As Scattered Spider headlines have reminded us of late, ransomware is always in season. The group has been around for many years, and this year it is pivoting from industry to industry to find new targets. In addition to using social media to identify relationships to better target individuals for phishing attacks, the group also impersonates help desk personnel and uses a variety of techniques to gain access, identify network targets, and surveil cloud locations for databases and storage containers to attack.
If it feels as if attackers like Scattered Spider know more about our networks than we do, that’s likely because they do. One thing they know is that most enterprises still rely on passwords rather than phishing-resistant credentials such as passkeys. If you’re still using plain passwords without multi-factor authentication (MFA), consider your days numbered if you haven’t been attacked already.
So, as you put migrating to Windows 11 atop your to-do list this summer, evaluate your organization’s password strategy and consider putting passwordless solutions such as passkeys into your authentication regimen. Here’s how to get started.
Ensure secure passkey signup
First, you’ll need to evaluate your organization’s use of the Microsoft Authenticator app to ensure you have enabled using it for passkeys.
Go to the Microsoft Entra admin center, then Protection > Authentication methods > Policies. Open Passkey (FIDO2), set it to Enabled, and under Configure turn on key restrictions with the Microsoft Authenticator AAGUIDs (one for iOS, one for Android) on the allow list. Do this before you begin deployment: a passkey registered before the restriction is in place will be blocked at sign-in once the allow list is enforced.
Susan Bradley / CSO
Next, add Conditional Access policies so that user sign-ins are evaluated against conditions such as atypical (“impossible”) travel, in which someone signs in from one location and shortly afterwards from a geographically distant one. Note that Conditional Access requires Entra ID P1 licensing, and risk-based conditions such as sign-in risk require P2.
If you have high-risk factors, set up policies that allow MFA and passkey registration only from trusted locations or compliant devices. Conditional Access exposes this as the “Register security information” user action, so you can block registration from anywhere outside your named trusted locations. The pandemic opened us up to logins from almost anywhere, but with Windows 11 migration on order, now is the time to make sure credentials are set up on our own terms.
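The two steps above, enabling passkeys in Microsoft Authenticator and restricting security-info registration to trusted locations, as an added example using the Microsoft Graph PowerShell SDK. This is not code from the article; the AAGUID values are the ones Microsoft publishes for Authenticator and should be checked against the current Microsoft Learn list before use, and the break-glass group ID is a placeholder.

```powershell
# Added example (not from the article). Requires the Microsoft.Graph module and,
# for the Conditional Access policy, an Entra ID P1 license.
# Install-Module Microsoft.Graph -Scope CurrentUser   # run once

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "Policy.ReadWrite.ConditionalAccess"

# Assumption: AAGUIDs as published by Microsoft for Authenticator passkeys. Verify against
# Microsoft Learn before deploying; a wrong AAGUID silently blocks registration.
$authenticatorAaguids = @(
    "90a3ccdf-635c-4729-a248-9b709135078f",  # Microsoft Authenticator (iOS)
    "de1e552d-db1d-4423-a619-566b625cdc84"   # Microsoft Authenticator (Android)
)

# 1. Enable the Passkey (FIDO2) method for all users, allowing only Authenticator keys.
$fido2 = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true
    # Assumption: attestation left off; enable it only if every allowed key attests.
    isAttestationEnforced            = $false
    keyRestrictions                  = @{
        isEnforced      = $true
        enforcementType = "allow"
        aaGuids         = $authenticatorAaguids
    }
    includeTargets = @(
        @{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $fido2

# Read the setting back so the change is verified, not assumed.
$cfg = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2"
"FIDO2 state: $($cfg.State); allowed AAGUIDs: $($cfg.AdditionalProperties.keyRestrictions.aaGuids -join ', ')"

# 2. Conditional Access: block security-info registration outside trusted named locations.
#    Starts in report-only mode; switch to "enabled" after reviewing the sign-in log impact.
$breakGlassGroupId = "<object-id-of-emergency-access-group>"   # placeholder
$registrationPolicy = @{
    displayName = "Block security info registration from untrusted locations"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $registrationPolicy
```

Run it as an Authentication Policy Administrator and Conditional Access Administrator. Keep the emergency-access group excluded from every blocking policy, and leave the policy in report-only mode until the sign-in log shows that no legitimate registrations would have been refused.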
You may also need identity-proofing steps at enrollment similar to those used for passports: the individual either comes to a physical location, shows identification, and completes some form of external verification, or, as with credentials such as ID.me for government sites, goes through a process that reviews a scanned driver’s license against a live webcam image.
Signup processes should meet not only your organization’s needs but also the privacy rules of each jurisdiction you hire in, including those that govern how you handle applicants’ and employees’ identity documents.
Take control of your authentication protocols
Because security must forever be monitored and tweaked, you’ll also want to review your Azure infrastructure against the latest security guidance and the Microsoft cloud security benchmark (formerly the Azure Security Benchmark).
As you do, review your need for legacy authentication protocols. Older SMB dialects, SMBv1 in particular, should be disabled. NTLM should already be phased out, or on its way out, in favor of Kerberos or more modern techniques.
If you do use legacy authentication, look for third-party solutions that add multi-factor authentication so such protocols are protected as far as they can be. Services such as Duo (duo.com) can help protect insecure protocols that are still a key part of your firm’s infrastructure.
Consider setting up policies to block legacy authentication protocols. Once again, turn to Conditional Access to set up the policies. Before rolling out a blocking policy, audit your organization to see what is still using legacy protocols.
Browse to Entra ID > Monitoring & health > Sign-in logs.
Add the Client App column if it isn’t shown by clicking on Columns > Client App.
Select Add filters > Client App > choose all of the legacy authentication protocols and select Apply.
Also perform these steps on the User sign-ins (non-interactive) tab.
Filter on the Client App field (shown under the Basic info tab of each sign-in) to see which legacy authentication protocol was used. You may have to switch back to the legacy view in the portal to filter on these protocols.
Susan Bradley / CSO
Ideally you should see no such protocols at all.
You can then prepare policies to block these legacy protocols as a preventive measure, starting in report-only mode so you can confirm nothing business-critical breaks.
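The audit-then-block procedure above, as an added example (not code from the article) using the Microsoft Graph PowerShell SDK. It pulls interactive and non-interactive sign-ins that used a legacy client app over the last 30 days, summarizes them per protocol and user, and then stages the blocking Conditional Access policy in report-only mode. The list of legacy client-app names is the one Microsoft documents for the sign-in log; the break-glass group ID is a placeholder.

```powershell
# Added example (not from the article). Needs Entra ID P1 for sign-in log access via Graph
# and for Conditional Access.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Policy.ReadWrite.ConditionalAccess"

$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Client app names the sign-in log uses for legacy (non-modern-auth) protocols.
$legacyApps = @(
    "Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Exchange Web Services", "Exchange Online PowerShell", "MAPI Over HTTP",
    "Offline Address Book", "Outlook Anywhere (RPC over HTTP)", "Reporting Web Services",
    "AutoDiscover", "Universal Outlook"
)

# 1. Audit: query both interactive and non-interactive sign-ins for each legacy app.
#    (The non-interactive tab in the portal corresponds to signInEventTypes 'nonInteractiveUser'.)
$legacySignIns = foreach ($app in $legacyApps) {
    foreach ($eventType in @("interactiveUser", "nonInteractiveUser")) {
        $filter = "createdDateTime ge $since and clientAppUsed eq '$app' " +
                  "and signInEventTypes/any(t: t eq '$eventType')"
        Get-MgAuditLogSignIn -All -Filter $filter
    }
}

if (-not $legacySignIns) {
    "No legacy-authentication sign-ins in the last 30 days."
} else {
    # Who is still using what: this is the list to fix before the block policy is enforced.
    $legacySignIns |
        Group-Object ClientAppUsed, UserPrincipalName |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize
}

# 2. Block: Conditional Access policy targeting legacy client app types, report-only first.
#    Graph models legacy auth as the clientAppTypes 'exchangeActiveSync' and 'other'.
$breakGlassGroupId = "<object-id-of-emergency-access-group>"   # placeholder
$blockLegacy = @{
    displayName = "Block legacy authentication (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy
```

Re-run the audit portion after a week or two in report-only mode; when the grouped output is empty (or only contains accounts you have deliberately migrated), change the policy state to "enabled". Service accounts and multifunction printers that use SMTP or EWS are the usual stragglers.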
Additional tips for security and recovery
Where practical, remove federation trusts for authentication to Microsoft 365 and move to cloud (managed) authentication. A federation server that an attacker controls can mint tokens for any cloud user, so removing the trust makes it far harder to jump from on-premises Active Directory to your Microsoft 365 services.
You should also set up cloud-only accounts, especially for privileged and emergency-access roles, that never touch your on-premises AD. Treat the two environments, cloud and on premises, as mutually hostile: separate them as much as possible and keep a compromise of one from spreading to the other.
Last, but not least, plan for these identity attacks and have a playbook for recovery. Ransomware and breaches will occur. In the past, merely restoring from backup and rebuilding AD was enough. Now that identity is the primary way attackers gain access, they will look for ways to keep persistent access to the identity they have taken over even after your rebuild is under way.
Check a compromised account for the persistence attackers plant during an intrusion: mailbox delegations and forwarding rules, devices suddenly added to its registered-device list, newly registered authentication methods, consented OAuth applications, and adjusted permissions or role assignments. You will need to remove each of these and then monitor for unusual activity or traffic from the accounts used in the takeover.
Depending on the account, you may need to disable it and start fresh with a new user account, so the clean identity shares no tokens or authentication methods with the attacker. Rather than merely cleaning and rebuilding the computer and handing it back to the user, you may need to “clean up” their identity before you consider the incident under control.
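An added example (not from the article) of the persistence triage and containment described above for one Entra ID account, using the Microsoft Graph PowerShell SDK. The user principal name and incident start date are placeholders; the Graph scopes listed are the ones these cmdlets commonly need and may have to be adjusted to your tenant’s role model.

```powershell
# Added example (not from the article): enumerate attacker persistence on a taken-over
# account, then disable it and revoke every session and refresh token.
Connect-MgGraph -Scopes "User.ReadWrite.All", "UserAuthenticationMethod.Read.All", "Directory.Read.All"

$upn           = "victim@contoso.example"      # placeholder: the compromised account
$incidentStart = (Get-Date).AddDays(-14)       # placeholder: earliest suspected compromise

$user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, AccountEnabled

# 1. Authentication methods. A phone number, Temporary Access Pass or passkey added by the
#    attacker keeps MFA-backed access alive after a password reset; remove anything unexpected.
"== Registered authentication methods =="
Get-MgUserAuthenticationMethod -UserId $user.Id |
    Select-Object Id, @{ n = "Type"; e = { $_.AdditionalProperties["@odata.type"] } }

# 2. Registered devices. Anything registered inside the incident window is suspect.
"== Devices registered since $incidentStart =="
Get-MgUserRegisteredDevice -UserId $user.Id -All |
    ForEach-Object { $_.AdditionalProperties } |
    Where-Object { $_["registrationDateTime"] -and [datetime]$_["registrationDateTime"] -ge $incidentStart } |
    Select-Object displayName, registrationDateTime, trustType

# 3. OAuth consents granted by this user: token-based persistence that survives password resets.
"== OAuth2 permission grants =="
Get-MgUserOauth2PermissionGrant -UserId $user.Id -All |
    Select-Object ClientId, ResourceId, Scope

# 4. Roles and groups the account currently holds; compare against the last known-good state.
"== Directory role and group memberships =="
Get-MgUserMemberOf -UserId $user.Id -All |
    Select-Object @{ n = "Type"; e = { $_.AdditionalProperties["@odata.type"] } },
                  @{ n = "Name"; e = { $_.AdditionalProperties["displayName"] } }, Id

# Mailbox-level persistence (inbox rules, delegates, forwarding) lives in Exchange Online and
# needs the ExchangeOnlineManagement module, e.g.:
#   Connect-ExchangeOnline
#   Get-InboxRule -Mailbox $upn
#   Get-MailboxPermission -Identity $upn
#   Get-Mailbox -Identity $upn | Select-Object ForwardingSmtpAddress, ForwardingAddress

# 5. Containment: disable the account and invalidate all refresh tokens and sessions so the
#    attacker cannot keep riding an existing token while you clean up.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
"Account $upn disabled and sign-in sessions revoked."
```

Revoking sessions invalidates refresh tokens, but access tokens already issued remain valid until they expire (typically about an hour), so keep watching the sign-in log for the account during that window. Run the enumeration steps again after cleanup to confirm nothing was re-added.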
Like it or not, ransomware is here to stay. Taking charge of your authentication and access policies provides a strong foundation for countering its impact.