Many organizations are moving services and resources to the cloud. The benefits include lower IT costs, scalability, business continuity, and efficiency, which together add up to a competitive advantage. Securing the cloud, however, is its own challenge. Many organizations rely on third parties to secure their cloud environment. A third party may tell you it is secure, but how do you know for sure? How is the vendor protecting against sophisticated cloud attacks?
At Black Hat USA 2019, Sean Metcalf (Trimarc) and Mark Morowczynski (Microsoft) presented a session titled “Attacking and Defending the Microsoft Cloud (Office 365 & Azure).” They walked attendees through the most common attacks and how a bad actor carries them out: reconnaissance against the tenant, enumerating valid user accounts, password spraying those accounts, and compromising the federation server (ADFS), whose token-signing certificate lets the attacker forge Security Assertion Markup Language (SAML) tokens and sign in as any user. None of these attacks is difficult to perform.
They then covered how to defend against these attacks and compiled the following Microsoft Cloud security checklist:
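The password spraying described above, seen from the defender's side, as an added example that is not from the talk or its slides: a small PowerShell detector over Azure AD sign-in records. The field names (userPrincipalName, ipAddress, clientAppUsed, status.errorCode) follow the Azure AD sign-in log schema; the ten records are constructed for the demo, and the three thresholds are assumptions to tune for your tenant. A spray looks like many distinct accounts failing once or twice each from one source in a short window, which is exactly what per-account lockout counters miss.

```powershell
# Added example, not from the Black Hat talk: find password sprays in Azure AD
# sign-in records. Records below are constructed; in production, feed the same
# fields from the SigninLogs table in Log Analytics / Azure Sentinel.
# status.errorCode 50126 = invalid username or password, 0 = success.
$signIns = @'
[
 {"createdDateTime":"2019-08-07T10:00:01Z","userPrincipalName":"alice@contoso.com","ipAddress":"203.0.113.10","clientAppUsed":"Other clients; IMAP","status":{"errorCode":50126}},
 {"createdDateTime":"2019-08-07T10:00:14Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.10","clientAppUsed":"Other clients; IMAP","status":{"errorCode":50126}},
 {"createdDateTime":"2019-08-07T10:00:27Z","userPrincipalName":"carol@contoso.com","ipAddress":"203.0.113.10","clientAppUsed":"Other clients; IMAP","status":{"errorCode":50126}},
 {"createdDateTime":"2019-08-07T10:00:40Z","userPrincipalName":"dave@contoso.com","ipAddress":"203.0.113.10","clientAppUsed":"Other clients; IMAP","status":{"errorCode":50126}},
 {"createdDateTime":"2019-08-07T10:00:53Z","userPrincipalName":"erin@contoso.com","ipAddress":"203.0.113.10","clientAppUsed":"Other clients; IMAP","status":{"errorCode":50126}},
 {"createdDateTime":"2019-08-07T10:01:06Z","userPrincipalName":"frank@contoso.com","ipAddress":"203.0.113.10","clientAppUsed":"Other clients; IMAP","status":{"errorCode":50126}},
 {"createdDateTime":"2019-08-07T10:35:20Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.10","clientAppUsed":"Other clients; IMAP","status":{"errorCode":0}},
 {"createdDateTime":"2019-08-07T10:05:10Z","userPrincipalName":"grace@contoso.com","ipAddress":"198.51.100.7","clientAppUsed":"Browser","status":{"errorCode":50126}},
 {"createdDateTime":"2019-08-07T10:05:30Z","userPrincipalName":"grace@contoso.com","ipAddress":"198.51.100.7","clientAppUsed":"Browser","status":{"errorCode":50126}},
 {"createdDateTime":"2019-08-07T10:06:02Z","userPrincipalName":"grace@contoso.com","ipAddress":"198.51.100.7","clientAppUsed":"Browser","status":{"errorCode":0}}
]
'@ | ConvertFrom-Json

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinDistinctUsers  = 5,   # assumption: a spray touches many accounts...
        [int] $MaxFailuresPerUser = 3,  # ...with few attempts each, to stay under lockout
        [int] $WindowMinutes     = 60   # assumption: one spraying round fits in an hour
    )
    $failures = $Events | Where-Object { $_.status.errorCode -ne 0 }
    foreach ($src in ($failures | Group-Object -Property ipAddress)) {
        $perUser = @($src.Group | Group-Object -Property userPrincipalName)
        $times   = @($src.Group | ForEach-Object { [datetime]$_.createdDateTime } | Sort-Object)
        $spanMin = ($times[-1] - $times[0]).TotalMinutes
        $worst   = ($perUser | Measure-Object -Property Count -Maximum).Maximum
        if ($perUser.Count -ge $MinDistinctUsers -and
            $worst -le $MaxFailuresPerUser -and
            $spanMin -le $WindowMinutes) {
            # A later success from the same source is the account to reset first
            $hits = @($Events |
                      Where-Object { $_.ipAddress -eq $src.Name -and $_.status.errorCode -eq 0 } |
                      Select-Object -ExpandProperty userPrincipalName -Unique)
            [pscustomobject]@{
                SourceIp         = $src.Name
                DistinctUsers    = $perUser.Count
                Failures         = $src.Count
                ClientApps       = (@($src.Group.clientAppUsed) | Sort-Object -Unique) -join ', '
                CompromisedUsers = $hits -join ', '
            }
        }
    }
}

Find-PasswordSpray -Events $signIns | Format-Table -AutoSize
```

With these records the single failing user on 198.51.100.7 (a typo, then a success) is ignored, while 203.0.113.10 is reported with six distinct accounts and bob@contoso.com as the hit. Note the client app: "Other clients" marks a legacy authentication protocol (here IMAP), which bypasses MFA entirely, and that is why the checklist below insists on blocking legacy authentication.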
- Require MFA for all cloud admin accounts
- Configure Privileged Identity Management (PIM) for all cloud admin accounts
- Enable “Password Hash Sync” (Azure AD Connect)
- Ensure all apps use Modern Authentication (ADAL) to connect to Microsoft Office 365 services
- Enable user and admin activity logging in Office 365 (UnifiedAuditLogIngestionEnabled)
- Enable mailbox activity auditing on all Office 365 mailboxes
- Conditional access: Block legacy authentication
- Integrate Azure AD logs with your security information and event management (SIEM) or use Azure Log Analytics or Azure Sentinel
- Deploy Azure AD Password Protection (the banned password list) for your on-premises AD
- Enable Azure AD Connect Health for Active Directory Federation Services (ADFS) and turn on ADFS Extranet Smart Lockout
- Ensure all users are registered for multifactor authentication (MFA)
- Enable self-service password reset (SSPR)
- Enable MFA for all users via Conditional Access or risk-based (Identity Protection) policies
- Disable legacy authentication entirely via Conditional Access
- Use FIDO2 security keys for admin accounts
- Follow admin account best practices for cloud admins
- Audit consented permissions for apps and user access to apps
- Review app permissions
- Monitor app registrations
- Review the recommendations in Microsoft Secure Score and implement as many as possible
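Several checklist items can be verified (and some fixed) from PowerShell. The script below is an added example, not from the talk or from Microsoft: it audits the unified audit log, mailbox auditing, Password Hash Sync, MFA registration for admin-role members and tenant-wide app consent grants, then creates the legacy-authentication block as a report-only Conditional Access policy. It assumes an existing Exchange Online PowerShell session plus Connect-MsolService and Connect-AzureAD (the AzureADMS Conditional Access cmdlets shipped in the AzureADPreview module in 2019); the pass/fail rules, the scope regex used to pick out high-impact grants, and the policy display name are my own choices.

```powershell
# Added example, not from the Black Hat talk: audit a tenant against part of the
# checklist. Requires existing Exchange Online, MSOnline and AzureAD sessions.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. User and admin activity logging in Office 365
$ual = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
Add-Finding 'Unified audit log enabled' $ual "UnifiedAuditLogIngestionEnabled = $ual"
# Fix: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# 2. Mailbox auditing: tenant default must not be disabled and no mailbox may opt out
$orgAuditDisabled = (Get-OrganizationConfig).AuditDisabled
$unaudited = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
               Where-Object { -not $_.AuditEnabled })
Add-Finding 'Mailbox auditing' ((-not $orgAuditDisabled) -and $unaudited.Count -eq 0) `
    "Org AuditDisabled = $orgAuditDisabled; mailboxes with AuditEnabled=false: $($unaudited.Count)"
# Fix: $unaudited | Set-Mailbox -AuditEnabled $true

# 3. Password Hash Sync (leaked-credential detection, and sign-in survives an ADFS outage)
$phs = (Get-MsolCompanyInformation).PasswordSynchronizationEnabled
Add-Finding 'Password Hash Sync enabled' $phs "PasswordSynchronizationEnabled = $phs"

# 4. Every user holding an admin role must have at least one MFA method registered
$adminIds = Get-MsolRole |
            ForEach-Object { Get-MsolRoleMember -RoleObjectId $_.ObjectId } |
            Where-Object { $_.RoleMemberType -eq 'User' } |
            Select-Object -ExpandProperty ObjectId -Unique
$noMfa = @(foreach ($id in $adminIds) {
    $u = Get-MsolUser -ObjectId $id
    if ($u.StrongAuthenticationMethods.Count -eq 0) { $u.UserPrincipalName }
})
Add-Finding 'Admins registered for MFA' ($noMfa.Count -eq 0) ('Admins without MFA: ' + ($noMfa -join ', '))

# 5. Tenant-wide (admin-consented) delegated grants: list high-impact scopes for review.
#    The regex is an assumption; a "Pass" here still needs a human to review the rest.
$tenantGrants = @(Get-AzureADOAuth2PermissionGrant -All $true |
                  Where-Object { $_.ConsentType -eq 'AllPrincipals' })
$highImpact = @($tenantGrants |
    Where-Object { $_.Scope -match 'Mail\.|Directory\.|Files\.ReadWrite\.All' } |
    ForEach-Object {
        $sp = Get-AzureADServicePrincipal -ObjectId $_.ClientId
        "$($sp.DisplayName): $($_.Scope.Trim())"
    })
Add-Finding 'Tenant-wide app consent reviewed' ($highImpact.Count -eq 0) ($highImpact -join '; ')

$findings | Format-Table -AutoSize

# 6. Block legacy authentication for everyone. Created in report-only mode first so
#    the sign-in logs show what would be blocked before the policy is enforced.
$conditions = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = 'All'
$conditions.Users = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = 'All'
$conditions.ClientAppTypes = @('exchangeActiveSync', 'other')   # the legacy protocols only
$grant = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$grant._Operator = 'OR'
$grant.BuiltInControls = @('block')
New-AzureADMSConditionalAccessPolicy -DisplayName 'Block legacy authentication (report-only)' `
    -State 'enabledForReportingButNotEnforced' -Conditions $conditions -GrantControls $grant
```

Before switching the policy's state to "enabled", add your break-glass admin accounts to the policy's ExcludeUsers and confirm from the report-only sign-in data that no service account still depends on IMAP, POP, SMTP AUTH or ActiveSync basic authentication; once enforced, the only remaining path for a sprayed password is one that MFA covers.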
If you are already using or plan to use Microsoft Office 365 or Microsoft Azure, consider using this checklist as part of your Microsoft cloud security plan for protecting your services and resources.