Active Directory, Incident Response, Breach and attack simulation

Semperis HIP conference Day One: Microsoft mea culpa, a call for cybersecurity coalitions

Logo of the Semperis Hybrid Identity Protection Conference 2024.

NEW ORLEANS — Semperis kicked off its 2024 Hybrid Identity Protection (HIP) conference Wednesday with a demonstration of martial-arts styles by Alex Weinert, VP director of Identity Security at Microsoft. His point, a fluid stance offers a better defense against cyber threats than a fixed and rigid one.

Joined on stage by Semperis' Principal Technologist North America, Sean Deuby, the two conjured lessons of ancient Chinese military philosopher Sun Tzu in a keynote titled "The Oak and the Willow". Agility and flexibility, Weinert said, is especially important in today's threat landscape where the average enterprise has 1,500 installed applications, creating a massive attack surface.

(Note: Video above is Chris Inglis, former National Cyber Director, former Deputy Director of the National Security Agency interviewed by SC Media's Paul Wagenseil at the Semperis 2024 Hybrid Identity Protection (HIP) conference.)

"People have a really hard time keeping up with a security posture," Weinert said. He added that employee security training can only go so far and for that reason defenses such as phishing-resistant authentication should be regarded as absolutely necessary.

"We see smart, well-trained people falling for extremely simple attacks," Weinert said. Employees, as well intentioned and trained as they may be "are not going to fix this for us", he said. Unfortunately, he admitted, organizations are stuck in a pattern of constantly playing catch-up with new threats. Defenders frequently have trouble convincing company executives of the merits of proactive measures, he said.

"We're in the unenviable position of trying to get our organizations to fund a bunch of work to fix problems they didn't know they had last year," Weinert lamented. In this context, he added, even ransomware can be viewed as a "friend", only because "we understand the impact" versus the host of unknown, emerging and looming threats.

Ransomware, resilience and identity reckoning: Day Two at Semperis' HIP conference

He also highlighted Microsoft's ongoing Secure Future Initiative, undertaken in the wake of the devastating Russian Midnight Blizzard and Chinese Storm-0558 attacks of the past two years — both of which Weinert blamed on Microsoft's own technical debt.

Every employee at Microsoft now has a security commitment, Weinert said. He added that while the report on the attacks from the Department of Homeland Security's Cyber Safety Review Board was scathing, Redmond learned its' lesson.

"This is really a major shift in how we do things," he said, but a necessary one because the attacks on Microsoft were consistent and endless. "Do we have incidents, or do we have a siege?" Weinert asked. "We have a siege."

No Winners in Hospital Network War Game

Following Weinert's keynote, we got to watch a two-hour tabletop exercise in which conference attendees war-gamed a ransomware attack on a fictional New Orleans hospital system.

Divided into a red team and a blue team of about eight participants each, the exercise went through the seven steps of the NIST Incident Response Framework, meeting up after each round to counter each other's moves.

The red team first checked out LinkedIn to establish working relationships among the hospital staff, then scoured the dark web for compromised passwords and social media for personal information.

They then social-engineered the IT help desk, posing as an employee with admin rights who just had a baby and asked to have his MFA disabled — even playing crying-baby sounds in the background of the call.

The blue team countered these attacks by beginning with a heavily segmented network with endpoint detection and response (EDR) distributed throughout, then implemented a password reset.

The red team laughed and asked, "What about the imaging systems?" Hospitals apparently don't like any external software installed on MRI and CAT-scan machines. The blue team admitted that was a weak spot.

The red team asserted that it had already exfiltrated hundreds of Epic electronic health records, whose small text-based file size didn't trigger the hospital's data-loss prevention systems.

Deploying ransomware didn't work as well, as the hospital's network defenses shut that down. No matter — the red team then revoked all the hospital's TSL/SSL certificates (locking down all encrypted accounts), canceled the hospital's Office 365 licenses, and notified the proper authorities of the breach to put the hospital ownership under pressure.

"That's just diabolical," said the blue team.

But they had a trick of their own: They shut down the entire hospital network, stopping the attack dead in its tracks.

A Semperis expert, serving as referee, told us that a total network shutdown is often the better option. You can be back up in a few days and won't have to spend the next six months dealing with the fallout from total hacker ownership of the network.

So who won? The hospital didn't have to pay a ransom. But the attackers could comb the medical records they did steal and try to blackmail prominent patients or threaten to commit fraud in patients' names.

"Everybody lost," one of the participants told us.

Coalition of the Willing

The day ended with a keynote from Chris Inglis, former National Cyber Director, former Deputy Director of the National Security Agency, and a member of Semperis' strategic advisory board.

Citing the way that the Ukrainian leadership rallied a coalition of other democratic nations to its side following the 2022 Russian invasion, Inglis stressed that cybersecurity defenders also need to form coalitions to better withstand attacks together.

"Who here remembers Edward Snowden?" he asked the audience, naming the former CIA and NSA contractor who leaked huge amounts of secret surveillance information in 2013.

"Edward Snowden was a breach," Inglis said. "Fortunately, we had a coalition in place to combat that breach."

The intelligence agencies of the U.S., the U.K. and several other allied nations had prepared for such an incident, he said. Otherwise, Inglis added, he as a top official in the NSA might have ended up having to sell used cars for a living in the wake of the Snowden breach.

But there's still a tremendous disconnect in the public sector, he added. Inglis cited a new Semperis study that estimates nearly three-quarters of ransomware attacks occur during evenings and weekends, just when attackers know that security teams will be understaffed.

"That's not surprising," Inglis said. "What was surprising is that most companies don't respond to that challenge," failing to beef up their SOC teams despite the knowledge that attacks are more likely in off hours.

Inglis finished by addressing the results of the U.S. presidential election, stating that cybersecurity regulation will probably be reduced in the upcoming Trump administration.

"That puts more of a burden on us in the private sector," he said. “Government will need the advice of private industry to get cyber safety right.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds