Prevent and detect more identity-based attacks with Azure Active Directory

Security incidents often start with just one compromised account. Once an attacker gets their foot in the door, they can escalate privileges or gather intelligence that helps them reach their goals. This is why we say that identity is the new security perimeter. To reduce the risk of a data breach, it’s important to make it harder for attackers to steal identities while arming yourself with tools that make it easier to detect accounts that do get compromised.

Over the years the Microsoft Security Operations Center (SOC) has learned a lot about how identity-based attacks work and how to reduce them. We’ve leveraged these insights to refine our processes, and we’ve worked with the Azure AD product group to improve Microsoft identity solutions for our customers. At the RSA Conference 2020, we provided an inside look into how the Microsoft SOC helps protect Microsoft from identity compromise. Today, we are sharing best practices that you can implement in your own organization to help decrease the number of successful identity-based attacks.

Increase the cost of compromising an identity

One reason identity-based attacks work is that passwords are hard for busy people but an easy target for attackers. People struggle to memorize unique and complex passwords for hundreds of work and personal applications. Instead, they reuse passwords across different applications or pick something that is easy to remember—sports teams, for example: Seahawks2020!

Bad actors exploit this reality with techniques like phishing campaigns that trick users into handing over credentials. They also try to guess passwords or buy them on the dark web. In a password spray attack, attackers test commonly used passwords against many accounts—all they need is one to work.

To make it harder for bad actors to acquire and use stolen credentials, implement the following technical controls:

Ban common passwords: Start by banning the most common passwords. Azure Active Directory (Azure AD) can automatically prevent users from creating popular passwords, such as password1234! You can also customize the banned password list with words specific to your region or company.

Enforce multi-factor authentication (MFA): MFA requires that people sign in using two or more forms of authentication, such as a password and the Microsoft Authenticator app. This makes it much harder for an attacker with a stolen password to gain access. In fact, this one control can block over 99.9 percent of account compromise attacks.

Block legacy authentication: Authentication protocols like POP, SMTP, IMAP, and MAPI can’t enforce MFA, which makes them an ideal target for bad actors. According to an analysis of Azure AD, over 99 percent of password spray attacks use legacy authentication. Blocking these apps eliminates a common access point for attackers. If teams are currently using apps with legacy authentication, this takes careful planning and a phased process, but tools in Azure AD can help you limit your risk as you migrate to apps with more modern authentication protocols.
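As an added example (not code from the original post), the following Python flags the password spray pattern described above in constructed sign-in records, and notes when the failing attempts arrived over a legacy protocol. The field labels, the clientAppUsed strings and the 50126 bad-password error code are modelled on Azure AD sign-in log exports and should be treated as assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Labels modelled on Azure AD sign-in log exports; the exact clientAppUsed
# strings and the 50126 (bad password) error code are assumptions here.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                  "Exchange ActiveSync", "MAPI Over HTTP", "Other clients"}
BAD_PASSWORD = 50126
WINDOW = timedelta(hours=1)
MIN_DISTINCT_USERS = 5   # tuning threshold chosen for this constructed sample

def parse(line: str) -> dict:
    """Parse one constructed 'timestamp,user,ip,clientApp,errorCode' record."""
    ts, user, ip, app, code = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "app": app, "code": int(code)}

def detect_spray(lines):
    """Flag source IPs whose bad-password failures span many distinct accounts
    inside a sliding window; record whether any attempt used legacy auth."""
    failures = defaultdict(list)                     # ip -> [(ts, user, app)]
    for rec in map(parse, lines):
        if rec["code"] == BAD_PASSWORD:
            failures[rec["ip"]].append((rec["ts"], rec["user"], rec["app"]))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while ts - events[start][0] > WINDOW:    # slide the window forward
                start += 1
            window = events[start:end + 1]
            users = {u for _, u, _ in window}
            if len(users) >= MIN_DISTINCT_USERS and \
                    len(users) > alerts.get(ip, {}).get("users", 0):
                alerts[ip] = {"users": len(users),
                              "legacy": any(a in LEGACY_CLIENTS for _, _, a in window)}
    return alerts

# Constructed sample: 203.0.113.7 sprays five mailboxes over IMAP in 16 minutes;
# 198.51.100.9 is one user who mistypes a password once, then signs in.
SAMPLE = [
    "2020-03-02T08:00:00,alice@contoso.example,203.0.113.7,IMAP4,50126",
    "2020-03-02T08:04:00,bob@contoso.example,203.0.113.7,IMAP4,50126",
    "2020-03-02T08:08:00,carol@contoso.example,203.0.113.7,IMAP4,50126",
    "2020-03-02T08:12:00,dave@contoso.example,203.0.113.7,IMAP4,50126",
    "2020-03-02T08:16:00,erin@contoso.example,203.0.113.7,IMAP4,50126",
    "2020-03-02T09:00:00,grace@contoso.example,198.51.100.9,Browser,50126",
    "2020-03-02T09:02:00,grace@contoso.example,198.51.100.9,Browser,0",
]
```

Running `detect_spray(SAMPLE)` reports only the IMAP source, which is exactly the combination (one source, many accounts, legacy protocol) that blocking legacy authentication removes.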

Protect your privileged identities: Users with administrative privileges are often targeted by cybercriminals because they have access to valuable resources and information. To reduce the likelihood that these accounts will be compromised, they should only be used when people are conducting administrative tasks. When users are doing other work, like answering emails, they should use an account with reduced access. Just-in-time privileges can further protect administrative identities, by requiring that individuals receive approval before accessing sensitive resources and time-bounding how long they have access.

Detect threats through user behavior anomalies

Strong technical controls reduce the risk of a breach, but against determined adversaries a breach may not be totally preventable. Once attackers get in, they want to avoid detection for as long as possible. They build hidden tunnels and back doors to cover their tracks. Some lie low for thirty or more days on the assumption that log files will be deleted during that time. To discover threats inside your organization, you need the right data and tools to uncover patterns across different data sets and timeframes.

Event logging and data retention: Capturing and saving data can be tricky. Privacy regulations put restrictions on how long and what types of data you can save. Storing large amounts of information can get expensive. However, you’ll need to see across login events, user permissions, and applications to spot anomalous behavior. Data from months or even years ago may help you spot patterns in more recent behavior. Once you understand your contractual and legal obligations related to data, decide which events your organization should store and then decide how long to keep them.

Leverage User and Entity Behavior Analytics (UEBA): People tend to sign in and access resources in consistent ways over time. For example, a lot of employees check email as soon as they sign in. On the other hand, if someone’s account immediately starts downloading files from a SharePoint site, it may mean the account has been compromised. To identify anomalous behavior, UEBA uses artificial intelligence and machine learning to model how users and devices typically behave. It then compares future behavior against that baseline to produce a risk score. This allows you to analyze large data sets and elevate the highest-priority alerts.
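An added illustration (not code from the original post) of the baseline-and-score idea: per-user counts of the time band, country and application seen in a constructed sign-in history, with a new event scored by how surprising each of its attributes is under that baseline. The attributes, smoothing, history and the fixed score for an unknown user are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime
from math import log2

# Constructed sign-in history as (timestamp, user, country, app). The field
# choice is an assumption for this example, not any product's UEBA schema.
HISTORY = [
    ("2020-02-03T08:05:00", "alice@contoso.example", "US", "Exchange Online"),
    ("2020-02-04T08:12:00", "alice@contoso.example", "US", "Exchange Online"),
    ("2020-02-05T07:58:00", "alice@contoso.example", "US", "Exchange Online"),
    ("2020-02-06T08:20:00", "alice@contoso.example", "US", "Exchange Online"),
    ("2020-02-07T08:03:00", "alice@contoso.example", "US", "Exchange Online"),
    ("2020-02-10T08:09:00", "alice@contoso.example", "US", "Exchange Online"),
]

def features(ts: str, country: str, app: str) -> dict:
    """Reduce one sign-in to the attributes we baseline: time band, country, app."""
    hour = datetime.fromisoformat(ts).hour
    band = "night" if hour < 6 or hour >= 20 else "day"
    return {"band": band, "country": country, "app": app}

def build_baseline(history):
    """Per user, count how often each attribute value has been observed."""
    baseline = defaultdict(lambda: defaultdict(Counter))
    for ts, user, country, app in history:
        for key, value in features(ts, country, app).items():
            baseline[user][key][value] += 1
    return baseline

def risk_score(baseline, user, ts, country, app) -> float:
    """Sum of surprisal, -log2(p), over the attributes of a new event. Additive
    smoothing gives never-seen values a small p, so they cost bits but stay finite."""
    profile = baseline.get(user)
    if profile is None:
        return 10.0           # no baseline at all: treat as high risk (assumption)
    score = 0.0
    for key, value in features(ts, country, app).items():
        counts = profile[key]
        total = sum(counts.values())
        p = (counts[value] + 0.5) / (total + 0.5 * (len(counts) + 1))
        score += -log2(p)
    return round(score, 2)

def rank(baseline, events):
    """Order candidate (user, ts, country, app) events highest risk first."""
    scored = [(risk_score(baseline, *e), e) for e in events]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)
```

With this history, alice's usual daytime Exchange sign-in from the US scores well under one bit, a first-ever SharePoint access about four, and a night-time sign-in from a new country to SharePoint over eleven, which is the ordering the SOC queue should reflect.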

Assess your identity risk

As you are making decisions about what controls and actions to prioritize, it helps to understand current risks. Penetration tests can help you uncover vulnerabilities. You can also run password spray tests to generate a list of easily guessable passwords. Or send a phishing email to your company to see how many people respond. The SOC can use these findings to test detections. They will also help you prepare training materials and build awareness with employees. Tools such as Azure AD Identity Protection can help you discover current users at risk and monitor risky behavior as your controls mature.

Learn more

Many of the technical controls we’ve outlined are also best practices in a Zero Trust security strategy. Instead of assuming that everything behind the corporate network is safe, the Zero Trust model assumes breach and verifies each access request. Learn more about Zero Trust.

One way to reduce the likelihood that a password will be stolen is to eliminate passwords entirely. Read more about passwordless authentication.

Watch our RSAC 2020 presentation: Cloud-powered compromise blast analysis: In the trenches with Microsoft IT.

For more information on Microsoft Security Solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.