Breach at Microsoft: Novel Identity Attack Urges ITDR
There has been wide news coverage of a breach at Microsoft where Russian hackers managed to read and exfiltrate email from MS365 Exchange inboxes belonging to its top executives (see here and here).
A few remarks:
The initial entry point was facilitated by Microsoft's negligence: the company was running a test/development Azure tenant without multifactor authentication (MFA), which made it possible for the attacker to brute force an account's password.
Once inside the test tenant, however, the attacker used a relatively new identity technique: abusing OAuth applications within Entra ID (formerly Azure AD) to move laterally within or across cloud environments (see Microsoft's blog detailing the attack). Misusing OAuth lets threat actors keep access to applications even after they lose access to the initially compromised account.
In this case, the attacker read Microsoft's email undetected for weeks, maybe even months. The same applies to a number of other affected organizations (HPE, for example): based on MS365 customer telemetry, Microsoft concluded that this is now a widely used attack technique, deployed against other organizations using Microsoft 365 and Azure.
These Entra ID OAuth application abuse attacks became increasingly popular during 2023, pointing to a wider trend in identity-based attacks. Microsoft itself had documented them before the latest revelations (see here).
Protection focused on endpoint EDR/XDR capabilities would not necessarily detect this kind of cloud compromise. This is an identity-based attack visible only in the cloud environment (here, an Azure tenant), so it requires new detection and response capabilities.
So what's the lesson learned?
Standard detection and response tools typically don’t detect malicious activity after a “legitimate” user has been authenticated and authorized. This includes creating backdoors, bypassing existing security mechanisms, lateral movement and privilege escalation.
That problem is compounded by:
attacks now increasingly targeting machine or application identities, as opposed to employee accounts;
attacks fully playing out in the cloud environment such as an Azure tenant, with no suspicious behavior occurring on any endpoint.
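As an added illustration (not part of the original post) of the cloud-only, post-authentication signals ITDR tooling has to look at: a small Python triage over Entra ID audit-log entries that flags credential additions to service principals and permission grants giving an application mailbox access. The event shape follows the Microsoft Graph auditLogs/directoryAudits format, the sample events are constructed, and the flat `permissions` list is an assumed output of an earlier normalisation step.

```python
# Entra ID audit-log activity names that commonly accompany OAuth application abuse:
# adding credentials to an existing app (persistence) and granting it permissions.
RISKY_ACTIVITIES = {
    "Add service principal credentials": "new secret/certificate on a service principal",
    "Consent to application": "consent granted to an application",
    "Add app role assignment to service principal": "application permission granted",
}
# Permission strings that let an application read mailboxes.
MAIL_PERMISSIONS = {"full_access_as_app", "Mail.Read", "Mail.ReadWrite"}

def actor_of(event):
    initiator = event.get("initiatedBy", {})  # who acted: a user UPN or an application
    if "user" in initiator:
        return initiator["user"].get("userPrincipalName", "unknown-user")
    if "app" in initiator:
        return "app:" + initiator["app"].get("displayName", "unknown-app")
    return "unknown"

def triage_audit_events(events):
    """Flag risky app/identity changes; mailbox-wide permissions raise severity to high."""
    findings = []
    for ev in events:
        activity = ev.get("activityDisplayName", "")
        if activity not in RISKY_ACTIVITIES:
            continue
        reason = RISKY_ACTIVITIES[activity]
        # Assumption: an earlier normalisation step has flattened the granted
        # permission strings from modifiedProperties into a "permissions" list.
        mail_perms = set(ev.get("permissions", [])) & MAIL_PERMISSIONS
        if mail_perms:
            reason += "; mailbox access via " + ", ".join(sorted(mail_perms))
        targets = ", ".join(t.get("displayName", "?") for t in ev.get("targetResources", []))
        findings.append({"time": ev.get("activityDateTime"), "actor": actor_of(ev),
                         "activity": activity, "target": targets, "reason": reason,
                         "severity": "high" if mail_perms else "medium"})
    return findings

# Constructed sample events (not real telemetry), shaped like Graph auditLogs entries.
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-01-10T02:11:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "testuser@tenant-test.example"}},
     "targetResources": [{"displayName": "legacy-test-app"}]},
    {"activityDateTime": "2024-01-10T02:14:00Z", "activityDisplayName": "Add app role assignment to service principal",
     "initiatedBy": {"app": {"displayName": "legacy-test-app"}}, "permissions": ["full_access_as_app"],
     "targetResources": [{"displayName": "Office 365 Exchange Online"}]},
    {"activityDateTime": "2024-01-10T09:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@tenant-test.example"}},
     "targetResources": [{"displayName": "Some User"}]},
]
```

Run against the constructed events, the benign user update is ignored while the credential addition and the Exchange `full_access_as_app` grant are flagged, the latter at high severity.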
That's why a new class of solutions is emerging, one that Gartner calls Identity Threat Detection and Response or ITDR, addressing the new security perimeter: identity.
ITDR is now part of many vendors' security portfolios, typically integrated with endpoint detection and response (EDR/XDR) solutions. Some examples include:
CrowdStrike Falcon Identity Protection: extending its XDR platform, this ITDR solution covers both on-prem AD domain controllers and Azure AD tenants to collect identity telemetry and detect malicious activity. More on Azure Entra ID protection here.
Palo Alto Networks ITDR: part of its Cortex XDR platform, it provides proactive coverage for stealthy identity threat vectors, including compromised accounts and insider threats, combined with user behavior analytics (UEBA).
Proofpoint Spotlight and Shadow: products within its ITDR platform (the result of its Illusive acquisition) taking an agentless approach that scans identity stores (primarily on-prem AD and Azure Entra ID) to discover incorrect or risky configurations that can lead to identity compromise.
Trend Micro Vision One: an ITDR module within its XDR platform that connects to a variety of identity sources (including Entra ID) and can detect malicious activity, misconfigurations or drift from best practices.