How to Protect Hybrid Environments
Connecting Microsoft 365 to an on-premises Active Directory can allow attackers who have compromised the on-premises environment to move laterally into the cloud if best practices are ignored. Agencies should use Azure AD Connect to synchronize accounts and password hashes to the cloud, or use pass-through authentication.
Active Directory Federation Services provides few advantages for connecting Windows Server Active Directory to Azure AD, and also introduces risks that can make Azure AD vulnerable.
Objects synchronized to Azure AD should never hold cloud privileges beyond “standard user.” This ensures that compromised on-premises accounts can’t be used for malicious purposes in Microsoft 365. Agencies should check that objects synchronized from on-premises AD don’t inherit elevated cloud privileges from Azure AD roles or groups.
Azure AD administrator accounts should always be created in the cloud and protected using multifactor authentication. Azure AD Conditional Access policy can be used to further secure privileged cloud accounts, which should only be accessed from Azure-managed workstations.
CISA Tools Can Help Agencies Enhance Cloud Security
CISA recently released a PowerShell-based tool to help detect compromised Microsoft Azure accounts and applications through unusual and potentially malicious activity.
The GitHub-based tool, called Sparrow, is designed for incident responders, and is tailored to detect the recent authentication-based attacks highlighted during the SolarWinds hack.
With Sparrow, IT staff can narrow down user and application activity that could suggest authentication-based attacks. Sparrow checks Azure's unified audit log for signs of compromise, lists Azure AD domains, and checks service principals and Microsoft Graph API permissions. GitHub hosts other free tools available to agencies as well.
Regardless of the tools used, agencies should monitor the creation and use of service principal credentials, trust relationships added to Azure AD, and the assignment of credentials to applications that allow noninteractive sign-in.
Interactive sign-in data should be collected from Azure and analyzed using a security information and event management solution such as Splunk or Microsoft Sentinel. A SIEM also helps agencies retain log data for historical analysis.
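The monitoring described in the two paragraphs above, as an added example that is not part of the article, CISA's guidance or the Sparrow tool: detection logic that reads constructed unified audit log records (newline-delimited JSON, the same shape a SIEM ingests) and flags service principal credential creation, federation trust changes and application credential assignment. The operation strings in WATCHED_OPERATIONS and all sample values are assumptions to confirm against a real tenant export.

```python
import json
from collections import defaultdict

# Constructed sample of newline-delimited unified audit log records (field names
# follow the real export; every value is a placeholder made up for this example).
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2021-01-04T03:12:09","Operation":"Add service principal credentials.","UserId":"svc-admin@example.gov","ObjectId":"app-placeholder-1"}
{"CreationTime":"2021-01-04T03:15:44","Operation":"Set federation settings on domain.","UserId":"svc-admin@example.gov","ObjectId":"example.gov"}
{"CreationTime":"2021-01-04T08:01:00","Operation":"UserLoggedIn","UserId":"alice@example.gov","ObjectId":"Unknown"}
{"CreationTime":"2021-01-04T09:30:12","Operation":"Update application – Certificates and secrets management ","UserId":"svc-admin@example.gov","ObjectId":"app-placeholder-2"}
this line is not JSON and must be skipped, not abort the run
"""

# Operations mapped to the three things the guidance says to watch. The exact
# strings are assumed to match the tenant's export; verify them before relying
# on this mapping in production.
WATCHED_OPERATIONS = {
    "add service principal credentials": "service-principal-credential-added",
    "set federation settings on domain": "federation-trust-changed",
    "update application - certificates and secrets management": "app-credential-assigned",
}

def normalize_operation(op: str) -> str:
    """Trim whitespace and trailing period, unify dash variants, lower-case."""
    return op.strip().rstrip(".").replace("\u2013", "-").replace("\u2014", "-").lower()

def parse_records(raw: str) -> list:
    """Parse NDJSON audit records, skipping blank or malformed lines."""
    records = []
    for line in raw.splitlines():
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial export lines are common; skip them, don't abort
    return records

def flag_records(records: list) -> list:
    """Return (time, actor, category, target) for every watched operation."""
    findings = []
    for rec in records:
        category = WATCHED_OPERATIONS.get(normalize_operation(rec.get("Operation", "")))
        if category:
            findings.append((rec["CreationTime"], rec["UserId"], category, rec.get("ObjectId")))
    return findings

def by_actor(findings: list) -> dict:
    """Group flagged categories per actor; one actor touching federation and credentials stands out."""
    grouped = defaultdict(list)
    for _, actor, category, _ in findings:
        grouped[actor].append(category)
    return dict(grouped)
```

Feeding the real export in place of SAMPLE_AUDIT_LOG gives a per-actor view of exactly the changes the article says to monitor; the ordinary UserLoggedIn record is deliberately left unflagged.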
Why Enforcing Strong Authentication Is Key
The initial focus of these recent attacks was gaining access via compromised code in SolarWinds Orion. But CISA says it has also observed cases where hackers gained initial access using simple, password-based attacks, including password guessing and password spraying.
There have also been cases of initial access using poorly secured administrator or service credentials. Once initial access was gained, hackers were able to use other techniques to elevate privileges and bypass identity controls and multifactor authentication.
Agencies should make sure that protections are in place for securing cloud and on-premises accounts. Multifactor authentication, security keys, Conditional Access and Azure Identity Protection can all be used to reduce the risk of account compromise.
In addition, managing users’ devices with mobile device management improves security by reducing dependency on Windows Server AD.