2023 identity security trends and solutions from Microsoft | SUPERHUB


Welcome to 2023! I wanted to kick this year off by taking a quick look at the trends in identity security, what you can do about them, and what Microsoft is doing to help you. One of the things we talk about on the team is “shiny object syndrome”: there are a ton of innovative and scary attacks and research out there, and each new one tends to pull us into a “but what about…” conversation about how we will handle the latest headline grabber. That whipsaws teams and stalls the defense projects already under way, leaving us exposed to old attacks and new ones alike.

Attackers will innovate, and our response in the defender community needs to be thoughtful and strategic. But we don’t need to panic. Take ransomware as an example. These attacks are scary and grab headlines because of crippling work stoppages or huge ransoms. But recent studies by Expert Insights confirm what we’ve known for ages: more often than not, attacks like ransomware are the second stage, preceded by an identity compromise. In fact, if you read all the attention-grabbing headlines, you’ll find that most novel techniques rely on compromising identity first. This shows the importance of getting our identity basics right and keeping our eyes on the ball.

Pamela Dingle gave a keynote at Authenticate 2022 in which she discussed identity attacks in terms of waves (and has recapped it on LinkedIn; if you haven’t read it, you should). She was kind enough to let me weigh in, and I’m going to borrow the paradigm to frame our guidance. In her talk, Pam likened escalating identity attacks to the threats met on a voyage. These threats decrease in volume as they increase in sophistication and novelty, and the sections below take them in that order.

This is an awesome frame for thinking through the attacks, so we’ll use it here to complement her blog with concrete features and guidance. I am adding one more threat to her framework—the critical importance of posture agility that helps us deal with the next “rogue wave.” Hopefully, this framing will help you build out a strategic approach that addresses the critical issues you are facing now, help you invest thoughtfully for emerging threats, and set you up for defensive agility in the year ahead. Let’s dive in.

 

Password attacks

Simple password attacks are pervasive. They are the water we swim in. I detail these extensively in “Your Password Doesn’t Matter.” The dominant three attacks are:

·  Password spray: Guessing common passwords against many accounts.
·  Phishing: Convincing someone to type in their credentials at a fake website or in response to a text or email.
·  Breach replay: Relying on pervasive password reuse to take passwords compromised on one site and try them against others.

These attacks are effectively free to execute on a massive scale. As a result, Microsoft deflects more than 1,000 password attacks per second in our systems, and more than 99.9 percent of accounts that are compromised don’t have multifactor authentication enabled. Multifactor authentication is one of the most basic defenses against identity attacks today. Yet despite relentlessly advocating multifactor authentication usage for the past six years, including it in every flavor of Microsoft Azure Active Directory (Azure AD), and innovating in mechanisms from Microsoft Authenticator to FIDO, only 28 percent of users last month had any multifactor authentication session. With coverage that low, attackers simply keep raising their attack rate until they get what they want. The adoption rate illustrates a critical issue I will return to later in this blog: in most organizations, budgets and resources are tight, security staff is overwhelmed, and shiny object syndrome pulls us in many directions, preventing the closure of issues.
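To make the first of these attacks concrete, here is an added example (not code from the original post or from Microsoft) of the classic password-spray signature, many accounts and only a few attempts per account from one source inside a short window, applied to a handful of constructed sign-in events. The record fields, the source addresses and the thresholds are assumptions of this example, not a real Azure AD sign-in log schema.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data). The field names are a
# simplified stand-in for a sign-in log and are an assumption of this example.
SAMPLE_EVENTS = [
    # One source tries a single common password against twelve different accounts.
    {"ts": f"2023-01-09T08:00:{i:02d}Z", "user": f"user{i}@contoso.example",
     "ip": "203.0.113.7", "result": "invalid_password"}
    for i in range(12)
] + [
    # A real user mistypes a password twice and then succeeds: not a spray.
    {"ts": "2023-01-09T08:00:30Z", "user": "alice@contoso.example",
     "ip": "198.51.100.4", "result": "invalid_password"},
    {"ts": "2023-01-09T08:00:45Z", "user": "alice@contoso.example",
     "ip": "198.51.100.4", "result": "invalid_password"},
    {"ts": "2023-01-09T08:01:00Z", "user": "alice@contoso.example",
     "ip": "198.51.100.4", "result": "success"},
]


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=8, max_attempts_per_user=2):
    """Return {source_ip: sorted list of targeted users} for every source that,
    inside one sliding time window, fails against at least `min_users` distinct
    accounts while never trying any single account more than
    `max_attempts_per_user` times. That low-and-wide shape is what separates a
    spray from a brute force against one account or from a user's own typos.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] != "success":
            failures[e["ip"]].append(e)

    alerts = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: _parse_ts(e["ts"]))
        best = None
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span fits inside `window`.
            while _parse_ts(fails[end]["ts"]) - _parse_ts(fails[start]["ts"]) > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_attempts_per_user
                    and (best is None or len(per_user) > len(best))):
                # Keep the widest qualifying window so the alert lists every target.
                best = sorted(per_user)
        if best:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, users in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"password spray from {ip}: {len(users)} accounts targeted")
```

The thresholds are the part to tune: a spray from a large proxy pool shows up as many sources each touching a few accounts, so in production you would also key on the failure reason and on the ASN or the user agent, not just the source address.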

Driving more multifactor authentication usage is the most important thing we can do for the ecosystem, and if you aren’t yet requiring multifactor authentication for all users, enable it. Old-fashioned, bolt-on multifactor authentication was clunky, requiring copying codes from phone to computer and getting multiple prompts. Modern multifactor authentication using apps, tokens, or the device itself is very low friction or even invisible to the users. Old-fashioned multifactor authentication had to be bought and deployed separately and at additional cost. Modern multifactor authentication is included in all SKUs, deeply integrated into Azure AD, and requires no additional management.

Our strong position is that all user sessions should be multifactor authentication protected, and we are doing all we can to get there. This is why all new tenants created since 2019 have multifactor authentication enabled by default, and why we are now turning on multifactor authentication on behalf of tenants who have not demonstrated interest in their security settings.

 

Multifactor authentication attacks

If you have enabled multifactor authentication, you can pat yourself on the back and be happy that you’ve effectively deflected the dominant identity attacks. While still far less than the 100 percent we are striving for, the 28 percent of users who are now protected with multifactor authentication include some who are targets for attackers. To get to these targets, attackers have to attack multifactor authentication itself. Examples here include:

·  SIM-jacking and other telephony vulnerability attacks, in which the attacker takes over the phone number that receives SMS or voice codes (why we’re asking you to hang up on telephony multifactor authentication).
·  Multifactor authentication hammering or griefing attacks (also called MFA fatigue or push bombing), in which an attacker who already holds the password floods the user with approval prompts until one is accepted. This is why we’re asking you to move away from simple approvals.
·  Adversary-in-the-middle attacks, which proxy the real sign-in page so that the user performs the multifactor authentication interaction for the attacker, who then captures the resulting session. This is why phishing-resistant authentication is critical, especially for key assets.

Note these attacks require more effort and attacker investment, and as a result are detected in the tens of thousands per month—not thousands per second. But all the attacks mentioned are on the rise, and we expect to see that continue as basic multifactor authentication coverage increases.

To defeat these attacks, it is critical not just to use multifactor authentication, but to use the right multifactor authentication. We recommend Authenticator, Windows Hello, and FIDO. For organizations with existing personal identity verification card and common access card (PIV and CAC) infrastructure, certificate-based authentication (CBA) is a good phishing-resistant (and executive order-compliant) solution. Bonus: All of these methods are considerably easier to use than passwords or telephony-based multifactor authentication.

 

Post-authentication attacks

Determined attackers are using malware to steal tokens from devices. A valid user performs valid multifactor authentication on a valid machine, and a credential stealer on that machine then lifts the resulting cookies and tokens so they can be replayed from elsewhere, with the multifactor authentication claim already inside them. This method is on the rise and has been used in recent high-profile attacks. Tokens can also be stolen if they are incorrectly logged or intercepted by compromised routing infrastructure, but the most common mechanism by far is malware on a machine. If a user is running as admin on a machine, they are just one click away from token theft. Core Zero Trust principles like running effective endpoint protection, managing devices, and, critically, using least privileged access (meaning, run as a user, not an admin, on your machines) are great defenses. Pay attention to signals that indicate that token theft is occurring, such as a session that was authenticated on one device showing up from another, and require re-authentication for critical scenarios like machine enrollment.
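That signal can be checked mechanically. The following is an added example, not code from the original post or from Microsoft, that walks a few constructed sign-in records grouped by session identifier and flags any session whose token surfaces on a device other than the one where the user completed interactive multifactor authentication, while leaving alone a user who merely changes networks on the same device. The field names, including the `mfa` marker that distinguishes an interactive prompt from an MFA claim carried in a replayed token, are assumptions of this example rather than a real sign-in log schema.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real log data). Each record carries the
# session identifier the issued tokens are tied to; the field names and the
# "mfa" values are an assumption of this example, not a real log schema.
SAMPLE_SIGNINS = [
    # Bob does interactive MFA on his managed laptop, then reuses the session there.
    {"ts": "2023-01-09T09:00:00Z", "user": "bob@contoso.example", "session": "s-7f3a",
     "ip": "198.51.100.20", "device": "dev-bob-laptop", "mfa": "interactive"},
    {"ts": "2023-01-09T09:30:00Z", "user": "bob@contoso.example", "session": "s-7f3a",
     "ip": "198.51.100.20", "device": "dev-bob-laptop", "mfa": "claim_in_token"},
    # Twenty minutes later the same session surfaces from an unregistered host on
    # another network, MFA satisfied only by the claim inside the stolen token.
    {"ts": "2023-01-09T09:50:00Z", "user": "bob@contoso.example", "session": "s-7f3a",
     "ip": "203.0.113.9", "device": "", "mfa": "claim_in_token"},
    # Carol moves from a coffee shop to the office but stays on the same device:
    # an IP change alone is normal roaming, not theft.
    {"ts": "2023-01-09T08:10:00Z", "user": "carol@contoso.example", "session": "s-2b90",
     "ip": "192.0.2.77", "device": "dev-carol-laptop", "mfa": "interactive"},
    {"ts": "2023-01-09T09:05:00Z", "user": "carol@contoso.example", "session": "s-2b90",
     "ip": "198.51.100.21", "device": "dev-carol-laptop", "mfa": "claim_in_token"},
    # A session for which no interactive MFA was ever observed: the token was
    # minted somewhere this log never saw.
    {"ts": "2023-01-09T11:00:00Z", "user": "dave@contoso.example", "session": "s-1c22",
     "ip": "203.0.113.40", "device": "", "mfa": "claim_in_token"},
]


def detect_token_replay(events):
    """Return {session_id: (user, suspicious_ip, reason)} for sessions whose
    tokens are used from a device other than the one that completed interactive
    MFA, or for which no interactive MFA was ever observed in the session."""
    sessions = defaultdict(list)
    for e in events:
        sessions[e["session"]].append(e)

    flagged = {}
    for sid, evs in sessions.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 UTC strings sort chronologically
        anchor = next((e for e in evs if e["mfa"] == "interactive"), None)
        if anchor is None:
            first = evs[0]
            flagged[sid] = (first["user"], first["ip"],
                            "no interactive MFA seen for this session")
            continue
        for e in evs:
            if e is anchor:
                continue
            if e["device"] != anchor["device"]:
                where = e["device"] or "an unregistered device"
                flagged[sid] = (e["user"], e["ip"],
                                f"session reused from {where}; MFA was done on {anchor['device']}")
                break
    return flagged


if __name__ == "__main__":
    for sid, (user, ip, reason) in detect_token_replay(SAMPLE_SIGNINS).items():
        print(f"{sid} {user} from {ip}: {reason}")
```

The response to a hit is to revoke the session (so every refresh token tied to it dies) and re-run interactive, phishing-resistant authentication on a managed device, not merely to reset the password, which by itself does nothing to a token the attacker already holds.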

Another bypass attack is OAuth consent phishing. Here someone tricks an existing user into granting an attacker-controlled application permission to access data on the user’s behalf. Attackers send a link asking for consent (“consent phishing”), and if the user falls for it, the app can access the user’s data even when the user is not present. No password is stolen and no multifactor authentication prompt is involved, because the app’s tokens come from the OAuth grant itself rather than from the user’s credentials, and the access persists until that grant is revoked. Like other attacks in this category, they are rare but increasing. We strongly recommend inspecting what apps your users are consenting to and limiting consent to applications from verified publishers.
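Here is what such an inspection looks like in practice, as an added example that is not code from the original post or from Microsoft. It scores a few constructed consent grants (simplified versions of the `oauth2PermissionGrant` and `servicePrincipal` records you would pull from Microsoft Graph) and singles out the ones that combine an unverified publisher with a data-access scope or `offline_access`, the scope that lets an app keep acting after the user has walked away. The scope risk list, the app names and the revoke rule are assumptions you would tune for your tenant.

```python
# Constructed sample records (not real tenant data). The shapes are simplified
# versions of the oauth2PermissionGrant and servicePrincipal objects; the risk
# scope list is an assumption of this example.
HIGH_PRIVILEGE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
    "Directory.Read.All", "Directory.AccessAsUser.All",
}
# offline_access yields a refresh token: the app keeps access with the user absent.
PERSISTENCE_SCOPE = "offline_access"

SAMPLE_APPS = {
    "app-1": {"displayName": "Contoso Expense Tracker", "verifiedPublisher": True},
    "app-2": {"displayName": "Free Mailbox Backup", "verifiedPublisher": False},
    "app-3": {"displayName": "Lunch Poll", "verifiedPublisher": False},
}
SAMPLE_GRANTS = [
    # Admin consent, tenant-wide, verified publisher: worth knowing about, not alarming.
    {"clientId": "app-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Files.ReadWrite.All offline_access"},
    # The consent-phishing shape: one user granted an unverified app mailbox read plus persistence.
    {"clientId": "app-2", "consentType": "Principal", "principalId": "user-42",
     "scope": "User.Read Mail.Read offline_access"},
    # Unverified but harmless: profile read only, no persistence.
    {"clientId": "app-3", "consentType": "Principal", "principalId": "user-17",
     "scope": "User.Read"},
]


def grant_risk(grant, app):
    """Return the list of reasons a grant deserves attention (empty = benign)."""
    scopes = set(grant["scope"].split())
    reasons = []
    if not app["verifiedPublisher"]:
        reasons.append("unverified publisher")
    risky = sorted(scopes & HIGH_PRIVILEGE_SCOPES)
    if risky:
        reasons.append("high-privilege scopes: " + ", ".join(risky))
    if PERSISTENCE_SCOPE in scopes:
        reasons.append("offline_access: keeps working without the user present")
    if grant["consentType"] == "AllPrincipals":
        reasons.append("tenant-wide consent")
    return reasons


def grants_to_revoke(grants, apps):
    """Return [(clientId, app name, principalId, reasons)] for grants that combine an
    unverified publisher with either a high-privilege scope or offline_access,
    the combination consent phishing needs to be worth an attacker's time."""
    findings = []
    for g in grants:
        app = apps[g["clientId"]]
        reasons = grant_risk(g, app)
        unverified = "unverified publisher" in reasons
        dangerous = any(r.startswith(("high-privilege", "offline_access")) for r in reasons)
        if unverified and dangerous:
            findings.append((g["clientId"], app["displayName"], g["principalId"], reasons))
    return findings


if __name__ == "__main__":
    for client_id, name, principal, reasons in grants_to_revoke(SAMPLE_GRANTS, SAMPLE_APPS):
        print(f"revoke {client_id} ({name}) granted by {principal}: {'; '.join(reasons)}")
```

In a live tenant the two inputs come from the Microsoft Graph `oauth2PermissionGrants` and `servicePrincipals` resources (the `verifiedPublisher` property on a service principal is what the publisher check reads); wiring that up, and deciding whether a verified but tenant-wide grant like the first sample also needs a look, is left to you.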

 

Infrastructure compromise

As you get more effective at using identity to secure your organizations and build your Zero Trust policies, advanced attackers are attacking identity infrastructure itself, predominantly taking advantage of outdated, unpatched, or otherwise insecure on-premises systems to steal secrets, compromise federation servers, or otherwise subvert the infrastructure we rely on. This mechanism is insidious, because the attackers often use that access to hide their tracks, and once the access control plane is lost, it can be incredibly difficult to evict an actor.

We are working hard to strengthen hybrid and multicloud detections and build automated protection for specific indicators that attackers are moving against identity infrastructure. Critically, because of the incredible difficulty of protecting on-premises deployments from malware, lateral movement, and emerging threats, you should reduce your dependencies on on-premises infrastructure, shifting authority to the cloud where possible. You should specifically isolate your cloud infrastructure from your on-premises environment, so that a compromised domain controller or federation server cannot be used to mint cloud credentials. Finally, it is critical to partner closely with your security operations center (SOC) to make sure that privileged identity administrators and on-premises servers receive special scrutiny. And because today’s sophisticated adversaries will look for any gap in your security, securing user identities also means protecting non-human identities and the infrastructure that stores and manages identities as well.

 

The rogue wave: Attack velocity and intensity

Our team assists with hundreds of significant cases every year, and one of the most critical issues we see is the difficulty of keeping up with the increasing volume and intensity of attacks. Whether we are assisting customers who are still running Windows Server 2008 Domain Controllers or customers still struggling with a multifactor authentication rollout, the rapid pace of attacker innovation is hard to match for organizations facing tremendous budget, resource, hiring, and political pressure, and that only covers the organizations that think about security at all. Our consumer accounts (like those used to access Outlook.com or Xbox) are 50 times less likely to be hacked than enterprise accounts, because for these consumer accounts we manage the multifactor authentication policy, risk mitigations, and other key security aspects ourselves. All these capabilities (and more) are available to organizations, but the cost of posture management proves too much for many customers.

Our team is committed not just to reducing the costs associated with identity attacks, but to massively reducing the investment required to get and stay secure. This is the common thread that runs through our many investments, whether it is Conditional Access gap analysis, adapting Authenticator to address evolving multifactor authentication fatigue attacks, continuously evolving and expanding our threat detections, or our security defaults program. We are committed to protecting the users, organizations, and systems that depend on identity from unauthorized access and fraud, and it is very clear that this must include helping organizations start secure (or get secure) and stay secure, so they can do more with less.

As you invest in identity security, we encourage you to invest in mechanisms that allow your organization to be agile—automating responses to common threats (for example, auto-blocking or requiring password change), using mechanisms like Authenticator that can evolve and adapt to new threats, shifting authority to the cloud (where detections and mitigations are agile), and being attentive to indications of risk derived from our machine learning systems.

 

Fair winds and following seas in 2023

Whether you’re an admin at a major company or launching a startup from your garage, protecting user identities is crucial. Knowing who is accessing your resources and for what purpose provides a foundation of security upon which all else rests. For that reason, it’s imperative to do everything possible to strengthen your identity posture today. The challenges are significant, but defensive strategies and technology are there to help.

If I may be so bold as to propose some New Year’s resolutions for your identity security efforts:

·  Protect all your users with multifactor authentication, always, using Authenticator, Fast Identity Online (FIDO), Windows Hello, or CBA.

·  Apply Conditional Access rules to your applications to defend against application attacks.

·  Use mobile device management and endpoint protection policies—especially prohibiting running as admin on devices—to inhibit token theft attacks.

·  Limit on-premises exposure and integrate your SOC and identity efforts to ensure you are defending your identity infrastructure.

·  Bet hard on agility with a cloud-first approach, adaptable authentication, and deep commitments to automated responses to common problems to save your critical resources for true crises.

Each of these recommendations has value in and of itself, but taken together, they represent an approach to defense-in-depth. Defense-in-depth encourages us to assume that any single control might be overcome by an attacker, so we have multiple layers of defense. In the recommendations listed in this blog, a user with perfect authentication should never be compromised, but we layer in endpoint protection, SOC monitoring, automated responses, and posture agility assuming that no one control is adequate.

To learn more about how you can protect your organization, be sure to read Joy Chik’s blog, Microsoft Entra: 5 identity priorities for 2023. If you’re interested in a comprehensive security solution that includes identity and access management, extended detection and response, and security information and event management, visit the Microsoft Entra page, along with Microsoft Defender for Identity and Microsoft Sentinel, to learn how this family of multicloud identity and security products can protect your organization.

To learn more about Microsoft Security solutions, visit the Microsoft Security website.

 

Source: Microsoft
