{"id":54866,"date":"2023-12-12T17:00:00","date_gmt":"2023-12-12T17:00:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/strengthening-identity-protection-in-the-face-of-highly-sophisticated-attacks\/"},"modified":"2023-12-12T17:00:00","modified_gmt":"2023-12-12T17:00:00","slug":"strengthening-identity-protection-in-the-face-of-highly-sophisticated-attacks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/strengthening-identity-protection-in-the-face-of-highly-sophisticated-attacks\/","title":{"rendered":"Strengthening identity protection in the face of highly sophisticated attacks"},"content":{"rendered":"
<\/div>\n

When it comes to security at Microsoft, we\u2019re customer zero as our <\/span>Chief Security Advisor<\/span> and CVP<\/span> Bret Arsenault<\/span><\/a> often emphasizes. That means we think a lot about how we build security into everything we do\u2014not only for our customers\u2014but for ourselves. We continuously work to improve the built-in security of our products and platforms. With the unparalleled <\/span>breadth <\/span>of our digital landscape and the integral role we play in our customers\u2019 businesses, we feel a unique responsibility to take a leadership role in securing the future for our customers, ourselves, and our community.<\/span> <\/span><\/p>\n

To that end, on November 2<\/span>nd<\/span>, 2023, we launched the <\/span>Secure Future Initiative (SFI)<\/span><\/strong><\/a>. It\u2019s a multi-year commitment to advance the way we design, build, test, and operate our technology to ensure we deliver solutions that meet the highest possible standards of security. Fundamentally, it encompasses three key engineering advances that help us meet our commitment:<\/span> <\/span><\/p>\n

    \n
  1. Transforming software development with automation and AI<\/span><\/i><\/strong>\u2014 Enhancing the Security Development Lifecycle (SDL) to integrate dynamic cybersecurity protections. This approach utilizes AI for secure code analysis, Github Copilot for auditing and testing against advanced threats, and new default settings for multifactor authentication to <\/span>reduce the likelihood of breach by up to 99.22%.<\/span><\/a><\/li>\n
  2. Strengthening identity protection against highly sophisticated attacks<\/span><\/i><\/strong>\u2014 Responding to the surge in identity-based threats, we\u2019re advancing identity protection across all products and platforms through a unified verification process for users, devices, and services. These advanced capabilities will also be available to external developers through standard identity libraries.<\/span> <\/span><\/li>\n
  3. Setting a new standard for faster vulnerability response and security updates<\/span><\/i><\/strong>\u2014Our goal is to reduce the time it takes to mitigate cloud vulnerabilities by 50%. We will also take a more public stance against third-party researchers being put under non-disclosure agreements by technology providers. Without full transparency on vulnerabilities, the security community cannot learn collectively\u2014defending at scale requires a growth mindset. Microsoft is committed to transparency and will encourage every major cloud provider to adopt the same approach.  <\/span> <\/span><\/li>\n<\/ol>\n

    Creating more resilient <\/span>token <\/span>signing key<\/span> <\/span><\/strong><\/span><\/p>\n

    As more customers understand the importance of multifactor authentication (MFA) and get ahead of the threat curve, we\u2019re seeing attackers increase the velocity of attacks on the remaining organizations that have yet to implement MFA by default. In our Secure Identities white paper, we share details on our engineering advances to strengthen identity protection, focusing on token signing key management and identity.<\/span><\/p>\n

    Explore the five categories shaping our token signing key management systems:<\/span> <\/span><\/p>\n

      \n
    1. Enhanced automation for key management (zero touch)<\/span><\/strong>\u2014Fully automate enterprise identity signing key management and remove the ability of human error or exploitation. In the near future, we will move consumer keys to the same system.<\/span> <\/span><\/li>\n
    2. Storing and managing keys in secure hardware (HSM)<\/span><\/strong>\u2014Aim to have all identity signing keys stored in Hardware Security Modules (HSM) to make the keys invulnerable to accidental or intentional storage access.<\/span> <\/span><\/li>\n
    3. Ensuring keys are protected in memory (confidential <\/span><\/strong>computing <\/strong><\/span>service)<\/span><\/strong>\u2014Prevent keys from becoming exfiltrated even if the underlying processes become compromised \u2014by using Microsoft Azure\u2019s confidential <\/span>computing <\/span>service to manage signing processes.<\/span> <\/span><\/li>\n
    4. Increasing key rotation frequency (rapid key rotation)<\/span><\/strong>\u2014More regularly and more rapidly retire and rotate keys in the identity infrastructure, so in the unlikely event a key is acquired<\/span>, attackers will have little time to use it. <\/span> <\/span><\/li>\n
    5. Monitoring key usage for suspicious activity (built-in telemetry)\u2014<\/span><\/strong>Define security invariants, the things that must hold, and then explicitly build system logging, detections, and alerting to make sure we know instantly that something is behaving outside our expectations.<\/span> <\/span><\/li>\n<\/ol>\n

