Newsletter

04.19.2021 | 6 min read

Microsoft should suspend (then rethink) MAPP

by Ryan Naraine

Hello friend,
Was this newsletter forwarded to you?  Sign up here!  Say hello on Twitter (DMs are open).


A note on sponsorship. 

When I launched this podcast/newsletter as a full-time project focused on defense, I really wanted to partner with a few handpicked companies to showcase cybersecurity innovation in honest, transparent and approachable ways. With my ridiculously high standards, this became a very short list and today I’m thrilled to announce a partnership with one of those companies: Eclypsium, a U.S.-based company backed by big-name investors like Madrona, Andreesen Horowitz and Intel Capital.

Eclypsium really is the only vendor providing a cloud-based device security platform capable of protecting laptops, servers and networking gear down to the firmware and hardware level. The brainchild of former Intel Corp. security engineers, Eclypsium provides security capabilities ranging from basic device health and patching at scale, to protection from stealthy threats below the operating system.  To get a better idea, here’s a sample of the company’s work:

As Microsoft’s David Weston explained on the podcast, there’s a ton of malicious activity going undetected at the firmware layer and visibility/inspectability should be major priorities for defenders. Eclypsium is regularly out front identifying real problems in firmware security and, if detecting the undetectable is your jam, I encourage you to pay very close attention.

On to the newsletter.  

Monday blues. The future of Microsoft MAPP.

Back in 2008 at the Black Hat conference, after listening to a Microsoft pitch about its new MAPP vulnerability sharing program, I recall having an intense back-and-forth debate with MSRC’s Mike Reavey about the potential for real problems, especially around pre-patch bug data leakage.

I can prove it. Here is the headline of my 2008 piece: Microsoft makes daring vulnerability sharing move. I wrote: “The move is not without major risk. As everyone knows, vulnerability data is big business and the specter of a rogue employee with access to what amounts to zero-day vulnerabilities is a scary thought. What happens if the information flowing through MAPP is being siphoned off and sold to malicious attackers?”

At the time, I didn’t even consider risks like nation-states hacking into the networks of security vendors, APT actors embedding people in cybersecurity teams, or security vendors working as contractors for .gov-type hacking activity.

Now, 13 years later, the threat landscape has changed and MAPP’s usefulness has turned into its own danger. Microsoft is already investigating whether a MAPP leak played a part in the Chinese mega-hack of Exchange Servers globally, and now there’s the troubling news that long-time MAPP partner — Positive Technologies — has been sanctioned by the U.S. government for helping Russian intelligence with offensive hacking operations.

[Ed’s note: Kim Zetter advanced the reporting on my tip regarding that Atlantic Council report on ENFER and the obvious connection to Positive Technologies]

Microsoft has already scrubbed Positive Technologies from its MAPP partner page and it’s almost certain we will see a few Chinese vendors quietly kicked out of the program soon (yup, Microsoft has done this in the past). However, I think it’s time for Redmond to have long, hard conversations about suspending the program and restructuring MAPP from scratch to address today’s realities.

This isn’t an original thought.  Over the weekend, GPZ’s Ben Hawkes called for a MAPP “overhaul” and warned that the “net balance [of the vuln-sharing program] favors attackers at the moment.”

Hawkes didn’t mince words: “If we’re going to ask security researchers to stop posting proof-of-concept exploits straight after a patch goes out because of the risk of N-day reuse, I think it’s also reasonable to ask vendors to stop leaking our bugs to attackers before the patch has even landed.”

Katie Moussouris suggests a reasonable mitigation for leaks would be reverting MAPP to the original 24-hour advance notice and hinted that Microsoft may have economic motives for creating multiple tiers of MAPP membership.  One of those tiers — MAPP Validate — is at the crux of the controversy because it offers exploit code to unknown third parties (the program is very secretive) before fixes are available to end users.

I’ve also heard some security vendors complain that MAPP is a “carrot-and-stick” tool used by Microsoft to control vuln disclosure deadlines and even pressure members into downplaying threat activity found in the Windows ecosystem.

There’s just too much blood in the water to continue operating MAPP under the current structure.  At a minimum, Microsoft should immediately suspend the top two tiers — MAPP Validate and MAPP ANS — and start rewriting the rules for participation.  The Entry-Level version can remain in place if there’s an insistence that signature-based malware scanning is still benefiting from advance pre-patch information.

There really is no place for Microsoft to be shipping (selling?) POC exploit code as part of some secretive program. Some transparency around the identity — and data already shared with top tier participants — would also be nice.

New podcast episode.

🎧 I’m currently editing a fantastic podcast conversation with Shubham Shah, a brilliant hacker who quit his job as a pen-tester to hack for cash in bug-bounty programs and quickly became known as the king of automating pre-breach reconnaissance. Shubs joined the show to talk about bug-bounty hacking life and how the automated hacking tools and techniques are being transferred to defense. Catch the show on the site later today.

Security Conversations is live on all the main platforms – Apple, Google, Spotify and Amazon — or wherever you catch your podcasts.

Things you should already have read.

Tangentially.

Have a great week and reach out with things I should be doing better.

_ryan

PS: The podcast is available on all platforms (Apple, Google, Spotify and Amazon). As the kids say, like and subscribe, like and subscribe.
