How Microsoft uses wargames to fight attackers

Microsoft’s Office 365 security division is using military-style exercises with two teams of IT security experts battling each other for control over its internal environment.

Office 365 security’s principal security manager John Walton, speaking at the AISA conference in Sydney today, gave an insight into how Microsoft uses the red team - blue team method to protect and test its IT infrastructure.

The approach comes from military ancestors and is traditionally used in government, but in recent years has been making its way into the private sector. 

What is essentially war-gaming an organisations’ security infrastructure, red team - blue team exercises see the red team attacking a part of the environment, with the blue team tasked with detecting and defending it.

Walton said the recent move away from hacktivism-style attacks toward sophisticated insider attacks meant organisations needed to take an “assume breach” mentality over “prevent breach”, as an attack is inevitable.

“Breaches are going to be a part of life going forward, for my business as well as others,” Walton said.

“I needed to rethink how I manage an incident. We were spending most of our money of preventing a breach and .. I realised I needed to think about how to do incident response. It’s a mindset shift.”

“The goal behind assume breach is to identify gaps in attack and penetration, respond, and recover from data leakage or tampering.”

Walton and his staff began live and onsite penetration testing in order to gain a better understanding of how to deal with breaches, and improve the mean time to detection and recovery.

They started off employing a tabletop exercise, bringing together staff members across all aspects of the business to firedrill potential scenarios for attacks.

The next step was to deploy a red and blue team to attack and defend the infrastructure.

The red team’s goal is to try to get to “the secrets”, Walton said, and measure what his team has called the “mean time to pwnage" - the average time it takes 

If the team is not caught by the blue team within a certain timeframe, they will intentionally trigger a response.

"They’ll continually go through this kill-chain process of finding an attack entry vector, exploiting that, planting backdoors, gathering as many passwords as possible, going past the hash attacks to move around within the organisation. They will also try to leverage data.”

Microsoft does not use customer data in such activities. It exfiltrates its own internal data as well as fake data. 

Walton said the red team exercises had demonstrable business benefits, with the team able to go to management and explain how they had broken in, how long they had been in for, and that they now had all the company’s customers data - putting it in real-world business rhetoric.

The blue team serves the opposite purpose to the red team. Acting as defence and response, their goal is to reduce the mean time to detection and recovery.

The blue team aren’t told if what they detect comes from a real-world attacker or the red team. Until they can attribute an attack as from the red team it is treated a real incident, which Walton says allows them to build up muscles and produce actual intelligence.

The team also does big data analysis, which Walton put at a figure of hundreds of terabytes of data every day, and 10 petabytes mined on a regular basis.

“The goal here is to slow down the attackers,” he said. “We’re assuming breach, so we’re not trying to prevent it. It’s about speeding down the attackers, and speeding up the response.”

At the end of each exercise, both teams hand over a list of what they have attacked or found. Walton’s first priority then is to fix any gaps identified between what was attacked and what was discovered.

He then checks how long detection and containment of the breach took, how long it took to fix, and the time period in which the entry vector was identified. 

“If your measurement of time to recovery is in years or months, you’ve failed,” he said. “You’ve taken too long.

“Ideally you want meant time to recovery to be automated - hours, days at most. Attackers will notice when you are trying to do incident response and they’ll either turn and burn or try to come back later, or they’ll further entrench themselves in the environment and place backdoors everywhere.”

“As you go through this process there’s a few investments you’ll realise you want - rapid patch deployment, central monitoring, just-in-time access, rolling secrets (passwords and certificates), dynamic isolation, an audit state and auto recovery.”

But the approach is not without risk.

“You want to make sure the people you’ve hired are actually trustworthy, because they’re going to be exploiting your systems,” he said.

“We do background checks, we have some procedures in place to audit individuals, all their activities are recorded - not just for their safety but also for the safety of the business.”