      Ignite 2023: Continuously raising the identity security bar for our customers<\/strong><\/span><\/p>\n

      At Ignite, <\/span>I had the pleasure <\/span>of<\/span> shar<\/span>ing<\/span> the stage with <\/span>Mia Reyes, <\/span>Director of Foundational Security at Microsoft<\/span><\/span>,<\/span><\/span><\/span> to <\/span>present <\/span>and<\/span> receive live feedback on how <\/span>we\u2019re<\/span> strengthening identity protection. <\/span>In<\/span> the<\/span> session titled<\/span> \u201c<\/span><\/span>Boosting ID Protection Amid Sophisticated Attacks<\/span><\/span><\/a>,<\/span>\u201d<\/span> Mia <\/span>and I<\/span> shared <\/span>more information about the formation of <\/span><\/span>the <\/span><\/span>Secure Future Initiative (SFI)<\/span><\/span><\/a> as well as<\/span> alarming statistics and real-world incidents underscoring the dire need to reinforce identity protection<\/span>. <\/span>For example, we ran tests and found that <\/span>on <\/span> first attempt<\/span> of <\/span>a <\/span>malicious, <\/span>unprompted simple MFA approval request, <\/span>1%<\/span> of users <\/span>will approve <\/span>it<\/span>\u2014that\u2019s <\/span>likely <\/span>MFA<\/span> fatigue<\/span>. <\/span>One way <\/span>we\u2019re<\/span> helping to reduce fatigue is with<\/span> <\/span>n<\/span>umber matching <\/span>in Microsoft Authenticator<\/span><\/span><\/a> which<\/span> helps<\/span> MFA approvers to pause, <\/span>focus on the <\/span>request at hand<\/span>, and then approve<\/span> or deny<\/span> the<\/span> request.<\/span><\/span> Beyond that, we recognize that we <\/span><\/span><\/span>have to<\/span><\/span><\/span> do more to help people.<\/span> Watch the video below for <\/span><\/span><\/span>a few <\/span><\/span><\/span>policy updates <\/span>we\u2019ve<\/span> released to <\/span><\/span><\/span>increase MFA adoption.<\/span><\/span><\/span> <\/span><\/span><\/span><\/p>\n

      MFA fatigue is only one <\/span>of <\/span>the many <\/span>identity security<\/span> issues<\/span> our customers are <\/span>facing, which I <\/span>detail<\/span> in the live session. <\/span>MFA attacks <\/span>can also <\/span>include SIM Jacking, where <\/span>a bad actor convinces a carrier to <\/span>transfer your phone number, often by <\/span>utilizing<\/span> existing <\/span>information they find online <\/span>about you from social media<\/span> or <\/span>phishing<\/span>\u2014or even information <\/span>purchased<\/span> from sellers of previously leaked and stolen data.<\/span> And <\/span>our customer<\/span>s<\/span> have <\/span>also seen attackers bypass MFA controls entirely using <\/span>an adversary-in-the<\/span> middle<\/span> (<\/span>AitM<\/span>) <\/span>a<\/span>pproach<\/span> to steal session cookies and gain access to <\/span>a user\u2019s email accounts. <\/span><\/span> <\/span><\/span><\/span><\/span><\/p>\n

      If you missed the <\/span>live <\/span>session, <\/span><\/span>watch it now<\/span><\/span><\/a> learn <\/span>about <\/span>these types of infrastructure compromise attacks<\/span>, plus password and post-authentication attacks.<\/span> I also share more information on our<\/span> advancements <\/span>in identity protections<\/span> in the session<\/span>, <\/span>including<\/span> <\/span>the automatic roll-out of Microsoft-managed Conditional Access policies<\/span><\/span><\/span><\/span><\/a>,<\/span> automated key management<\/span>,<\/span> and Hardware Security Modules (HSM) for fortified key storage<\/span>\u2014<\/span>crucial <\/span>innovations<\/span> to<\/span> mitigat<\/span>e<\/span> human errors and bolster defenses against sophisticated aggressors.<\/span><\/span> <\/span><\/p>\n

      Series: Unpacking the Secure Future Initiative<\/span><\/strong> <\/span><\/span><\/p>\n

      As we think about the current cyber threats our customers face, as well as the unique responsibility we have to continually and continuously improve the built-in security of our products and platforms, we want to continue this conversation over the coming months. To that end, this post will be the first in a series where we\u2019ll return to unpack and share more detail about the following concepts and commitments: <\/span> <\/span><\/p>\n

      Read the white paper<\/span><\/a> to learn more about each of the five categories and how they work together to protect customers against escalating identity attacks. <\/span> <\/span><\/p>\n

    To delve deeper into the second engineering advance\u2014<\/span>strengthening identity protection against highly sophisticated attacks<\/span><\/strong><\/a>\u2014we’ve crafted a white paper focusing on the tangible actions we\u2019re taking towards more resilient identity systems and token signing keys.<\/span><\/p>\n