Recently, Microsoft  reported that the company was the subject of  a cyberattack from an external threat actor called Storm-0558. Microsoft stated that the objective of most Storm-0558 campaigns was to obtain unauthorized access to email accounts belonging to employees of targeted organizations. The modus operandi employed by the threat actor was to gain access through credential harvesting, phishing campaigns, and OAuth token attacks. 

‍

It's important to note that the actors were keenly aware of the target’s environment, logging policies, authentication requirements, policies, and procedures. According to Dark Reading, a stolen Microsoft account (MSA) key enabled the Storm-0558 APT group to create fake authentication tokens, posing as authorized Azure AD users, which granted them entry into Microsoft 365 enterprise email accounts. This breach potentially provided access to sensitive information within these accounts.

‍

I’m sure there are a lot of interpretations along with Do’s and Dont’s that are being recommended, Analyzing this incident from an access abuse perspective, four critical considerations stand out

‍

• The Need For Granular Access 

Microsoft reported that the actor’s core working hours are consistent with working hours in China, this highlights the importance of granular access and tracking users and their source and location of access. Granular access and tracking of the users login sources and patterns of access to detect anomalies are foundational to detecting  access abuse. However, that seemed insufficient to prevent this attack

‍

• The Overwhelming Consequences Of Access Federation Through SSO Or Tokens 

The pilfered MSA key could have also allowed the threat actor to generate access tokens for various Azure Active Directory applications, including those that support personal account authentication like SharePoint, Teams, OneDrive, and customers' applications using the 'login with Microsoft' feature, as well as multitenant applications.

‍

Microsoft Account (MSA) keys are the foundation for authentication in the Microsoft ecosystem, allowing users access to various services like Azure Active Directory (Azure AD), Microsoft 365, and more. Unfortunately, when these keys fall into the wrong hands, they can lead to devastating consequences. Federated access can be a boon or a bane as this incident clearly demonstrates

‍

• Urgent Need For Real Time Detection And Remediation Of Threats 

Unfortunately, complex  APT attacks are hard to detect, let alone the mitigation. It takes a long time before such breaches are reported. We have seen this too often, as in the case of the Okta breach. The underlying complexity and the absence of authentication logging in many organizations means that the full extent of the actual compromise resulting from this incident will likely require several weeks, if not months, to ascertain. The initial activity of Storm-0558 was reported on May 15, 2023; the actual breach report came on July 11, 2023. 

‍

• Tracking Unknown And Evolving Threats: This incident highlights the flaw in the current authentication mechanism where an external threat actor can mimic approved behaviors to go past the gates. Unfortunately, this has become possible because the focus is more on authenticating the user rather than on the behavioral patterns of the user gaining access and the potential to deploy,  the stolen credential tokens for privilege abuse. It's important to understand the user footprint, their entitlements, and activities across the environment to build the context behind every user and derive their intent as to who gets to do What, When, Where, and Why?

‍

• Limitations of current IAM and PAM solutions: This incident highlights the glaring and largely under-focused  aspects of the downstream potential of privilege abuse that could take place once the hacker gains privileged access to the organization’s environments. Most of the current tools largely focus on two aspects 

‍

• They mostly gate known malicious behaviors through policies. But it's more important to track emerging behavioral tactics deployed by adversaries, as this incident illustrates, which is a gray area today. 

‍

• They authenticate the user along with MFA and granular access through the Zero Trust framework, but these gating mechanisms are under siege with newer and sophisticated APTs, which are not accounted for. 

‍

PAM solutions gate activities at the session level to block suspicious activities. But with stolen credentials and an external threat actor compromise, this current incident demonstrates that a PAM solution couldn't have blocked these activities 

‍

Irrespective of the end game of the threat actors, the foundations for most of the breaches stem from compromised credentials (source: Verizon 2023 Data Breach Investigations Report). Current IAM and PAM solutions aren't purpose-built to address escalating behaviors of the Advanced Persistent Threats. Privilege abuses are hard to detect and pose significant challenges for organizations.  Amongst all the various security-related events within organizations, access events are Here-And-Now events. A minute late may prove to be too late

‍

Malicious actors who gain privileged access can exploit their extensive permissions without raising alarms, making it difficult for traditional security measures to identify and prevent such abuse effectively. Therefore, there is a crucial requirement for a tool capable of real-time detection and remediation of both known and unknown behaviors across an organization's perimeter. This tool should rely on advanced behavioral analytics and artificial intelligence to continuously monitor user activities, analyze access patterns, and promptly detect any suspicious or anomalous behavior associated with privilege abuse. With such a robust solution in place, organizations can proactively protect their critical assets and respond swiftly to potential threats, minimizing the risks posed by privilege abuse.

‍

‍