By Russell Smith and Azure Sentinel News
The SolarWinds hack at the end of 2020 highlighted ways in which hackers can use compromised applications and forged Security Assertion Markup Language tokens to move into Microsoft cloud environments from on-premises systems.
While the built-in security and monitoring features in Azure Active Directory, the identity management solution used to authenticate users in Microsoft 365, should be able to detect anomalies in SAML authentication, the Cybersecurity and Infrastructure Security Agency still issued an alert about the malicious activity.
The alert provides information on how IT can secure on-premises and cloud systems to prevent and detect malicious activity. The issues discovered with SAML tokens are not unique to Microsoft’s systems; SAML is an open standard that’s used to facilitate user logins to federated systems.
In the Microsoft case, hackers were able to forge SAML tokens and impersonate users, including those with privileged access. Once hackers obtain privileged access to the Microsoft cloud, they can establish entry that is persistent and difficult to detect.
Federal agencies are advised to follow Microsoft’s best practice advice as well as the mitigations published by CISA and the U.S. Computer Emergency Readiness Team (US-CERT) to make sure their cloud tenants are properly secured.
How to Protect Hybrid Environments
Connecting Microsoft 365 to an on-premises system can allow hackers to move laterally to the cloud if best practices are ignored. Agencies should use Azure AD Connect to synchronize accounts and password hashes to the cloud or use passthrough authentication.
Active Directory Federation Services provides few advantages for connecting Windows Server Active Directory to Azure AD, and also introduces risks that can make Azure AD vulnerable.
Objects synchronized to Azure AD should never hold cloud privileges beyond “standard user.” This ensures that compromised on-premises accounts can’t be used for malicious purposes in Microsoft 365. Agencies should check that objects synchronized from on-premises AD don’t inherit elevated cloud privileges from Azure AD roles or groups.
Azure AD administrator accounts should always be created in the cloud and protected using multifactor authentication. Azure AD Conditional Access policy can be used to further secure privileged cloud accounts, which should only be accessed from Azure-managed workstations.
CISA Tools Can Help Agencies Enhance Cloud Security
CISA recently released a PowerShell-based tool to help detect compromised Microsoft Azure accounts and applications through unusual and potentially malicious activity.
The GitHub-based tool, called Sparrow, is designed for incident responders, and is tailored to detect the recent authentication-based attacks highlighted during the SolarWinds hack.
With Sparrow, IT staff can narrow down user and application activity that could suggest authentication-based attacks. Sparrow checks Azure’s unified audit log for signs of compromise, lists Azure AD domains, and checks service principals and Microsoft Graph API permissions. GitHub has other free tools available for agencies as well.
Regardless of the tools used, agencies should monitor the creation and use of service principal credentials, trust relationships added to Azure AD, and the assignment of credentials to applications that allow noninteractive sign-in.
Interactive sign-in data should be collected from Azure and analyzed using security information and event management solutions such as Splunk or Microsoft Sentinel. SIEM also helps agencies retain log data for historical analysis.
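As an added illustration of the monitoring described above (example code, not from the article, CISA or the Sparrow tool), the following Python runs two of those checks over constructed Azure AD audit and service-principal sign-in records: it flags credential additions and federation-trust changes, and it pairs each new service-principal credential with that principal's later noninteractive sign-ins, marking a sign-in from an IP address the principal never used before the credential existed. The audit operation names and the simplified field names are assumptions to be verified against a real tenant export.

```python
import json
from datetime import datetime, timedelta

# Audit operations worth alerting on; names are assumed to match the wording
# Azure AD uses in its audit log (verify against your own tenant's export).
WATCHED_OPERATIONS = {
    "Add service principal credentials.": "credential added to service principal",
    "Set federation settings on domain.": "federation trust changed",
    "Set domain authentication.": "domain authentication method changed",
}
# Constructed sample records (JSON lines) loosely modelled on Azure AD audit and
# service-principal sign-in exports; the field names are simplified, not the real schema.
AUDIT_LOG = """\
{"time": "2021-01-05T10:00:00Z", "operationName": "Add service principal credentials.", "initiatedBy": "admin@contoso.example", "target": "billing-sync-app"}
{"time": "2021-01-05T10:02:00Z", "operationName": "Set federation settings on domain.", "initiatedBy": "admin@contoso.example", "target": "contoso.example"}
{"time": "2021-01-05T11:00:00Z", "operationName": "Update user.", "initiatedBy": "helpdesk@contoso.example", "target": "jdoe"}
"""
SP_SIGNIN_LOG = """\
{"time": "2021-01-04T09:00:00Z", "servicePrincipalName": "billing-sync-app", "ipAddress": "198.51.100.20"}
{"time": "2021-01-05T10:30:00Z", "servicePrincipalName": "billing-sync-app", "ipAddress": "203.0.113.7"}
"""

def parse_records(text):
    """Parse JSON-lines log text, converting 'time' to a datetime."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records

def flag_audit_events(audit):
    """Return (time, reason, actor, target) for every watched operation."""
    return [(r["time"], WATCHED_OPERATIONS[r["operationName"]], r["initiatedBy"], r["target"])
            for r in audit if r["operationName"] in WATCHED_OPERATIONS]

def credential_then_signin(audit, signins, window=timedelta(hours=24)):
    """Pair each new service-principal credential with that principal's
    noninteractive sign-ins inside the window. A sign-in from an IP the
    principal never used before the credential existed is the strongest signal."""
    alerts = []
    for ev in (e for e in audit if e["operationName"] == "Add service principal credentials."):
        sp = ev["target"]
        known_ips = {s["ipAddress"] for s in signins
                     if s["servicePrincipalName"] == sp and s["time"] < ev["time"]}
        for s in signins:
            if s["servicePrincipalName"] == sp and ev["time"] <= s["time"] <= ev["time"] + window:
                alerts.append((sp, s["ipAddress"], s["ipAddress"] not in known_ips))
    return alerts
```

In a SIEM the same two queries would run over the exported AuditLogs and service-principal sign-in tables, with the "new IP after new credential" pairing being the one that most deserves an analyst's attention.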
Why Enforcing Strong Authentication Is Key
The preliminary focus of these recent attacks was on initial access via compromised code in SolarWinds Orion. But CISA says it has observed cases where hackers have gained initial access using simple, password-based attacks including password guessing and password spraying.
There have also been cases of initial access using poorly secured administrator or service credentials. Once initial access is gained, hackers were able to use other techniques to elevate privileges and bypass identity controls and multifactor authentication.
Agencies should make sure that protections are in place for securing cloud and on-premises accounts. Multifactor authentication, security keys, Conditional Access and Azure Identity Protection can all be used to reduce the risk of account compromise.
In addition, managing users’ devices with mobile device management improves security by reducing dependency on Windows Server AD.