In today’s world, everything is focused on security. Every day we see more and more stories of companies or individuals getting compromised or having their information stolen. Personally, I have seen where companies have lost millions of dollars in a single day due to attacks. The ones I have seen could have easily been prevented. They say hindsight is 20/20 and that is really true. When I see a company that has just lost several million dollars and when the preventative cost was just $5 a user, they never like it. Often times this results from someone not seeing the value in it until it is too late.
A large number of the attacks that I have seen, could have been prevented by a combination of security policies and user training. You will often see where the users do not want to give time to the training part of this equation, but let’s face reality here. You number 1 defense against any attack is the user. It is also the most often exploited vulnerability.
Whenever a “bad actor” (fancy term for the person trying to do harm) is trying to infiltrate your network, they are going to look for the weakest vulnerability, the low hanging fruit. They are looking for the least effort with the greatest gain. Oftentimes, that means a user who will click on a link or respond to an email. These types of attacks are known as “phishing” attacks. They can be some of the easiest to avoid and some of the most expensive if you don’t. There are basically 2 parts to this the first one is the security of your email system and the policies that will protect you. The 2nd is the user knowing what to do.
NOTE: This pertains Office 365 email, if you have an on-premises exchange server the security will be slightly different in implementation.
The first part of this equation is the security aspects. There are several things we can do to beef up our security.
Multi Factor Authentication (MFA)
This is by far the most effective that I have seen in preventing access to your email. MFA is something that you get with any Office 365 subscription. There are three ways you can do this though. Like anything, you get what you pay for. Let’s look at the ways we can implement MFA.
MFA on individual user accounts
This is the most basic method and is not recommended as it does require you to turn this on for each user account. You do not get as much control over this as the other methods we are going to talk about. This is however, the one most people think about. When you login to the Office 365 admin portal, you can see a link at the bottom of any user account for Multi Factor Authentication. This is how you turn it on for individual users, this is also how you get confused people who look at say it is turned off. This will stay in a disabled state when the other methods are being used.
This is the new baseline security that Microsoft has implemented on all subscriptions. If you sign up for a subscription, this is what you get. These are all preconfigured settings to accomplish the following things;
· Requiring all users to register for Azure Multi-Factor Authentication.
· Requiring administrators to perform multi-factor authentication.
· Blocking legacy authentication protocols.
· Requiring users to perform multi-factor authentication when necessary.
· Protecting privileged activities like access to the Azure portal
This will help protect you by forcing a limited level of security on you and your users. I most often see this being applied when users are in the web version of outlook checking their email. Since this would be a hassle for a lot of people. You will see that they check that little box that says don’t ask me again for 14 days. Great that’s helpful. Especially if I happen to try guessing your password from the web client.
Well, I am not worried because no one knows my password is my dog’s name and my birth year. They could never figure that out. It is not like I have a public website that I post about everything that goes on in my life, or that reminds my friends when my birthday is right? Oh yea, social media.
We could go on and on about how to get your password, but let’s just assume for the sake of time that a bad actor has your password and your email address. With that assumption, they could access your email, start seeing who you send invoices to, or who you pay invoices for. Then all the bad actor has to do is send an invoice to someone you normally would pay with a different account number.
I have seen this kind of attack, and it works. A company let’s call them ABC & associates, started paying invoices to a vendor just like normal. However, the invoices were sent to their accounting department that had received an email they “thought” was from the vendor saying they changed their bank account info and to please update the payment method to reflect that. Great no problem, right? Well it was not really the vendor that sent that email. ABC & Associates kept paying and did not get a phone call from their vendor for about 6 months saying they had not paid them for 6 months. This could be a small amount if you have small bills. Some companies have very large bills and 6 months of payments can be a very large amount indeed.
This type of attack was made possible because someone check a box to not prompt for MFA for 14 days. How a simple check box can cost hundreds of thousands of dollars. This is an extreme case, but a true one. In that case the company lost around 4 million dollars in that 6 months.
What if we had a way to look at every login and ask, “should that person be logging in?” or “how did they get to another country in just 3 minutes?” Well, lets look at our next method
Conditional access uses policies to evaluate and make decisions on if that login should be trusted or challenged. At the most basic level, these are IF THEN statements.
IF user A logs in from location B
THEN allow login
These get very complicated very quickly, but they do provide a way to bring all the different things together that microsoft leverages for security. The policies that I implement as a baseline would be things like impossible travel. That means if you live in California and always login from California and suddenly you tried to login from Russia or China or England seconds or minutes after you logged in from California. Then I want to block that login or at the very least assign it a high risk.
Conditional access does this, I can even block logins from outside the USA. Do not pass go do not collect $200. You can use a policy to challenge the login and if the user at ABC & Associates, would have had this enabled. The bad actor would not have been able to login. The don’t prompt me for 14 days would basically not apply if a conditional access policy was triggered.
It works by taking a signal, (such as a login) and deciding on it, then enforcing that decision.
User A takes a vacation to England, and logs in from the Hotel
The conditional access policy would then force MFA on the login from User A
User A enters the correct MFA code or approves the app notification
Conditional access allows the login
If user A was not on vacation, they would get a text message or an app notification of the login attempt, and the conditional access policy would deny the login.
I prefer the app notification, as it allows the user to decline the login and alerts them that a login attempt took place.
Threat protection is a suite of protection services that Microsoft offers that provides pre and post breach tools. They focus on detection, prevention, investigation, and response.
