{"id":266,"date":"2016-05-17T10:19:37","date_gmt":"2016-05-17T09:19:37","guid":{"rendered":"https:\/\/www.microsoft.com\/en-gb\/industry\/blog\/industry\/2016\/05\/17\/red-vs-blue\/"},"modified":"2016-05-17T10:19:37","modified_gmt":"2016-05-17T09:19:37","slug":"red-vs-blue","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-gb\/industry\/blog\/financial-services\/2016\/05\/17\/red-vs-blue\/","title":{"rendered":"Red vs. Blue"},"content":{"rendered":"
On any given day, in a city not far from Seattle, there’s a guy trying to gain access to Microsoft’s cloud. But he’s not just ‘a guy’ and he’s not just trying. He is a highly skilled hacker leading an elite team of specialists who are persistent in their attempts to find a way in.

They do not give up.

Want to jump into this hacker’s thought process? Here it is: “We’re going to try to bypass any protections that might be in place,” he says. “Anything to help us get at that goal.”

That goal is getting past Microsoft’s prevention systems. There are a lot of them. So our hacker is using every trick in the book as the cyber attack gains pace. Some of the tactics he mentions include credential theft, spear phishing against service operators, insider attacks, cross-site scripting and other client-side attacks. You don’t need to be an engineer to know that this doesn’t sound promising for those of us with valuable private data stored in the cloud.

And of course part of any criminal activity is the challenge of not getting caught. “All the while we’re trying to stay forensically clean and remain undiscovered in the environment by covering our tracks,” he explains.

These are direct quotes. He is removing his fingerprints at the same time that he’s stealing.

How do you catch someone like that?

Here’s how: you have a team of people who can actually find a needle in a haystack. This particular towering haystack is the mass of data moving around every day. The needle is our hacker making one tiny slip-up and leaving evidence of his activity.

The lead security responder – the person chasing the hacker – describes his job like this: “What we do is intrusion detection, so we are taking data from hundreds of thousands of machines in our datacentre, pushing that data onto the cloud, and looking at that data, at those log events, for anomalous behaviour.”

It’s about response: Speed. Agility. Accuracy. The security responder leads a team that may get a call in the middle of the night saying an alert has been triggered, saying an issue has been escalated to them. Saying it’s time to get to work. It doesn’t make any difference if it’s 3pm or 3am.

So here is where we stand: the hacker and his team are trying to breach Microsoft’s cloud infrastructure; the security responder and his team are trying to stop them.

Oh, and they’re all employed by Microsoft.

Hackers have names and faces. So let’s name ours. He is Travis Rhodes, Senior Security Lead for Office 365. He is the head of the Red Team. The in-house baddies. “You can think of us as an internal team of hackers focused on protecting Office 365,” he says. “We think and act like the adversaries that might attack our service or our customers. We analyse and probe the service for vulnerabilities, track the latest emerging threats and trends, to better simulate attack scenarios for Office 365.”

But here’s the twist. This is not a war game – this is not a situation where all players know ahead of time what is going to happen, where someone says ‘go’ at the start and ‘stop’ at the end. Because a war game is a fire drill. This is as close to a real fire as you can get without actually burning down the house (no customer data is touched – more on that later). And Travis’ Red Team has a large amount of creative freedom to attack Microsoft’s cloud, and no one, that is no one, in the security response team knows whether the attack is the work of Travis and his crew or a real-world assault.

It’s the data protection equivalent of hiring a UFC fighter to attack you at random, unexpected times. Keeps you on your toes. And your heart in your mouth.

Because the Red Team doesn’t give up. Just like a real attacker.

So let’s say they get inside. Let’s say Travis and the Red Team manage to compromise the cloud. This is where all their research and preparation starts to pay off, as they use the latest known attack techniques along with their own creative methods and custom-built tools. And mirroring a genuine attack, they change tactics as they go. It is a dynamic situation.

What next? Start small, then go big. They acquire insider privileges and then use those to penetrate the infrastructure even deeper. Like someone stealing your library card but somehow managing to create a path all the way to your bank account. The whole time they do whatever they can to retain continuous access, to keep that foothold, while always trying to stay undetected.

And this is no leisurely stroll around hacker-land. The Red Team are racing against the clock. They are measured first on how long it takes to compromise an asset, and second on the time it takes to achieve full compromise. Those are two ominous-sounding words. Full compromise.

Most organisations are not equipped to deal with a breach at this level. It can take several forms, and in our scenario could be the point at which the Red Team has acquired domain administrator privileges. It’s game over. Or game won. Depending on whose side you’re on.

There are rules of engagement, however. Let’s not forget that. The Red Team do not target customer data, nor do they ever interrupt the availability of the service or compromise in-place security. They are focused solely on attacking Microsoft infrastructure, platforms and applications – not end customers’ applications or data.

