CISA and review board torches Microsoft internal response and how bad the 2023 compromise actually was. It was way worse than what was communicated from Microsoft - way, way, way worse, and avoidable. This is a good read and something folks really need to equate in their own threat models and risks in cloud - especially one as high profile as Microsoft/Azure. Extremely alarming imo. Key highlights below are scary AF. Also, bang-up job on this report from @CISAgov - grade A disclosure, documentation and analysis. Also, this isn't me bashing the amazing folks that work at Microsoft. Some of the most brilliant folks out there. What is clear is that there needs to be some serious and concerted effort on monitoring and massive momentum on additional security controls (esp. keys to the kingdom?!) to protect their cloud infrastructure, controls that other cloud providers already have and that Microsoft is seriously lagging behind in.

Excerpt below:

"Given Microsoft's inability to determine how and when the adversary was able to steal its signing key, all CSPs should review and revise as appropriate their logging and overall forensics capabilities around their identity systems and other systems that enable environment-level compromise, such as root key material.

1. the cascade of Microsoft's avoidable errors that allowed this intrusion to succeed;
2. Microsoft's failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed;
3. the Board's assessment of security practices at other cloud service providers, which maintained security controls that Microsoft did not;
4. Microsoft's failure to detect a compromise of an employee's laptop from a recently acquired company prior to allowing it to connect to Microsoft's corporate network in 2021;
5. Microsoft's decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board's repeated questioning about Microsoft's plans to issue a correction."

cisa.gov/sites/default/…