COMMENTARY: SolarWinds, Colonial Pipeline, Hafnium Exchange. What do these attacks have in common? Beyond their status as some of the most high-profile attacks of recent years, these breaches signify a shift in the attack path for threat actors. Cyber threats increasingly target cloud environments, typically Microsoft Entra ID (formerly known as Azure AD), then move to on-premises Active Directory (AD) — or vice versa.
As the primary identity store for cloud and hybrid environments, Entra ID has become a prime target for attackers. Often, a threat actor will use non-privileged or lower-privileged accounts to move laterally across the network, looking for a gap that lets them gain more privilege. Higher privilege means more potential for abuse and exploitation. This path is common among ransomware operators, and it works as well with cloud identity as it has for AD. Cloud-centric attacks such as targeted phishing campaigns against highly privileged users, like global administrators, are also a continual concern.
Unfortunately, more often than not, organizations implement weak identity controls. According to Microsoft, insufficient controls on privileged access and lateral movement played a part in 93% of ransomware incident response engagements.
Bolstering security controls starts with identifying the mistakes organizations most commonly make. Here are the three that contribute to Entra ID’s vulnerability to attack:
Too many global administrators
Global administrators have full access to Entra ID resources, as well as the Microsoft 365 and Azure resources tied to the Entra tenant, and can manage access to all of its administrative features. But because those admins don’t really need that level of access 90% of the time, their accounts represent an unnecessarily rich target for attackers.
Top-level execs or CTOs may get global access because of their position in the business, but never actually use those privileges. Employees who need expanded privileges for a certain project or procedure are given admin rights, but no one circles back to take them away. And the more people who have unlimited access within an organization, the larger the attack surface becomes.
Microsoft recommends that companies have fewer than five global admins, regardless of their size. In certain circumstances, companies may need to grant admin access to more users, but teams should restrict this to specific periods, via time-based access controls that allow access for one hour, one day, or one week and automatically take those privileges away when the time is up.
In addition to maintaining a minimal number of privileged users, regularly reviewing privileges and removing high-level access rights from users who don’t need them limits the opportunities attackers can use to gain a larger foothold in an environment. While it’s time-consuming to manage privileged users — and some people may object to losing privileges — it’s essential to reducing the organization’s risk.
Lack of privilege separation
Privilege separation represents another way to shrink the attack surface by giving users separate sets of privileges for each of their accounts and requiring that they sign in to those separate accounts depending on the work they’re doing.
A security team member may have an administrative account in Entra ID but not need admin privileges in Office 365. Or they may have a global admin account they don’t need while working on other systems that they manage or, even worse, while they do their daily work that requires no privilege at all. Despite this, organizations often don’t separate privileges into distinct accounts along these lines.
By separating privileges, starting with those who have global admin access in one environment, organizations effectively reduce the risk of misuse of administrative rights, filling a critical layer of a defense-in-depth strategy. If a user’s unprivileged account gets compromised, an attacker's ability to move laterally and gain access to critical systems or data becomes limited, if not stopped altogether. If a user signed in as an admin clicks on a phishing email that’s part of an attacker-in-the-middle scenario, and the attacker obtains the user’s access tokens, that attacker has those administrative privileges. If that same user clicked on the same email while using a non-privileged account, the attacker’s ability to move through the cloud is limited.
Leveraging roles in Entra, and potentially groups assigned to roles, can help simplify management of privileged roles within Entra ID. Further, using tools such as privileged identity management (PIM) can provide a lifecycle around the privileged user objects, while the non-privileged users are handled by standard organizational lifecycles, usually driven by HR systems. This separation also helps protect against lingering accounts, which have been paths to compromise after an employee has left the organization.
Privileged hybrid users
This issue often intersects with privilege separation. Organizations are often tempted to source highly privileged accounts, like global administrator, from AD. If those accounts are synced, it gives attackers an opportunity to expand their attack by compromising an account in AD and using that access to move into the cloud environment. Because Entra privileged roles and users have no native privileged meaning in AD, organizations also create a path of additional and unnecessary work to try to protect these accounts.
Keeping AD and Entra accounts separate can help minimize the impact of any attack made against either asset. Continuous monitoring for unusual activity within both types of accounts will help detect and stop malicious activities, including any membership changes to privileged accounts and groups.
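The two checks above (fewer than five global admins, and no AD-synced accounts holding the role) can be audited from the tenant itself. The following script is an added example written for this column, not the author's or Semperis's code; it assumes the Microsoft Graph PowerShell SDK is installed and the caller has consent for RoleManagement.Read.Directory and User.Read.All.

```powershell
# Added example: audit active Global Administrator assignments in an Entra ID tenant.
# Assumes the Microsoft.Graph module is installed and the signed-in account can read
# directory roles and users. The threshold of five is the Microsoft guidance quoted above.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

# Well-known role template ID for Global Administrator (stable across tenants).
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
if (-not $role) { throw 'Global Administrator role is not activated in this tenant.' }

$findings = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    $type = $member.AdditionalProperties['@odata.type']
    if ($type -ne '#microsoft.graph.user') {
        # Groups or service principals holding the role need their own review; flag them as-is.
        [pscustomobject]@{
            Upn       = $member.AdditionalProperties['displayName']
            Principal = $type
            Synced    = 'n/a'
            Finding   = 'Non-user principal holds Global Administrator'
        }
        continue
    }
    # onPremisesSyncEnabled = $true means the account is sourced from on-premises AD.
    $user = Get-MgUser -UserId $member.Id -Property Id, UserPrincipalName, OnPremisesSyncEnabled
    $synced = [bool]$user.OnPremisesSyncEnabled
    [pscustomobject]@{
        Upn       = $user.UserPrincipalName
        Principal = 'user'
        Synced    = $synced
        Finding   = $(if ($synced) { 'Hybrid (AD-synced) account holds Global Administrator' } else { '' })
    }
}

$findings | Format-Table Upn, Principal, Synced, Finding -AutoSize

$count = @($findings).Count
if ($count -ge 5) {
    Write-Warning "$count principals hold Global Administrator; Microsoft recommends fewer than five."
}
$findings | Where-Object Finding | ForEach-Object { Write-Warning "$($_.Upn): $($_.Finding)" }
```

Directory role membership only reflects active assignments: PIM-eligible users do not appear until they activate, so eligible assignments must be reviewed separately (for example with Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance).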
Because privileged users have access to an organization’s most valuable data and services, they are a prime target for threat actors. Failure to effectively manage access privileges for Entra ID can create a host of security risks that can ultimately result in compromised environments.
Companies that lack visibility into the privileges their users hold are potentially leaving themselves vulnerable to attack. By giving priority to Entra ID management and ensuring that least-privilege principles are applied throughout the enterprise, organizations can raise the level of difficulty for attackers.
Eric Woodruff, senior security researcher, Semperis
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.