Senior executives of Texas-based software company SolarWinds, Microsoft, and the cybersecurity firms FireEye Inc and CrowdStrike Holdings Inc defended their conduct in the breaches blamed on Russian hackers and sought to shift responsibility elsewhere in testimony before a US Senate committee on Tuesday.
All four were affected by one of the worst hacks discovered so far. Products from SolarWinds and Microsoft were used to attack others, and the campaign has struck nearly 100 American companies and nine federal agencies.
Lawmakers opened the hearing by criticizing Amazon, whose servers they said were used to launch the attack, for refusing to send representatives to testify despite being invited.
“I think they have an obligation to cooperate with this investigation, and I hope they do so voluntarily,” Republican Senator Susan Collins said. “If they don’t, I think we should look at the next steps.”
The executives argued for more transparency and sharing of information about breaches, combined with liability protections and a system that does not punish those who come forward, similar to the way air disaster investigations are run.
Microsoft President Brad Smith and the others told the US Senate Intelligence Committee that the true extent of the recent intrusions remains unknown because most victims are not legally required to disclose an attack unless it exposes sensitive information about individuals.
Also testifying were FireEye CEO Kevin Mandia, whose company was the first to discover the hackers; SolarWinds CEO Sudhakar Ramakrishna, whose company’s software was hijacked by the spies to break into a host of other organizations; and CrowdStrike CEO George Kurtz, whose company is helping SolarWinds recover from the breach.
“It’s imperative for a nation to encourage and sometimes require better sharing of information about cyber attacks,” Smith said.
Smith said that many of the techniques the hackers used have not yet come to light, and that “the attacker may have used up to a dozen different means to gain access to victims’ networks over the past year.”
Microsoft revealed last week that the hackers were able to read the company’s heavily guarded source code to learn how its software authenticates users. In many victim networks, the hackers then abused those authentication mechanisms to reach new areas within their targets.
Smith stressed that this lateral movement was not due to flaws in Microsoft’s software but to poor configuration and weak controls on the customer side, including cases where “the keys for the safe and car were left in the open.”
In CrowdStrike’s case, the hackers went through a third-party reseller of Microsoft software that had access to CrowdStrike’s systems and tried, unsuccessfully, to read the company’s email.
CrowdStrike’s Kurtz blamed Microsoft for its intricate architecture, which he described as “outdated.”
“The threat actor took advantage of systemic vulnerabilities in the Windows authentication architecture, allowing it to move laterally within the network and access the cloud environment while bypassing multi-factor authentication,” Kurtz’s prepared statement said.
When Smith appealed to the government for help providing remediation guidance to cloud users, Kurtz said Microsoft should look at its own house and fix the problems with its widely used Active Directory and Azure.
“In the event that Microsoft addresses authentication architecture limitations around Active Directory and Azure Active Directory, or switches to a completely different methodology, then the major threat vector would be completely phased out from one of the world’s most used authentication platforms,” said Kurtz.
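Kurtz’s statement names the outcome (a foothold in the Windows authentication layer turned into cloud access without a second factor) but not the mechanism. Whatever the exact path, the federated-identity design Kurtz and Smith are arguing over gives a defender one concrete check: every token the cloud accepts on behalf of an on-premises identity provider should have a matching issuance record on that provider, with the same subject, a sane lifetime and the same MFA outcome. The script below is an added example by this editor, not code from the hearing, Microsoft or CrowdStrike; it correlates constructed issuance and cloud sign-in records and flags sign-ins the on-premises side cannot account for. The record fields, the one-hour lifetime policy and all sample data are assumptions made for the demonstration.

```python
"""Correlate on-premises federation (IdP) issuance logs with cloud sign-in logs.

Illustrative example added by the editor; not code from the hearing, Microsoft
or CrowdStrike. Assumptions: the IdP logs every assertion it issues (assertion
id, subject, issue and expiry time, whether MFA was performed), and the cloud
side logs each federated sign-in with the assertion id it accepted and the MFA
claim it honoured. Field names and the sample records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed local policy for how long a federation assertion may be valid;
# forged tokens are often minted with unusually long lifetimes.
MAX_ASSERTION_LIFETIME = timedelta(hours=1)


@dataclass(frozen=True)
class IdpIssuance:
    assertion_id: str
    subject: str
    issued_at: datetime
    expires_at: datetime
    mfa_performed: bool


@dataclass(frozen=True)
class CloudSignIn:
    assertion_id: str
    subject: str
    seen_at: datetime
    mfa_claimed: bool
    source_ip: str


def find_suspicious(idp_events, cloud_events):
    """Return (reason, sign-in) pairs for cloud sign-ins the IdP logs do not justify."""
    issued = {e.assertion_id: e for e in idp_events}
    findings = []
    for s in cloud_events:
        iss = issued.get(s.assertion_id)
        if iss is None:
            # The cloud accepted a token the on-premises IdP never minted.
            findings.append(("assertion never issued by IdP", s))
            continue
        if iss.subject != s.subject:
            findings.append(("subject mismatch between IdP and cloud", s))
        if s.mfa_claimed and not iss.mfa_performed:
            # The second factor was asserted to the cloud but never happened on-prem.
            findings.append(("MFA claimed at cloud but not performed at IdP", s))
        if iss.expires_at - iss.issued_at > MAX_ASSERTION_LIFETIME:
            findings.append(("assertion lifetime exceeds policy", s))
        if not (iss.issued_at <= s.seen_at <= iss.expires_at):
            findings.append(("assertion used outside its validity window", s))
    return findings


# Constructed sample data (not real logs).
T0 = datetime(2021, 2, 23, 9, 0)
SAMPLE_IDP = [
    IdpIssuance("a-100", "alice@example.com", T0, T0 + timedelta(minutes=10), True),
    IdpIssuance("a-101", "bob@example.com", T0 + timedelta(minutes=5),
                T0 + timedelta(minutes=15), False),
    IdpIssuance("a-102", "carol@example.com", T0, T0 + timedelta(hours=24), True),
]
SAMPLE_CLOUD = [
    CloudSignIn("a-100", "alice@example.com", T0 + timedelta(minutes=1), True, "203.0.113.5"),
    CloudSignIn("a-101", "bob@example.com", T0 + timedelta(minutes=6), True, "203.0.113.6"),
    CloudSignIn("a-102", "carol@example.com", T0 + timedelta(hours=6), True, "203.0.113.7"),
    CloudSignIn("a-999", "admin@example.com", T0 + timedelta(minutes=20), True, "198.51.100.7"),
]


def demo():
    """Run the correlation over the sample data and return the finding reasons."""
    return [reason for reason, _ in find_suspicious(SAMPLE_IDP, SAMPLE_CLOUD)]


if __name__ == "__main__":
    for reason, signin in find_suspicious(SAMPLE_IDP, SAMPLE_CLOUD):
        print(f"{signin.seen_at:%H:%M} {signin.subject:22} {signin.source_ip:14} {reason}")
```

Alice’s sign-in is consistent on both sides and produces nothing; Bob’s token claims MFA the IdP never performed, Carol’s token was issued with a day-long lifetime, and the “admin” sign-in references an assertion with no issuance record at all. The last case is the one a compromised signing key produces, and it is invisible to the cloud side alone, which is why this check needs both logs.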
Alex Stamos, a former head of security at Facebook and Yahoo who now consults for SolarWinds, agreed with Microsoft that customers who split their resources between their own premises and Microsoft’s cloud are especially vulnerable, because skilled hackers can move back and forth between the two, and said such customers should move fully into the cloud.
But he added in an interview, “It is very difficult to run (the cloud software) Azure AD securely, and the complexity of the product creates many opportunities for attackers to escalate privileges or hide access.”