A growing trend for organizations, from both a security and an end-user experience perspective, is to join more clients directly to Azure AD, making the cloud identity service more authoritative. This would help prevent mimikatz-driven lateral movement across AD objects and give users a faster on-ramp with their new laptop. However, best practices, tools and IT expertise are not keeping pace with the rate of adoption, creating new security blind spots.
This post is the second of my in-depth predictions for 2020; in it, we’ll explore why Azure AD and hybrid AD security shortfalls are a growing blind spot and what types of attacks can occur because of them.
The growing blind spot
More enterprises are syncing their on-premises Active Directory to Azure AD to connect to Office 365 and other online, SaaS-based services. In fact, we’ve been seeing more organizations joining user computers and laptops directly to Azure AD rather than to on-premises Active Directory. This gives the user a smoother experience with a new laptop, and for the IT team it is far easier than re-imaging.
What all this means is that Azure AD is becoming more authoritative. Endpoints relying on Azure AD are more exposed to direct assault, making them prime targets for specific types of attacks. Meanwhile, best practices, tools and IT expertise are not keeping pace with the rate of adoption.
Growing attack threats to hybrid AD and Azure AD
So, what are those attacks? Let’s look at three types of attacks:
- First, with more endpoints connected directly to Azure AD or via Azure AD Connect, the tenant is a prime target for password spraying. In his 2019 keynote at The Experts Conference, Microsoft Certified Master Sean Metcalf described password spraying as one of the most common attacks against Office 365 and Azure AD, with many toolkits designed to avoid account lockouts and anything that would alert users. In most cases, these toolkits exploit legacy authentication, which is enabled by default and bypasses multifactor authentication (MFA) protections.
- Second, once attackers have an Azure AD password, they can find ways to move off the cloud and into your on-premises Active Directory, where they begin to exploit vulnerabilities, move laterally and elevate permissions.
- Third, with those elevated privileges in AD or Azure AD, an attacker can restore a deleted user from the Azure AD recycle bin to regain the role access that former user had – such as sensitive files and administrative duties. Other changes that could happen in such a scenario include:
  - Changes to privileged roles and designated admins
  - Changes to groups that live only in Azure AD, including security, distribution and O365/Teams groups
  - Configuration of Azure AD B2B
  - Configuration of SaaS applications that integrate with Azure AD for authentication
  - Creation of non-synchronized users, roles and other resources
  - Users sharing data in SharePoint, OneDrive and other O365 resources with external users
  - Privileged and end-user access to mailboxes, and leakage of mail through forwarding rules
Detecting insider threats in Office 365 and hybrid AD
Office 365, AD and Azure AD security are critical for your business continuity, especially when it comes to mitigating insider threats. Unfortunately, native auditing tools are limited in their event-tracking capabilities and thus create a growing blind spot in security monitoring.
So, how can you effectively detect Office 365 and hybrid AD security events and be protected against insider threats?
Another of our keynote speakers at The Experts Conference, longtime Microsoft MVP Randy Franklin Smith, dives into the details in this on-demand webcast, showing what these events look like, how to find them, the shortcomings to watch out for in the native web interface and PowerShell commands, and the limitations of O365 audit event retention.
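As an added example (not code from the original post), here is detection logic for the password-spray pattern described in the first attack above, run over constructed Azure AD sign-in records of the kind the native audit tooling exposes: it groups failed sign-ins by source IP, flags IPs that touch many distinct accounts inside a short window, notes whether legacy client protocols were used, and reports any sprayed account that then signed in successfully from that IP. The record shape follows the Microsoft Graph signIn resource (userPrincipalName, ipAddress, clientAppUsed, status.errorCode, createdDateTime); the thresholds and the sample events are assumptions to tune per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Client app names reported in clientAppUsed for legacy (non-modern-auth) protocols.
LEGACY_CLIENTS = {"Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "SMTP"}
BAD_PASSWORD = 50126  # AADSTS50126: invalid username or password

def detect_password_spray(events, min_users=5, window=timedelta(hours=1)):
    """Flag each source IP whose failed sign-ins hit at least `min_users`
    distinct accounts inside `window` (the spray signature: many users, one
    or two guesses each). Also list legacy clients used and any later successes."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ipAddress"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["createdDateTime"])
        failures = [e for e in evs if e["status"]["errorCode"] == BAD_PASSWORD]
        sprayed = set()  # largest distinct-user set seen inside any one window
        for i, first in enumerate(failures):
            users = {f["userPrincipalName"] for f in failures[i:]
                     if f["createdDateTime"] - first["createdDateTime"] <= window}
            if len(users) > len(sprayed):
                sprayed = users
        if len(sprayed) < min_users:
            continue
        compromised = sorted({e["userPrincipalName"] for e in evs
                              if e["status"]["errorCode"] == 0
                              and e["userPrincipalName"] in sprayed})
        legacy = sorted({e["clientAppUsed"] for e in failures} & LEGACY_CLIENTS)
        findings.append({"ipAddress": ip, "targetedUsers": len(sprayed),
                         "legacyClients": legacy, "compromised": compromised})
    return findings

def _event(minute, upn, ip, client, code):
    """Build a constructed sign-in record in the Graph signIn shape (helper, not a real API)."""
    return {"createdDateTime": datetime(2020, 1, 15, 9, 0) + timedelta(minutes=minute),
            "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": client, "status": {"errorCode": code}}

# Constructed sample: one IP walks six accounts over ActiveSync with a single
# guess each and finally lands on user5; a second IP is one user mistyping twice.
SAMPLE_EVENTS = [_event(m, f"user{m}@example.com", "203.0.113.7",
                        "Exchange ActiveSync", BAD_PASSWORD) for m in range(6)]
SAMPLE_EVENTS += [_event(7, "user5@example.com", "203.0.113.7", "Exchange ActiveSync", 0),
                  _event(2, "alice@example.com", "198.51.100.2", "Browser", BAD_PASSWORD),
                  _event(3, "alice@example.com", "198.51.100.2", "Browser", BAD_PASSWORD),
                  _event(4, "alice@example.com", "198.51.100.2", "Browser", 0)]
```

Running `detect_password_spray(SAMPLE_EVENTS)` returns a single finding for 203.0.113.7 (six targeted users, legacy client "Exchange ActiveSync", user5 compromised) and nothing for the mistyping user, which is the distinction a lockout-based control misses.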