CISA anticipates ‘highly positive’ announcement on logging availability after latest Outlook breaches
The Cybersecurity and Infrastructure Security Agency expects to make an announcement with Microsoft soon about making critical logs available outside the company's premium pricing tier, following a suspected China-linked cyber campaign that targeted unclassified Microsoft cloud-based email accounts belonging to federal agencies and other organizations.
The development comes as a senior CISA official told reporters that federal cyber-defenders were able to discover the incident last month because the first agency involved — reportedly the State Department — had access to world-class logging capabilities.
CISA and the FBI today confirmed in a joint advisory that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data. The advisory states that a civilian federal agency detected suspicious activity in its Microsoft 365 environment last month.
CNN and other media reported that the first agency involved was the State Department. CNN also reports that the Department of Commerce was affected, and that the attackers targeted email accounts in the House of Representatives as well.
Microsoft attributes the activity in its own notice to a "China-based actor" it tracks as "Storm-0558." After Microsoft launched an investigation on June 16, it found that the group had gained access to the email of about 25 organizations, including government agencies.
The company says its investigation showed the threat group gained that access by using forged authentication tokens to read user email, minting them with an acquired Microsoft account (MSA) consumer signing key.
Microsoft also notes that it has “completed mitigation of this attack for all customers.”
CISA and the FBI note in their advisory that the attack was discovered because the agency in question, which they did not confirm was State, had enabled enhanced logging, specifically of "MailItemsAccessed" events, and compared those logs against a baseline of normal Outlook activity.
"CISA and FBI are not aware of other audit logs or events that would have detected this activity," the advisory said. "Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity."
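The detection the advisory describes is a comparison of MailItemsAccessed records against a per-mailbox baseline. The following is an added example, not code from the article or from CISA, that shows what that comparison looks like in practice: it builds a baseline (which applications and client IPs each user normally reads mail from, and how many items per operation) from one set of unified-audit-log records, then flags recent records that introduce a new AppId, a new client IP, or a jump in volume. All records, users, IP addresses and the 1111…-style AppId are constructed placeholders; only the field names (Operation, UserId, ClientIPAddress, AppId, MailAccessType, OperationCount, OperationProperties) follow the real Exchange Online mailbox-audit schema. It also surfaces the IsThrottled property, because Exchange stops writing MailItemsAccessed records for a mailbox once more than 1,000 are generated in 24 hours, so a throttled record means the count is a lower bound.

```python
"""Baseline-vs-recent anomaly check over MailItemsAccessed audit records (added example)."""
import json
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records, not real telemetry. Users, IPs (RFC 5737 ranges)
# and the 1111...-style AppId are placeholders. The first AppId is the
# well-known Exchange Online application id.
EXO_APPID = "00000002-0000-0ff1-ce00-000000000000"
UNKNOWN_APPID = "11111111-2222-3333-4444-555555555555"

BASELINE_LINES = [
    '{"CreationTime":"2023-06-01T08:02:11","Operation":"MailItemsAccessed","UserId":"alice@example.gov","ClientIPAddress":"203.0.113.10","AppId":"' + EXO_APPID + '","MailAccessType":"Bind","OperationCount":5}',
    '{"CreationTime":"2023-06-02T09:15:40","Operation":"MailItemsAccessed","UserId":"alice@example.gov","ClientIPAddress":"203.0.113.11","AppId":"' + EXO_APPID + '","MailAccessType":"Bind","OperationCount":12}',
    '{"CreationTime":"2023-06-03T17:44:02","Operation":"MailItemsAccessed","UserId":"bob@example.gov","ClientIPAddress":"203.0.113.20","AppId":"' + EXO_APPID + '","MailAccessType":"Bind","OperationCount":7}',
    '{"CreationTime":"2023-06-03T17:45:10","Operation":"FolderBind","UserId":"bob@example.gov","ClientIPAddress":"203.0.113.20"}',
]

RECENT_LINES = [
    '{"CreationTime":"2023-06-15T08:10:00","Operation":"MailItemsAccessed","UserId":"alice@example.gov","ClientIPAddress":"203.0.113.10","AppId":"' + EXO_APPID + '","MailAccessType":"Bind","OperationCount":8}',
    '{"CreationTime":"2023-06-15T03:27:19","Operation":"MailItemsAccessed","UserId":"alice@example.gov","ClientIPAddress":"198.51.100.7","AppId":"' + UNKNOWN_APPID + '","MailAccessType":"Bind","OperationCount":40}',
    '{"CreationTime":"2023-06-15T11:00:00","Operation":"MailItemsAccessed","UserId":"bob@example.gov","ClientIPAddress":"203.0.113.20","AppId":"' + EXO_APPID + '","MailAccessType":"Bind","OperationCount":7,"OperationProperties":[{"Name":"IsThrottled","Value":"True"}]}',
    '{"CreationTime":"2023-06-15T12:30:00","Operation":"MailItemsAccessed","UserId":"carol@example.gov","ClientIPAddress":"203.0.113.30","AppId":"' + EXO_APPID + '","MailAccessType":"Sync","OperationCount":1}',
]


@dataclass
class Baseline:
    """What 'normal' mail access looks like for one mailbox."""
    app_ids: set = field(default_factory=set)
    client_ips: set = field(default_factory=set)
    max_ops: int = 0  # largest OperationCount seen in the baseline window


def parse_records(lines):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def is_throttled(record):
    """True if Exchange flagged this record as throttled (count is a lower bound)."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == "IsThrottled" and str(prop.get("Value")).lower() == "true":
            return True
    return False


def build_baseline(records):
    """Aggregate MailItemsAccessed records into a per-user Baseline."""
    baseline = defaultdict(Baseline)
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue  # other mailbox operations do not describe item reads
        b = baseline[rec["UserId"]]
        b.app_ids.add(rec.get("AppId"))
        b.client_ips.add(rec.get("ClientIPAddress"))
        b.max_ops = max(b.max_ops, int(rec.get("OperationCount", 0)))
    return baseline


def detect_anomalies(baseline, records, volume_factor=3):
    """Return one finding per recent MailItemsAccessed record that deviates from baseline."""
    findings = []
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        user = rec["UserId"]
        reasons = []
        b = baseline.get(user)
        if b is None:
            reasons.append("no baseline for this user")
        else:
            if rec.get("AppId") not in b.app_ids:
                reasons.append(f"AppId {rec.get('AppId')} not in baseline")
            if rec.get("ClientIPAddress") not in b.client_ips:
                reasons.append(f"ClientIPAddress {rec.get('ClientIPAddress')} not in baseline")
            ops = int(rec.get("OperationCount", 0))
            if b.max_ops and ops > volume_factor * b.max_ops:
                reasons.append(f"OperationCount {ops} exceeds {volume_factor}x baseline max ({b.max_ops})")
        if is_throttled(rec):
            reasons.append("IsThrottled=True (record count capped; treat as lower bound)")
        if reasons:
            findings.append({"UserId": user, "CreationTime": rec.get("CreationTime"),
                             "MailAccessType": rec.get("MailAccessType"), "Reasons": reasons})
    return findings


def run():
    """Build the baseline from the constructed history and score the recent records."""
    baseline = build_baseline(parse_records(BASELINE_LINES))
    return detect_anomalies(baseline, parse_records(RECENT_LINES))


if __name__ == "__main__":
    for f in run():
        print(f["UserId"], f["CreationTime"], f["MailAccessType"], "; ".join(f["Reasons"]))
```

In a real deployment the baseline window would be weeks of records exported with Search-UnifiedAuditLog or the Office 365 Management Activity API rather than four inline lines, and the "normal" set for a user would usually be keyed on AppId plus ClientAppId and an IP prefix rather than exact addresses. The structure of the check is unchanged: without MailItemsAccessed in the tenant's license tier there is nothing to baseline, which is the point the advisory makes.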
During a briefing with reporters today, a senior CISA official highlighted the importance of having access to this logging data.
"It is worth noting that the availability of this logging was a dependency for identifying this specific intrusion, and it prioritizes CISA and the FBI's collaboration with Microsoft and other technology partners to ensure the availability of the required logging information to all customers in all sectors," the official said.
CISA and FBI officials noted that the incident was nowhere near as severe as the 2020 SolarWinds campaign, largely because the first agency was able to access the logging data and quickly identify what appeared to be an intrusion.
Officials said no classified systems or data were affected.
“This is a notable improvement over previous intrusion campaigns, both in terms of the federal government’s ability to quickly identify intrusions and our ability to work effectively across agencies and with the private sector in response,” the CISA official noted.
The official also confirmed that critical logs are only accessible under Microsoft’s “premium logging tier,” meaning organizations that have not paid for the service would not be able to identify the malicious activity themselves.
However, the official said CISA expects to announce soon the outcome of talks with Microsoft on providing critical log types at no additional cost.
"We have been working extensively with Microsoft for months to identify the specific log types that are most valuable to cybersecurity defenders and that should be made available at no additional cost," the CISA official said. "Microsoft has been very responsive and cooperative in these discussions. And we expect very positive announcements soon about the availability of additional log types in non-premium license tiers that will be available to all organizations."
The question of whether major cloud service providers and other tech companies should make enhanced logging available for free dates back to the aftermath of the SolarWinds campaign, when some lawmakers criticized Microsoft for charging additional fees for logging.
The company later made this logging available to federal agencies free of charge for a year.
Improving access to cyber event logs is a central element of the May 2021 cybersecurity executive order, which focuses on strengthening the government's ability to investigate and remediate incidents.
The White House Office of Management and Budget, in its memo M-21-31 implementing that order, requires agencies to keep audit logs, including Microsoft 365 audit logs, in active storage for quick retrieval for a minimum of 12 months and in cold storage for an additional 18 months.
Meanwhile, earlier this year, CISA and several partner agencies released "secure-by-design" and "secure-by-default" principles.
While the secure-by-design principles focus on secure software development practices, the secure-by-default principles specifically challenge technology companies to ship products with security best practices enabled as standard, such as multi-factor authentication for privileged users and security logging at no additional cost.
"Without delving into the security characteristics of specific victims, it is important to note that the vast majority of organizations using Microsoft 365 or other widely used technology platforms do not pay for premium logging or other telemetry services, and we believe this model is not in the direction of the security outcomes we're striving for," the senior CISA official told reporters today.
Copyright © 2023 Federal News Network. All rights reserved.