The enterprise defense suite consists of 4 protection services.
- Microsoft Defender Advanced Threat Protection
- Office 365 Advanced Threat Protection
- Azure Advanced Threat Protection
- Microsoft Cloud App security
Microsoft Defender Advanced Threat Protection
Defender is an endpoint security platform, in other words, this is your antivirus on your computer. The goal is to prevent, detect, investigate, and respond to attacks.
Defender uses a combination of technology both on the device it is installed on and in the Microsoft cloud to accomplish this. There is a lot of behind the scenes work that goes on with both the Microsoft security team and the leveraging the cloud technology. When a new threat is discovered or reported to be investigated, it is placed in a lab environment. The Microsoft security team then lets it do whatever it is trying to do, so they can evaluate and learn about it. These are then studied, and preventative measures discovered and implemented. It is an ever-improving process, the security team is actively seeking ways to improve. Meanwhile the cloud infrastructure is learning about the threats and how they respond and what they look like. This allows more and more things to be caught and prevented before becoming a real problem.
Office 365 Advanced Threat Protection
Office 365 ATP works by creating policies to detect and act on threats. Basically, this is where it becomes a spam filter or at least that is how a lot of people think of it. There is actually a lot more to it that happens behind the scenes and more that you can control.
The basic Office 365 has a spam filter that works pretty well, this takes it about 10 steps further. With ATP you get a lot more control than just looking at the spam score on a message. You end up have threat policies that will help detect and prevent or take action on malicious messages. Reporting gives you a real time view of the attacks and actions taken. When something does happen, you can use the reports to start looking, and that opens up into an investigation portal. The threat investigation and response capabilities are what really makes ATP worth it to me as an administrator. I am often asked about tracking down something that happened and understanding where it came from or how. This helps me a lot, but what I notice more is how much I find was blocked. There are times when I go looking at the investigation portal and I find that there are tons of things that have been investigated by the artificial intelligence behind ATP that I never had to do anything about. That is the last piece to this puzzle, the Automated investigation and response portion. When threats are detected, ATP does not have to wait on anyone to tell it what to do. It can make the decision based on the policies and data that is being collected.
ATP is made up of the following tools;
- Threat protection policies
- Threat investigation and response capabilities
- Automated investigation and response capabilities
There are 2 plans available for ATP
As you can see from looking at the capabilities, the protection actually goes beyond just email. You can have the same policies apply to your Teams, SharePoint, and OneDrive as well. This is important because now you can protect against threats from users logging on to a machine that is not protected and uploading a malicious file.
Azure Advanced Threat Protection
Azure ATP is a little different from the Office 365 ATP. Azure ATP focuses on identity protection, but not in the way most people probably think about that term. Here we are talking about your Azure Active Directory identity. ATP is monitoring and analyzing user activity and information across all of the network. This allows ATP to create a behavioral baseline for each user, then we can identify anomalies and start taking action on suspicious activities and events. This is more than just email security, here we are talking about group permissions and access into all of the Microsoft products.
This is where you can get into device management with Intune, and even monitoring event logs on your servers to detect suspicious activity. Having ATP here allows reporting on these activities and allows you to control what happens when they are detected. This is were conditional access policies are created and applied. We can also have some of those conditional access policies to trigger based on suspicious activity. Where we are not 100% its bad, but we want to be cautious anyway.
If we look at how this fits together, you can see the various tools work together to provide a multi-layered security for your environment.
The ATP sensors can be installed on Azure VM’s or on-premises servers that you want to monitor. These are specifically designed to look at your domain controllers and use profiling, deterministic detection, machine learning, and behavioral algorithms to learn about the network and detect anomalies. This data is sent over to the Cloud App security tool.
Microsoft Cloud App security
Cloud app security is a Cloud Access Security Broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services.
“a cloud access security broker (CASB) is an on-premises or cloud-based security policy enforcement point that is placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as cloud-based resources are accessed.” – Gartner
Well, at least it sounds impressive! Actually, the more you learn about it, the more impressive it gets. If we take a look at what it does, and how it is gathering all the data. We can see that everything is sent here, and then we have policies that will control access or alert on the event.
Sometimes, you do not want to prevent the access, but you do want to know about it. Cloud app security allows you to set alert policies on all the different areas. I like having a distro these go to with my IT staff. This way you do not have a single point of failure. You can have multiple people looking at them. This is where I usually catch people trying to figure out what the logins are or trying to perform attacks to break passwords and get into the network. Once we see those, we can start taking action to actively prevent the bad actors.
The second part to our equation is user training. No system is perfect, and no system will be 100% protected. There is always the danger of a user plugging in a flash drive or clicking on an email he shouldn’t.
We all like to think we are smart enough to not be fooled right? Well that is where we are most vulnerable, we tend to think we won’t fall for it or it won’t happen to use. Think again. Just having in mind that you won’t fall for it, makes you vulnerable to it. I have seen lots of IT admins falling for phishing scams or trying to use shortcuts because they are smarter than the attacker. What does the bad actor do with their time? They spend it all on finding ways into your network, what better way than to have you think the bad actor is dumb. Never underestimate your enemy or overestimate yourself. We all need to do training to stay current and remind ourselves.
There are too many ways to go into how to train your users to get into. Just remember your IT staff are users too. Try to have a training policy in place for your users. I like the knowbe4 platform as it provides some very good training and analytics on the results. This is just one kind of training there are others out there.