of securing user identities. What’s more, it lays out point-by-point the specific technologies that would/could have prevented this fiasco entirely.
The first and most important one? Multi-factor authentication.
Let me repeat that: with multi-factor authentication, the Russian government would not currently have access to our nation’s critical infrastructure. (Remind me again why you haven’t enabled it in your organization?)
The second most important technology that would have prevented this is intrusion detection & prevention. We’ve been talking a lot about Microsoft’s suite of “Advanced Threat Protection” offerings across Office 365, Azure, and Windows Defender. The information-sharing and automatic detection of known attack vectors like network enumeration and traversal would have stopped this cold. Maybe a user or a system would have been compromised, but an admin would have known about it with the quickness. As I read through the specifics of the attack, almost every single action would have triggered an alarm with Windows Defender ATP or Azure ATP for Users. But without the appropriate tools to guard against modern threat vectors, they went unchecked for months.
And if you don’t know the back-story to this article, it’s actually a follow-up of a warning that was sent secretly to nuclear plant operators back in the summer of 2017 (but was leaked to the New York Times), which means the government has known that Russian operatives have been actively pursuing these avenues for over half a year. Do you remember the statistic on how long an attacker usually lives on a network before being detected or unleashing a payload? 8 months. Right on cue.
I know I’ve talked a lot about the upcoming GDPR requirements, and in fact I’ll be presenting a webinar series on controls and expectations over the next few weeks, along with presenting some of that same content at Microsoft events, but the same tools and controls that can make a tremendous improvement in your GDPR readiness can prevent this kind of attack on your organization. If you’re struggling to figure out how and why GDPR matters, or how to implement these systems for your users, please tune in and reach out to us for help. With no grace period, you can expect regulators are itching for an opportunity to make a big public example of an exploit.
Nuclear operators may have Russian-shaped targets on their backs, but by virtue of doing business and being on the internet, you and your data are financially valuable to someone with ill intent.