Fighting back: Meet the Blue Team

“Everything that happens in our datacentre comes under my team’s microscope.”

This is Matt Swann, Senior Test Engineer at Office 365. We met him earlier; he was our ‘lead security responder’. Matt is the head of the Blue Team, and they are in the business of classification. It’s through classification that it’s possible to categorise everything that looks like a piece of hay, and everything that might, possibly, potentially, be a needle. And then go find it. (Microsoft in fact operates dedicated full-time Red/Blue Teams for both Office 365 and Azure.)

Working with his Blue Team, Matt seeks to define what good activity looks like and what bad activity looks like. Then they examine what falls in between. That’s where the job gets more complicated, and it’s where the Blue Team really earn their stripes.

“I use machine learning to build a statistical model of what my accounts, what my servers do,” says Matt. From there, he and his Blue Team start to delve more deeply: “I investigate the long tail, things which are anomalous, things that haven’t happened before and don’t seem to be happening anywhere else.”

It’s the sheer size of Microsoft’s operation that works to the Blue Team’s advantage here. Why? Because when you have a lot of data represented clearly, it’s actually easier to spot overall patterns. And in those patterns the Blue Team can look for any strange activity. “I have all of these servers globally in Office 365 and they’re all uploading security events like process starts [and] application events [as well as] engineer activity like logons and network activity all to a big data system in the cloud we call Cosmos,” says Matt.

So this is where, like detectives, the Blue Team can sift through the evidence. Checking those logons (i.e. someone trying to access a system or application) and any other activity while they continually ask the question: does this indicate that there has been a compromise and, if so, at what level? From there they can engage the most suitable engineers to work on the issue and assess the size of the breach. They then work on a plan to defend, evict and recover.

But we’re getting ahead of ourselves. It’s time to rewind, with Travis and his Red Team on the run in mid-attack. “When the Blue Team detects us, that’s when the cat and mouse game really starts,” Travis says. “We try to stealthily access data while the Blue Team works to defend and kick us out of the service. The exercise is treated as a real incident until the Blue Team figures out it is us.”

This means it’s only during the post-mortem between the two groups that the Blue Team can accurately assess how successful they have been in challenging the Red Team’s attack. And with each go-round, the Blue Team further refines their approach and methods to protect Microsoft’s cloud infrastructure and keep customer data safe.

The best defence is assuming the worst

Red Teaming itself is based on a change in philosophy when it comes to protecting customer data – a change which surpasses current industry requirements and one which the company has been using for several years now. The strategy didn’t evolve from a breach of the Microsoft cloud but from this crucial observation: many of the organisations being breached were unaware they had been compromised.

They didn’t know someone had got in. Often for several months.

Chang Kawaguchi, Group Engineering Manager for Office 365 Security, explains it this way. “We recognise that no computer system is perfectly secure,” he says. “So we invest heavily in an Assume Breach approach.”

Assume Breach. Is this admitting defeat? It’s the opposite: it’s an acknowledgement that from time to time persistent adversaries are able to breach the cloud. This is a fact. We have all read stories about such incidents over the last few years, whether carried out by nation states or lone teenagers.

Assume Breach is a unique and proactive response to this reality.

It’s saying: let’s assume the worst and act accordingly. Because even if you never get invaded, it’s nice to know the army is training for every possible scenario.

And when you place limited trust in everything – applications, services, identities, networks – you are never on the back foot. Think of it this way: when you view with suspicion any activity going on internally and externally, you are more likely to be able to respond faster and more effectively.

The fight continues

Cyber security is an ongoing battle. And the response must be relentless. Red teaming is only one part of Microsoft’s multi-faceted approach to cyber security, but in seeking to mirror real-world attacks it is at the frontline of the fight. It helps protect the Microsoft platform and keep your data and business safe, day and night. It’s not a replacement for prevention-based security, but simply represents an additional, complementary level of protection.

If you’re thinking of putting in an application to join the Red Team – well, good luck. Aside from the necessary expertise, each member goes through extra validation, background screening and of course training before they can get close to being involved in any attack scenarios.

So while you’re at work or at home and maybe wondering what’s going on up there in the cloud – spare a thought for the Blue Team, fighting invisible foes from around the world.

As well as other foes, just down the hallway.

Find out more, and download the Cyber Security Demystified eBook.

SOURCES

Microsoft whitepaper: Microsoft Enterprise Cloud Red Teaming
From Inside The Cloud: What does Microsoft do to prepare for emerging security threats to Office 365?
From Inside The Cloud: Intrusion Detection in Action: How do we monitor and safeguard your data in Office 365?
Verizon: 2014 Data Breach Investigations Report
Garage Series Under the Hood: Continually Safeguarding your Data in the Office 365 Service
Red vs. Blue: Internal security penetration testing of Microsoft Azure
Cloud security controls series: Penetration Testing, Red Teaming, & Forensics