I listened to this brief interview with Trimarc Founder and Chief Technology Officer Sean Metcalf and thought it was worth sharing as this has been a topical discussion both internally at work and also with customers recently.
You can read (or listen to) the full article here (approximately a 5-minute read):
My Takeaways:
There were a number of things that stood out to me in particular, so if you’re short on time you may just want to read (or listen!) to these rather than the entire article:
- Many organisations are too permissive with their user settings
- Often this is either out of ignorance or a preference to reduce workload by allowing more users to take actions that would normally be restricted to an administrative role in an organisation
- Identity remains a key attack vector, so taking the time to secure it is critical.
- OAuth 2.0 consent requests are being used to phish users into granting access to fraudulent apps
- This is super interesting as many users know that SSO is a good thing, and are familiar with an app requesting access to organisational information through an OAuth request. The trick here is when a user is duped into granting this access by a phishing attack. As Sean points out:
Attackers sometimes phish a user and the user sees what looks like a legit application requesting permissions, but it is an application that the attacker created. The attacker then has full access. The attacker could pull data through the application continuously and the user does not even know about it. This is not just a Microsoft thing. This happens due to OAuth, and other cloud providers such as Google are susceptible.
Strategies for securing identities in Azure Active Directory with Sean Metcalf – Microsoft Community Hub
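The pattern Sean describes leaves a trace that defenders can audit: a delegated permission grant, consented by a single user rather than an admin, for an app that asks for broad and persistent access. The following is an added example (not code from the original post or from Microsoft) that scores grant records for that pattern. The records are constructed to mimic the shape of Azure AD oauth2PermissionGrant objects; the `publisher_verified` flag, the `HIGH_RISK_SCOPES` list, the app names and the `app-000x` ids are all assumptions chosen for illustration.

```python
"""Flag OAuth2 permission grants that match the consent-phishing pattern:
a user (not an admin) consenting to an unverified app that asks for broad,
persistent access.

Added example, not code from the original post or from Microsoft. Grant
records are constructed to mimic Azure AD oauth2PermissionGrant objects; the
publisher_verified flag and HIGH_RISK_SCOPES are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Delegated Microsoft Graph scopes that let an app read or act on user data
# on an ongoing basis. Extend to suit the tenant (assumed list).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "offline_access",
}


@dataclass
class Grant:
    app_name: str
    client_app_id: str          # constructed placeholder ids below
    consent_type: str           # "AllPrincipals" (admin consent) or "Principal" (one user)
    principal: Optional[str]    # consenting user when consent_type == "Principal"
    scope: str                  # space-separated delegated scopes, as Graph returns them
    publisher_verified: bool    # assumption: derived from the app's verified publisher


@dataclass
class Finding:
    app_name: str
    principal: Optional[str]
    risky_scopes: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def assess_grant(grant: Grant) -> Optional[Finding]:
    """Return a Finding when the grant matches the consent-phishing pattern."""
    scopes = set(grant.scope.split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    reasons = []
    if risky:
        reasons.append("grants high-risk delegated scopes")
    if "offline_access" in scopes:
        reasons.append("offline_access yields refresh tokens, so access persists")
    if grant.consent_type == "Principal":
        reasons.append("user consent rather than admin consent")
    if not grant.publisher_verified:
        reasons.append("publisher is not verified")
    # Broad scopes alone are normal for admin-consented, verified apps; alert
    # only when they are combined with user consent or an unverified publisher.
    if risky and (grant.consent_type == "Principal" or not grant.publisher_verified):
        return Finding(grant.app_name, grant.principal, risky, reasons)
    return None


def audit(grants: List[Grant]) -> List[Finding]:
    """Run assess_grant over every grant and keep the findings."""
    return [f for f in (assess_grant(g) for g in grants) if f is not None]


# Constructed sample grants (app names and ids are placeholders).
SAMPLE_GRANTS = [
    Grant("Contoso HR Portal", "app-0001", "AllPrincipals", None,
          "User.Read Mail.Read", True),
    Grant("Doc Viewer Pro", "app-0002", "Principal", "alice@contoso.example",
          "User.Read Mail.Read offline_access Files.Read.All", False),
    Grant("Calendar Helper", "app-0003", "Principal", "bob@contoso.example",
          "User.Read", False),
    Grant("Shared Mailbox Sync", "app-0004", "AllPrincipals", None,
          "Mail.ReadWrite offline_access", False),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS):
        print(f"{finding.app_name} ({finding.principal or 'admin consent'}): "
              f"{', '.join(finding.risky_scopes)} -> {'; '.join(finding.reasons)}")
```

Run against the constructed set, the verified, admin-consented HR portal passes even though it reads mail, while the user-consented "Doc Viewer Pro" grant is flagged on every count: mail and file scopes, `offline_access` (which is what makes the "pull data continuously" part of the quote possible), a single user's consent and an unverified publisher. In a real tenant the same logic would be fed from the tenant's permission grant export rather than the inline sample.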
- Attackers phish a user with MFA prompts hoping they will eventually hit “approve” instead of “deny” on the request.
- In my role at Microsoft, I had a spate of this in 2022 and, given Microsoft was using passwordless authentication, there was no need for my password to have been compromised to generate these MFA requests. A bad actor simply had to enter my email address at https://portal.office.com, for example, and it would push the MFA request. However, because Microsoft used number matching I could not ‘accidentally’ approve this, as I could not see the matching number on the device triggering the MFA request. Interestingly, many of these MFA requests were coming from the wider Seattle region (which made me wonder if this was internal anti-phishing testing – so I did report it to the internal security teams to be on the safe side):

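The burst of push prompts described above also shows up in the sign-in log, and it is worth having detection for it even where number matching already blocks the accidental approval. The following is an added example (not code from the original post or from Microsoft) that looks for repeated unsatisfied MFA prompts per user inside a sliding window and raises the severity when a successful sign-in follows the burst. The log lines are constructed to mimic the fields of an Azure AD sign-in record; the use of `status.errorCode` 500121 to mean "MFA step not satisfied" and 0 to mean success, the user names, the addresses and the window and threshold values are all assumptions for illustration.

```python
"""Detect MFA push spam ("MFA fatigue") in Azure AD style sign-in logs.

Added example, not code from the original post or from Microsoft. The log
lines are constructed to mimic an Azure AD sign-in record. Assumptions:
status.errorCode 500121 marks a sign-in whose strong-authentication step was
not satisfied, errorCode 0 marks success, and WINDOW/THRESHOLD are illustrative.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

MFA_NOT_SATISFIED = 500121          # assumed meaning, see docstring
SUCCESS = 0
WINDOW = timedelta(minutes=10)      # look-back window per user
THRESHOLD = 5                       # unsatisfied MFA prompts within WINDOW


def _line(ts: str, user: str, ip: str, code: int) -> str:
    """Build one constructed JSON sign-in record."""
    return json.dumps({"createdDateTime": ts, "userPrincipalName": user,
                       "ipAddress": ip, "status": {"errorCode": code}})


# Constructed sample: alice is prompted six times from two addresses and never
# approves, bob sees two prompts then signs in normally, carol approves after five.
SAMPLE_LOG = "\n".join([
    _line("2023-05-02T09:00:00Z", "alice@contoso.example", "203.0.113.10", MFA_NOT_SATISFIED),
    _line("2023-05-02T09:01:00Z", "alice@contoso.example", "203.0.113.10", MFA_NOT_SATISFIED),
    _line("2023-05-02T09:02:00Z", "alice@contoso.example", "203.0.113.10", MFA_NOT_SATISFIED),
    _line("2023-05-02T09:03:00Z", "alice@contoso.example", "203.0.113.11", MFA_NOT_SATISFIED),
    _line("2023-05-02T09:04:00Z", "alice@contoso.example", "203.0.113.11", MFA_NOT_SATISFIED),
    _line("2023-05-02T09:05:00Z", "alice@contoso.example", "203.0.113.11", MFA_NOT_SATISFIED),
    _line("2023-05-02T10:00:00Z", "bob@contoso.example", "198.51.100.7", MFA_NOT_SATISFIED),
    _line("2023-05-02T10:01:00Z", "bob@contoso.example", "198.51.100.7", MFA_NOT_SATISFIED),
    _line("2023-05-02T10:02:00Z", "bob@contoso.example", "198.51.100.7", SUCCESS),
    _line("2023-05-02T11:00:00Z", "carol@contoso.example", "203.0.113.25", MFA_NOT_SATISFIED),
    _line("2023-05-02T11:01:00Z", "carol@contoso.example", "203.0.113.25", MFA_NOT_SATISFIED),
    _line("2023-05-02T11:02:00Z", "carol@contoso.example", "203.0.113.25", MFA_NOT_SATISFIED),
    _line("2023-05-02T11:03:00Z", "carol@contoso.example", "203.0.113.25", MFA_NOT_SATISFIED),
    _line("2023-05-02T11:04:00Z", "carol@contoso.example", "203.0.113.25", MFA_NOT_SATISFIED),
    _line("2023-05-02T11:05:00Z", "carol@contoso.example", "203.0.113.25", SUCCESS),
])


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines sign-in records into sorted event dicts."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        events.append({
            "ts": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
            "user": rec["userPrincipalName"],
            "ip": rec["ipAddress"],
            "code": rec["status"]["errorCode"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_mfa_fatigue(events: List[dict], window: timedelta = WINDOW,
                       threshold: int = THRESHOLD) -> Dict[str, dict]:
    """Return one alert per user whose unsatisfied prompts reach the threshold."""
    alerts: Dict[str, dict] = {}
    recent = defaultdict(deque)   # user -> unsatisfied MFA events inside the window
    for e in events:
        q = recent[e["user"]]
        while q and e["ts"] - q[0]["ts"] > window:   # slide the window forward
            q.popleft()
        if e["code"] == MFA_NOT_SATISFIED:
            q.append(e)
            if len(q) >= threshold:
                a = alerts.setdefault(e["user"], {
                    "user": e["user"], "count": 0, "ips": set(),
                    "severity": "medium", "approved_after_spam": False})
                a["count"] = max(a["count"], len(q))
                a["ips"].update(x["ip"] for x in q)
        elif e["code"] == SUCCESS and len(q) >= threshold:
            # A success right after a burst of prompts is the case number
            # matching exists to prevent: the user may have tapped approve.
            a = alerts[e["user"]]
            a["severity"] = "high"
            a["approved_after_spam"] = True
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_events(SAMPLE_LOG)).values():
        print(f"{alert['user']}: {alert['count']} prompts from "
              f"{sorted(alert['ips'])}, severity {alert['severity']}")
```

Two prompts followed by a normal sign-in (bob) is everyday noise and is not reported; six prompts with no approval (alice) is the situation described in the bullet above and gets a medium alert; five prompts followed by a success (carol) is the outcome that number matching is there to prevent and is raised to high so the account can be reviewed first.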
- Conditional Access is awesome and is effectively an identity firewall
- I’ve had a few chats with customers recently who either knew little about Conditional Access, or were learning more and loving it. Sean acknowledged the growing importance of CA to securing the identity of users in a cloud-first world (read more here if you’re new to Conditional Access)
- The challenge of the “identity nexus” – either the interoperability of on-premises and cloud identities, or cloud-to-cloud federation, and the unintended security holes that can be introduced
- This is a very real challenge and as many customers increasingly expect/demand the ability to have that seamless sign on experience between platforms, the opportunity for lateral movement by bad actors across platforms can materialise.
- This can mean that a change made in the cloud with AAD can affect permissions for users/groups on-premises, or in a different, federated cloud.
- Hybrid components such as AzureAD Connect, Seamless Single Sign On and Pass Through Authentication (PTA) are all possible attack vectors to be aware of.
Sean’s final comment is worth repeating verbatim when it comes to implementing strong protection of identity:
Strong authentication, like Multifactor Authentication, secured systems like Privileged Access Workstations for highly privileged accounts, and limiting rights that service accounts and third-party systems have are the most important ways to protect identity.
Strategies for securing identities in Azure Active Directory with Sean Metcalf – Microsoft Community Hub
Listening, Not Reading
I mentioned in the intro that I listened to this interview, rather than read the transcription, and I did that using the Edge browser “Read Aloud” functionality – if you’re new to this, check out Read aloud (microsoft.com) for guidance.
To see it in action, here is a quick recording I made:
I’ve been using this more and more recently. For example, a friend sent me an article to read and I used Read Aloud on Edge browser on my iPhone to listen to it whilst walking to the bus stop. With the Azure Cognitive Services powered voices sounding more realistic than ever, it’s not an unpleasant way to quickly absorb content whilst on the go.