Agenda - SANS Institute
TRANSCRIPT
Agenda
Password Spray
One Friday afternoon
Colleague
Account Executive
Customer
Sunday
Customer
Password Spray
Newyear2020!
(slide: the same password, tried once against each of many accounts)
730,000+ compromised accounts due to password spray (last 4 months)
~100% of password spray attacks come from legacy protocols
Let’s agree on terminology
Basic Authentication
Legacy Authentication
Modern Authentication
Legacy Authentication, examples…
Mail clients that use Legacy Auth
Office 2010 and older
Office 2013 by default (can use Modern Auth with reg key)
Clients using older mail protocols
• POP, IMAP, SMTP, etc.
• Most mobile mail apps
Agenda
Finding Legacy Authentication
Finding Legacy Authentication In Azure AD
Finding Password Spray due to Legacy Authentication in ADFS
ADFS Audit 411 (AD FS 2012 R2: "Token validation failed"; the event message carries the client IP and the attempted user name). These audits are only written when AD FS success/failure auditing is turned on.
Parsing script: https://gallery.technet.microsoft.com/scriptcenter/ADFS-Account-Lockout-and-2d9a9a90
For AD FS 2016+, Audit 1203 ("Fresh credential validation error")
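An added example of what the parsing step looks like in practice (this is not the gallery script from the slide, nor code from the deck): pull the AD FS bad-credential audits and surface the spray signature, which is one client IP failing against many distinct users with about one attempt each. Everything about the event layout is an assumption: that auditing is enabled on the AD FS server, and that the 411 and 1203 messages carry a "Client IP:" field and the user name in the forms the regexes below match. The sample messages are constructed for offline testing, not real events.

```powershell
# Added example (not from the deck): find the password-spray signature in AD FS audit events.
# Assumptions, labelled as such: AD FS auditing is enabled; event 411 (AD FS 2012 R2) and 1203
# (AD FS 2016+) messages contain a "Client IP:" field and the attempted user name in the layouts
# matched below. Adjust the regexes if your events differ.

function Get-AdfsBadCredMessages {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'AD FS Auditing'
        Id           = 411, 1203
        StartTime    = $Since
    } | ForEach-Object Message
}

function ConvertFrom-AdfsAuditMessage {
    # Extract client IP and user name from the free-text message body.
    param([Parameter(ValueFromPipeline)][string]$Message)
    process {
        $ip = if ($Message -match 'Client IP:\s*(\S+)') { $Matches[1] } else { $null }
        $user = $null
        # 411 layout (assumed): "Error message: user@contoso.com-The user name or password is incorrect"
        # 1203 layout (assumed): a separate "UserId:" field
        if ($Message -match 'Error message:\s*(\S+?)-[A-Z]') { $user = $Matches[1] }
        elseif ($Message -match 'UserId:\s*(\S+)') { $user = $Matches[1] }
        if ($ip -and $user) {
            [pscustomobject]@{ ClientIp = $ip; User = $user.ToLowerInvariant() }
        }
    }
}

function Find-PasswordSpray {
    # Group failures by source IP. Spray = many distinct users, close to one failure per user.
    # A forgotten password or a stale cached credential is the opposite: one user, many failures.
    param(
        [Parameter(ValueFromPipeline)]$Failure,
        [int]$MinDistinctUsers = 10
    )
    begin { $rows = [System.Collections.Generic.List[object]]::new() }
    process { $rows.Add($Failure) }
    end {
        $rows | Group-Object ClientIp | ForEach-Object {
            $users = @($_.Group.User | Sort-Object -Unique)
            [pscustomobject]@{
                ClientIp        = $_.Name
                Failures        = $_.Count
                DistinctUsers   = $users.Count
                FailuresPerUser = [math]::Round($_.Count / $users.Count, 2)
                SampleUsers     = ($users | Select-Object -First 5) -join ','
            }
        } | Where-Object DistinctUsers -ge $MinDistinctUsers |
            Sort-Object DistinctUsers -Descending
    }
}

# Constructed sample messages (not real events) showing both patterns offline.
$sample = @(
    'Token validation failed. Client IP: 203.0.113.10 Error message: alice@contoso.com-The user name or password is incorrect',
    'Token validation failed. Client IP: 203.0.113.10 Error message: bob@contoso.com-The user name or password is incorrect',
    'Token validation failed. Client IP: 203.0.113.10 Error message: carol@contoso.com-The user name or password is incorrect',
    'Token validation failed. Client IP: 203.0.113.10 Error message: dave@contoso.com-The user name or password is incorrect',
    'Fresh credential validation error. Client IP: 198.51.100.7 UserId: erin@contoso.com',
    'Fresh credential validation error. Client IP: 198.51.100.7 UserId: erin@contoso.com',
    'Fresh credential validation error. Client IP: 198.51.100.7 UserId: erin@contoso.com'
)
# 203.0.113.10 is reported (4 users, 1 failure each); 198.51.100.7 is not (1 user, 3 failures).
$sample | ConvertFrom-AdfsAuditMessage | Find-PasswordSpray -MinDistinctUsers 3 | Format-Table -AutoSize

# Against a live AD FS server:
# Get-AdfsBadCredMessages -Since (Get-Date).AddDays(-1) | ConvertFrom-AdfsAuditMessage | Find-PasswordSpray
```

Keying on distinct users per IP rather than raw failure counts is what separates a spray from a lockout storm caused by one stale credential; lower `-MinDistinctUsers` for small tenants, and remember that behind a Web Application Proxy the IP you see depends on how your proxy forwards the client address.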
Azure AD Connect Health Risky IP Report
Azure AD + Azure Monitor = three export destinations for the sign-in and audit logs:
• Storage account: storing massive amounts of unstructured data (Store / Pull, JSON)
• Event Hub: big data streaming platform and event ingestion service (Push to SIEM)
• Log Analytics: collects telemetry to retrieve and analyze data (Analyze)
Azure AD + Azure Monitor = Azure Sentinel
Azure AD Logs into SIEM
• Pull from Azure AD Graph API
• Azure Event Hub: pre-built integration into Azure Monitor, will PUSH events to SIEM
  • Splunk (aka.ms/aad2splunk)
  • Sumo Logic (aka.ms/aad2sumo)
  • IBM QRadar (aka.ms/aad2QRadar)
  • ArcSight (aka.ms/aad2Archsight)
  • Syslog (aka.ms/aad2Syslog)
• Azure Log Analytics or Azure Sentinel
  • https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory
Azure Log Analytics Workbooks
Legacy Auth
Azure Log Analytics Workbooks – Edit Mode
Azure Sentinel Workbooks
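The workbooks above answer "who is still using legacy auth" inside Log Analytics. As an added example, not from the deck, the same question asked directly of the Azure AD sign-in log with Microsoft Graph PowerShell (the supported successor to the Azure AD Graph API "pull" option). Assumptions: the Microsoft.Graph.Reports module is installed, the caller holds AuditLog.Read.All and Directory.Read.All, and the tenant has Azure AD P1/P2, which sign-in log access requires.

```powershell
# Added example (not from the deck): list and summarise legacy-authentication sign-ins from the
# Azure AD sign-in log via Microsoft Graph PowerShell.
# Assumptions, labelled as such: Microsoft.Graph.Reports installed; caller has AuditLog.Read.All and
# Directory.Read.All; tenant licensed for sign-in log access (Azure AD P1/P2).
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# Client app names Azure AD reports for legacy (basic) authentication.
$LegacyClientApps = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync', 'Exchange ActiveSync (unsupported)',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4', 'MAPI Over HTTP',
    'Offline Address Book', 'Other clients', 'Outlook Anywhere (RPC over HTTP)', 'POP3',
    'Reporting Web Services'
)

function Get-LegacyAuthSignIns {
    param([int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    # The time window is filtered server-side; the client app is matched locally against the list
    # above so the result does not depend on which properties the service accepts in $filter.
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
        Where-Object { $_.ClientAppUsed -in $LegacyClientApps }
}

function Measure-LegacyAuth {
    # One row per (protocol, user): who still depends on legacy auth, and who is being sprayed through it.
    param([Parameter(ValueFromPipeline)]$SignIn)
    begin { $rows = [System.Collections.Generic.List[object]]::new() }
    process { $rows.Add($SignIn) }
    end {
        $rows | Group-Object ClientAppUsed, UserPrincipalName | ForEach-Object {
            $ok = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            [pscustomobject]@{
                ClientApp = $_.Group[0].ClientAppUsed
                User      = $_.Group[0].UserPrincipalName
                Attempts  = $_.Count
                Succeeded = $ok
                Failed    = $_.Count - $ok
                SourceIPs = @($_.Group.IpAddress | Sort-Object -Unique).Count
            }
        }
    }
}

$report = Get-LegacyAuthSignIns -Days 7 | Measure-LegacyAuth

# Successful legacy sign-ins are the dependencies to migrate or ring-fence before you block.
$report | Where-Object Succeeded -gt 0 | Sort-Object Succeeded -Descending | Format-Table -AutoSize

# Many failures from many source IPs against one protocol is the spray traffic you are absorbing today.
$report | Where-Object Failed -gt 0 | Sort-Object Failed -Descending | Format-Table -AutoSize
```

Pulling a full week of sign-ins with `-All` is slow in a large tenant; for routine use, the Azure Monitor export to Log Analytics described above is the right place to run this, and the PowerShell version is for a one-off inventory or a tenant without a workspace.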
Agenda
Blocking Legacy Authentication
Diagram: where legacy authentication can be stopped (labels recovered from the slide)
• Client Network: Legacy Authentication Client, sending username/password (U/P), App Cache
• Microsoft Cloud Services: Office 365 / Exchange Online; Azure Active Directory (Core Store, Authentication Services, Conditional Access Engine, Conditional Access Policies, Identity Protection, Role Based Access Control)
• On-premises: IDP (AD FS), DC
• Key: Authentication flows, Authorisation flows, App-Specific traffic
Stop! Controls available at each hop:
• Exchange Online: Mailbox Auth Lockdown, Authentication Policies, Client IP Block
• Azure AD: Conditional Access Policies
• AD FS: Extranet Soft Lockout, Extranet Smart Lockout, AD FS AuthZ rules
Blocking Legacy Auth in Exchange
https://docs.microsoft.com/en-us/powershell/module/exchange/client-access/set-casmailbox?view=exchange-ps
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online
https://docs.microsoft.com/en-us/powershell/module/exchange/organization/set-organizationconfig?view=exchange-ps
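An added example, not from the deck, of the three linked cmdlets used together: an Exchange Online authentication policy that blocks Basic auth tenant-wide, a ring-fenced exception for the one protocol a service account still needs, and per-mailbox protocol switches as a backstop. Assumptions: the ExchangeOnlineManagement module is installed, the caller is an Exchange administrator, and the policy names and `svc-scanner@contoso.com` are placeholders.

```powershell
# Added example (not from the deck): block Basic authentication in Exchange Online with
# authentication policies, Set-OrganizationConfig and Set-CASMailbox.
# Assumptions, labelled as such: ExchangeOnlineManagement module installed; caller is an Exchange
# administrator; policy names and 'svc-scanner@contoso.com' are placeholders.
Connect-ExchangeOnline

# 1. A new authentication policy with no -AllowBasicAuth* switches blocks Basic auth for every protocol.
New-AuthenticationPolicy -Name 'Block Basic Auth'

# 2. Ring-fence the exceptions: a second policy that re-enables Basic auth for one protocol only,
#    to be assigned solely to the service accounts that still need it.
New-AuthenticationPolicy -Name 'Allow Basic SMTP only' -AllowBasicAuthSmtp

# 3. Make the blocking policy the tenant default; any user without an explicit policy inherits it.
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'

# 4. Pin the exception to the service account. Resetting STSRefreshTokensValidFrom makes the policy
#    take effect at the next token refresh instead of waiting for existing tokens to expire.
Set-User -Identity 'svc-scanner@contoso.com' -AuthenticationPolicy 'Allow Basic SMTP only' `
         -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# 5. Also switch off the protocols nobody needs, per mailbox and org-wide, so a later policy change
#    cannot silently re-expose them.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# The per-mailbox setting overrides the org-wide one, so re-open SMTP AUTH for the exception only.
Set-CASMailbox -Identity 'svc-scanner@contoso.com' -SmtpClientAuthenticationDisabled $false

# 6. Verify what is in force and who holds an exception.
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*
Get-User -ResultSize Unlimited |
    Where-Object AuthenticationPolicy |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

The ordering matters: create and assign the exception policy before the default flips, otherwise the service account is cut off between steps 3 and 4. Run the Azure AD sign-in inventory first so you know which accounts belong in the exception list at all.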
ADFS Extranet and Smart Lockout
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection
Blocking Authorisation in ADFS / Federation Provider
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-w2k12
Blocking Legacy Authentication in Azure AD
• Block today with Conditional Access
• Only Service Accounts / apps should remain
• Ring-fence and protect
• Report Only mode
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-report-only
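The four bullets above as one procedure, written as an added example with Microsoft Graph PowerShell (not code from the deck): create the Conditional Access policy that blocks legacy-authentication clients in report-only mode, exclude a ring-fenced group of service accounts, then read back which sign-ins the policy would have blocked before enforcing it. Assumptions: the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules are installed, the caller holds Policy.ReadWrite.ConditionalAccess, Application.Read.All and AuditLog.Read.All, and the group ID is a placeholder.

```powershell
# Added example (not from the deck): Conditional Access policy blocking legacy authentication,
# created in report-only mode, with a read-back of what it would have blocked.
# Assumptions, labelled as such: Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports installed;
# caller has Policy.ReadWrite.ConditionalAccess, Application.Read.All, AuditLog.Read.All;
# $ServiceAccountGroupId is a placeholder for the group that ring-fences the remaining exceptions.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'AuditLog.Read.All'

$ServiceAccountGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder

$policy = @{
    displayName   = 'Block legacy authentication'
    # Report-only: decisions are evaluated and written to the sign-in log but not enforced.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        # Azure AD classes all legacy (basic) auth as either Exchange ActiveSync or "other clients".
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($ServiceAccountGroupId)   # ring-fenced exceptions only
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

function Get-ReportOnlyBlocks {
    # Sign-ins the policy would have denied: result 'reportOnlyFailure' means "would have been blocked".
    param([Parameter(Mandatory)][string]$PolicyId, [int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
        Where-Object {
            $_.AppliedConditionalAccessPolicies |
                Where-Object { $_.Id -eq $PolicyId -and $_.Result -eq 'reportOnlyFailure' }
        } |
        Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed, IpAddress, AppDisplayName
}

# Anything listed here that is legitimate belongs in the excluded group, not in a wider exception.
Get-ReportOnlyBlocks -PolicyId $created.Id -Days 7 | Format-Table -AutoSize

# Once the list is empty or fully accounted for, enforce:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Leave the policy in report-only for a full business cycle (month-end jobs, quarterly scanners) before flipping the state; the excluded group itself should get MFA or a narrow location condition of its own, since it is now the only place legacy auth still works.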
Agenda
Go Do’s!
Go Dos!
Enable MFA / Go Passwordless / Device Trust
Enable mailbox auditing: https://docs.microsoft.com/en-us/office365/securitycompliance/enable-mailbox-auditing
Smart Lockout: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection
Discovering and blocking legacy authentication: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-mailbag-discovering-and-blocking-legacy-authentication/ba-p/369725
Go Dos!
Ask for forgiveness, not permission
https://aka.ms/passwordguidance
Deploy Azure AD Password Protection to on-premises AD: https://aka.ms/deploypasswordprotection
Five steps to securing your identity infrastructure: https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity
Bonus Content: I’ve been Legacy Auth’ed! Help me!
https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance
https://blogs.technet.microsoft.com/office365security/finding-illicit-activity-the-old-fashioned-way/
Best practices for defending against password spray attacks
https://www.microsoft.com/en-us/microsoft-365/blog/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/