Issue #3 - Feb 1, 2024: Midnight in a perfect world

I think we all anticipated an uptick in incident disclosure frequency when the new SEC guidelines went into effect at the end of last year, but to this degree so soon has certainly made waves. Nothing in security should ever be a surprise, though.

Microsoft’s disclosure of an attack by the Russian group Midnight Blizzard is an interesting one for a couple of reasons. First, there’s been a lot of piling on regarding the vagueness of their public response, as well as for their recommended course of action being so deliberately pointed at their own premium security offerings. I won’t speak to the latter, but the former should be expected given the timelines mandated by SEC regulations.

The second point to make on this incident is something we talk about a lot at Material – email is more than an attack method; it’s also a vector and often the target. As such, detecting suspicious behaviors is as important as detecting suspicious contents in the constant effort to stay ahead of attackers. We wrote a blog post last week that highlighted a few email-centric behaviors that could indicate an account compromise – critical things to watch out for:

https://material.security/blog/how-to-use-email-behavior-as-account-compromise-signals

Back on the SEC topic, we hosted a lively AMA last week, taking in questions ranging from corporate responsibility to personal liability. The stakes are always high, but there’s an elevated sense of fear given the demands for perfection. The reality is that we should all be prepared for security incidents to be scrutinized at the same level as financial records. This means impeccable documentation of provable actions is required, but also knowing what you as an individual are on the hook for.

A takeaway of mine from the session, though, is that once you get past the initial fear, there are potential silver linings for security teams. Improved incident response procedures, more direct lines between security efforts and the business, and increased transparency are generally good things. You can watch the full session recording with a recap at:

https://material.security/blog/silver-linings-playbook-takeaways-from-our-sec-ama

Cheers,

Ivan at Material


Finds from the Web

The curious case of DangerDev@protonmail.me

This is an excellent in-depth writeup of an AWS attack vector. What makes it curious, as the title suggests, is that the attacker chose less obvious tactics to elevate privileges from a compromised IAM account, likely to evade common detections. Smart.

A Recipe for Scaling Security

Any type of “Google Security for Everyone Else” mention brings me back to the BeyondCorp papers and the early Zero Trust days. But I digress. This article dives into internal AppSec practices, which are a slight departure from the core focus of this newsletter, but I found it to be an interesting read as to how they deal with infrastructure change management at the scale and level they operate.

Midnight Blizzard: Guidance for responders on nation-state attack

It is worth reading the response from Microsoft regarding the recent attack. What’s notable in this is the explicit callout that the balance between security and the business is shifting back to a safety-first mentality. One aspect of this where I agree with the backlash is how they refer to the breached environment as legacy – what Alex Stamos calls a “dodge” in his post. Dodge, duck, dip, dive, and... dodge.


That’s it for this edition. If you made it to the end and are enjoying the read, give us a like or a share!
