Imagine a legacy email account that held “read access” to any account in your network. You might say “Hmm” and “Very interesting.” But now imagine that your network was the size of Microsoft Corporation: could that be a catastrophic problem? In reality, the news could actually be worse: Microsoft is currently attempting to remediate and resolve this network-wide identity breach. The compromise and intrusion known as Midnight Blizzard has been a cybersecurity nightmare for Microsoft since last year. Any quick online search will report the depth and breadth of this Russian attack, and the problem spans both government and private industry.
Hacked private email, viruses, ransomware, Trojan horses, malware, intellectual property theft, identity theft, and so on. With all of the security breach events we have witnessed over the past few decades, what should we be most concerned about, what are the largest looming threats, and why? We asked industry experts, and what they had to say was enlightening and also alarming. It mostly focused on the end user and today’s modern attack surface, which seeks to compromise an individual’s identity.
It’s a fact: no organization can claim to stop cyber attackers 100% of the time, but there are new capabilities that blue teams can deploy now to reduce their attack surface and, more specifically, their identity attack surface. Continuous Diagnostics & Mitigation (CDM) is precisely one such capability. CDM is a critical $6 Billion + CISA / DHS cybersecurity program rapidly spreading across government and private industry. Today, over 300 federal agencies have adopted CDM as an essential core capability for their internal risk management, and private enterprises in corporate America have quickly followed suit.
Recent breaches, beyond the astounding Midnight Blizzard attacks, show the detrimental impact of the identity attack surface: just look back at SolarWinds, U.S. OPM, Facebook, Experian, Marriott and so many others as public examples. At US ProTech, we’ve repeatedly seen where traditional multi-factor authentication (MFA) fails. With so many options for gaining initial network access, organizations must go beyond traditional MFA and endpoint security and use identity protection methods that focus on stopping lateral movement and closing the backdoor for attackers. This objective is met when you have insight into and control over any and all modifications to Users and Groups permissions.
Gaps in an organization’s identity security posture continue to expose its IT infrastructure and make it easy for Technical-Adversaries to gain access—essentially walking through an unlocked back door.
A wide range of Cybersecurity tools are entering the market to address these identity concerns. Examples of tools that track lateral movement include ANAMO and LATMA:
- Anamo CDM delivers near real-time, risk-weighted e-Discovery and data analytics. Anamo is focused on internal e-Discovery and forensics, which capture lateral and vertical user movements along with many other attack vectors such as permission modification and software vulnerabilities. Anamo: https://anamo.io/
- LATMA is an open-source tool that is essentially connected to Active Directory (AD). It applies algorithms to identify suspicious movements. The tool works by using a series of techniques in the environment, collecting authentication traffic from AD.
No organization is immune to cyber threats, and the recent Midnight Blizzard attacks on Microsoft prove just that. Phishing attacks against major organizations will continue to prevail, and we can only expect threat actors to get more sophisticated and inconspicuous in the artificial intelligence (AI) era.
The Midnight Blizzard attack on Microsoft was coordinated by a threat group, formerly known as Nobelium, that is affiliated with Russia’s Foreign Intelligence Service. According to Microsoft’s statement, the attackers used a password-spraying method to gain access to a test account; once that proved successful, it led to the compromise of corporate email accounts, including those that belonged to senior leadership. From there, the hackers were able to exfiltrate account identities to access emails and attached documents. The breach is said to have occurred in November 2023; however, Microsoft did not detect it until months later.
Identity continues to be the most used attack method and weakest link in everyday security postures. Every organization needs to reevaluate and evolve its cybersecurity strategies to keep pace with the sophisticated tactics employed by nation-state actors and keep a hyper-focus on identity. In fact, we learned from one partner that 83% of all businesses have experienced data breaches involving compromised credentials, and 65% haven’t implemented multi-factor authentication (MFA) where it matters.
The tactics of Midnight Blizzard, initiated through a password spray attack on a legacy, non-production test tenant, underscore several critical areas for immediate action and reflection within organizations’ everyday cybersecurity practices. There is no better time than now to consider what tools you have in place and how those tools will specifically provide insight and e-discovery functionality related to the identity attack surface.
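One way to surface the password-spray pattern described above in authentication logs, as an added example that is not code from Microsoft, US ProTech or any product named here: it flags a source that fails against many distinct accounts with few attempts each, and lists any logins that succeeded from that source. The log format, thresholds, account names and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.7 alice FAIL
2024-01-10T09:00:40 198.51.100.9 admin FAIL
2024-01-10T09:00:41 198.51.100.9 admin FAIL
2024-01-10T09:00:42 198.51.100.9 admin FAIL
2024-01-10T09:02:10 203.0.113.7 bob FAIL
2024-01-10T09:03:00 192.0.2.10 alice FAIL
2024-01-10T09:03:20 192.0.2.10 alice SUCCESS
2024-01-10T09:04:30 203.0.113.7 test-tenant-svc SUCCESS
2024-01-10T09:06:45 203.0.113.7 carol FAIL
2024-01-10T09:08:50 203.0.113.7 dave FAIL
2024-01-10T09:11:05 203.0.113.7 erin FAIL
"""

WINDOW = timedelta(minutes=30)  # assumed look-back window
MIN_ACCOUNTS = 5                # assumed: distinct accounts failed from one source
MAX_PER_ACCOUNT = 2             # a spray makes few guesses per account


def detect_spray(log):
    """Return {source: {"targeted": [...], "succeeded": [...]}} for spraying sources."""
    fails, wins, flagged = defaultdict(list), defaultdict(set), defaultdict(set)
    for line in sorted(log.strip().splitlines()):  # ISO timestamps sort by time
        ts, src, user, result = line.split()
        ts = datetime.fromisoformat(ts)
        if result == "SUCCESS":
            wins[src].add(user)
            continue
        # Keep only this source's failures inside the window, then count per account.
        fails[src] = [(t, u) for t, u in fails[src] if ts - t <= WINDOW] + [(ts, user)]
        per_user = defaultdict(int)
        for _, u in fails[src]:
            per_user[u] += 1
        # Wide and shallow: many accounts, few attempts each (stays under lockout).
        if len(per_user) >= MIN_ACCOUNTS and max(per_user.values()) <= MAX_PER_ACCOUNT:
            flagged[src].update(per_user)
    # A login that succeeded from a spraying source is the event to triage first.
    return {s: {"targeted": sorted(a), "succeeded": sorted(wins[s])}
            for s, a in flagged.items()}


if __name__ == "__main__":
    for source, finding in detect_spray(SAMPLE_LOG).items():
        print(source, finding)
```

Repeated failures against a single account (the `198.51.100.9` lines) are deliberately not reported here; that is ordinary brute force and is normally caught by lockout policy rather than by this wide-and-shallow check.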
Top 10 – Improving Cybersecurity in the Enterprise
Gaps in an organization’s identity security posture continue to expose its IT infrastructure and make it easy for bad actors to gain access—essentially walking through an unlocked back door. Threat actors will continue to capitalize on this cybersecurity gap as it’s relatively easy to escalate privilege and move laterally throughout an organization without triggering alerts—just like we saw with Midnight Blizzard.
Security teams must evaluate and enhance current security measures to best protect their data, employees, and attack surfaces. Excellent practices include:
- Establish Ever-Advancing Policies & Procedures
- Conduct Enterprise-Wide Cybersecurity Assessments
- Enable CDM Real-Time Discovery
- Prove e-Discovery functionality
- Safeguard Data from Ransomware
- Deploy MFA (Consider KYC & Facial Recognition)
- Test Automated Notification Scenarios
- Test Tenant Over Privileges (AD)
- Conduct Regular Penetration Testing
- Continue Phishing Education
Solution Considerations
Options include commercial SaaS products; Anamo CDM is one such product, and it is functional across a variety of operating systems. There are also a variety of open-source services that may offer different functionality. Nevertheless, addressing Users and Groups and their access to your network should be a top priority, not a basic wish-list item for your next fiscal budget.
US ProTech offers complete solutions addressing all of these critical aspects as well as many more. Contact us for a free consultation and learn just how affordable your investment in security can be, today.