Council Post: Get Control Of Permissions To Limit The Blast Radius Of A Cyberattack

Raj Mallempati is COO at CloudKnox Security, responsible for CloudKnox’s overall business and go-to-market strategies.

The fallout from the SolarWinds supply-chain cyberattack affecting U.S. government agencies and a slew of corporations won’t be fully known for some time, as agencies and businesses work to determine the extent of the damage done. But enterprises can do something now to shore up their defenses against similar widespread attacks by taking a hard look at improving identity management and their control over permissions. Getting command over an enterprise’s identities might not prevent an attack, but it can limit the blast radius in Azure Active Directory and the cloud when an attack does hit, while also reducing risk and laying the groundwork for a zero-trust architecture.

The attack, widely attributed (subscription required) to Russia’s SVR intelligence agency and its APT29 hacker group, dubbed Cozy Bear, was carried out through a compromise of SolarWinds, among others; SolarWinds supplies IT management software to thousands of government agencies and private companies. Hackers stealthily broke into SolarWinds’ systems and implanted malware that, beginning around March of 2020, made its way into customers’ Microsoft systems via malicious dynamic link library (DLL) files in SolarWinds’ software updates, creating back doors attackers could use to enter the customers’ IT systems.

The attack compromised federal agencies, including the Department of Homeland Security, the Commerce Department’s National Telecommunications and Information Administration (NTIA) and the Treasury Department, where the attackers gained access to email accounts of top officials. Major IT corporations, including Microsoft, Cisco and VMware, were also hit, as were a number of state and local government agencies and companies managing critical infrastructure in the electric, oil and manufacturing industries. Assessing the full impact is complicated by the fact that the clandestine attack, carried out largely by manual execution, went unnoticed for months until security company FireEye discovered in early December 2019 that it was infected by the malware.

The attack spread through the use of compromised credentials, underscoring why identity management can play a part in defending against future such attacks.

In an analysis of the attack, Microsoft outlined two methods through which systems can be compromised — one through Security Assertion Markup Language (SAML) tokens and the other through compromised service account credentials. In the case of NTIA, for example, the attackers reportedly were able to trick the authentication controls in Microsoft Office, allowing them to monitor internal email traffic for months and gain user permissions.

The malicious code that hackers inserted in the SolarWinds Orion infrastructure monitoring and management software gave them a foot in the door of the network, which they could use to gain elevated permissions. “Once in the network, the intruder then uses the administrative permissions acquired through the on-premises compromise to gain access to the organization’s global administrator account and/or trusted SAML token signing certificate,” Microsoft’s analysis said. Using the signing certificate, the attackers can then forge SAML tokens, impersonating even highly privileged users, and gain access to any on-premises resource or cloud environment.

With access to a global administrator or other highly privileged accounts, an attacker could then add their own credentials to existing applications, allowing them to call application programming interfaces (APIs) with the permission for that application.

Other affected companies, security firms and organizations, such as the Cybersecurity and Infrastructure Security Agency (CISA), have also released analyses and suggested countermeasures enterprises can take in the wake of the attack. Updating antivirus and endpoint detection and response (EDR) capabilities, securing SAML token signing keys and strengthening passwords are all important steps to take. Based on my work in the cybersecurity industry, here are a few additional detection and countermeasure recommendations.

Visibility Is Key To Managing Identities

Looking for behavioral anomalies in Microsoft Azure Active Directory (AD) logs can help detect signs of intrusion. Microsoft Graph, a unified API endpoint that hosts the Azure AD Identity Protection APIs, and Azure Active Directory Graph can also be used to identify behavioral changes in the cloud. As long as your organization has established a baseline of typical behaviors, deviations from that baseline, such as a spike in permissions used by an account that hasn’t used them before, are good clues that something is amiss.
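The baseline-and-deviation idea above, as an added example that is not from the article or from Microsoft: the records, identity names, operation names and window lengths are all constructed assumptions, standing in for whatever your Azure AD audit or sign-in export actually contains.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit-style records: (timestamp, identity, operation). The
# identities and operation names are assumptions, not the real Azure AD schema.
SAMPLE_EVENTS = (
    [(f"2020-11-{d:02d}T09:00:00Z", "alice", "UserSignIn") for d in (2, 6, 10, 14, 18, 22)]
    + [(f"2020-12-{d:02d}T09:00:00Z", "alice", "UserSignIn") for d in (1, 4)]
    + [(f"2020-11-{d:02d}T03:00:00Z", "svc-orion", "Read.Directory") for d in (3, 13, 23)]
    + [("2020-12-02T03:00:00Z", "svc-orion", "Read.Directory"),
       ("2020-12-05T03:10:00Z", "svc-orion", "AddMemberToRole")]  # never seen in baseline
    + [(f"2020-11-{d:02d}T11:00:00Z", "bob", "Read.Mail") for d in (5, 20)]
    + [(f"2020-12-{d:02d}T11:00:00Z", "bob", "Read.Mail") for d in (1, 2, 3, 4, 5, 6)]
)
BASELINE_START = datetime(2020, 11, 1)  # 30-day baseline window
BASELINE_END = datetime(2020, 12, 1)    # review window starts here
REVIEW_END = datetime(2020, 12, 8)      # 7-day review window


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def count_ops(events, start, end):
    """identity -> operation -> count, for events with start <= ts < end."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, identity, op in events:
        if start <= parse_ts(ts) < end:
            counts[identity][op] += 1
    return counts


def find_deviations(events, baseline_start, baseline_end, review_end, spike_factor=3.0):
    """Return sorted (identity, operation, reason) tuples.

    'new-operation': the identity never performed that operation in the baseline.
    'rate-spike': its per-day rate in the review window exceeds spike_factor times
    its baseline per-day rate (rates, because the two windows differ in length).
    """
    base = count_ops(events, baseline_start, baseline_end)
    review = count_ops(events, baseline_end, review_end)
    base_days = (baseline_end - baseline_start).days
    review_days = (review_end - baseline_end).days
    findings = []
    for identity, ops in review.items():
        for op, n in ops.items():
            base_n = base.get(identity, {}).get(op, 0)
            if base_n == 0:
                findings.append((identity, op, "new-operation"))
            elif n / review_days > spike_factor * base_n / base_days:
                findings.append((identity, op, "rate-spike"))
    return sorted(findings)
```

On the constructed data the service account's first-ever role assignment and bob's mailbox-read burst are flagged, while alice's steady sign-ins are not.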

Organizations that have not encountered any indicators of compromise (IoC) so far should nevertheless take this opportunity to strengthen their cloud permissions. You can start by gaining complete visibility into human and nonhuman identities, particularly the service accounts designated for both internal and external applications, covering all the entitlements provisioned and identifying which are actually being used. This is a critical step that will allow your organization to provision only the permissions it needs, which can minimize the blast radius of an attack. As part of the process of getting visibility into your systems, you can:

• Identify and remove unnecessary high-risk permissions assigned to users and service accounts.

• Remove low-hanging fruit such as inactive identities and stale, unused resources resulting from employee turnover, migrations to new applications and other changes.

• Set least privilege policies based on usage in order to trim down the number of unused permissions across your entitlements base. And, as Microsoft suggests, leverage just-in-time virtual machine access or privileged access management to assign right-sized temporary or permanent permissions.

• Control access to PowerShell, which Office 365 and Exchange Online users typically have by default. PowerShell automates tasks via a command-line shell, so it’s a good idea to remove that default access and reserve it for administrators only.
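The right-sizing steps in the list above, turned into an added example that is not from the article or from any vendor tool: given a map of what each identity is provisioned and what it was actually observed using, derive the unused permissions to remove (high-risk ones first) and the inactive identities to retire. The identities, permission names and the 90-day window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed inputs; permission names are illustrative, not real Azure AD roles.
HIGH_RISK = {"RoleManagement.ReadWrite", "Application.ReadWrite.All", "KeyVault.Write"}
PROVISIONED = {  # identity -> permissions currently granted
    "alice": {"Mail.Read", "Files.Read", "RoleManagement.ReadWrite"},
    "svc-backup": {"Files.Read", "KeyVault.Write"},
    "svc-legacy": {"Application.ReadWrite.All", "Mail.Read"},  # left over from a migration
}
USAGE = [  # (timestamp, identity, permission) as observed in audit data
    ("2020-12-01T08:00:00Z", "alice", "Mail.Read"),
    ("2020-12-03T08:00:00Z", "alice", "Files.Read"),
    ("2020-12-02T01:00:00Z", "svc-backup", "Files.Read"),
    ("2020-12-02T01:05:00Z", "svc-backup", "KeyVault.Write"),
    ("2020-08-15T01:00:00Z", "svc-legacy", "Mail.Read"),  # last activity months ago
]
NOW = datetime(2020, 12, 7)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def right_size(provisioned, usage, now, lookback_days=90):
    """Return per-identity findings derived from usage inside the lookback window.

    status: 'inactive' if the identity used nothing in the window (candidate for
    removal), else 'active'. remove: granted-but-unused permissions, high-risk
    first. keep: granted permissions that were actually used.
    """
    cutoff = now - timedelta(days=lookback_days)
    used = {ident: set() for ident in provisioned}
    for ts, ident, perm in usage:
        if ident in used and parse_ts(ts) >= cutoff:
            used[ident].add(perm)
    findings = {}
    for ident, granted in provisioned.items():
        findings[ident] = {
            "status": "active" if used[ident] else "inactive",
            "remove": sorted(granted - used[ident], key=lambda p: (p not in HIGH_RISK, p)),
            "keep": sorted(granted & used[ident]),
        }
    return findings


def high_risk_removals(findings):
    """Flatten to (identity, permission) pairs for unused high-risk grants, for triage."""
    return sorted((i, p) for i, f in findings.items() for p in f["remove"] if p in HIGH_RISK)
```

The output is a review list, not an automatic change: a permission that is unused for 90 days may still be needed for a quarterly job, so confirm with the owner before revoking.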

Following these suggestions should limit your Azure AD and cloud blast radius while better positioning your organization for implementing a defense-in-depth strategy for permissions. It’s also an essential component of moving toward a zero-trust strategy for identity and access management, something organizations in both the public and private sectors are making a priority for securing systems in an increasingly mobile and cloud-based computing environment. You can’t have zero trust unless you’re actively managing permissions. Failure to take those precautions will expose an organization’s infrastructure to massive risks. 

