31.10.2019

Office 365, Azure Active Directory and the Incident Response

Microsoft is the de facto leader when it comes to the enterprise infrastructure. Recently, we have seen an increasing number of companies shifting from on premises to cloud based solutions, entrusting Microsoft’s with their data but also the burden to manage their infrastructure. With Azure and Office 365, less assets are needed on premises, so the time and cost needed to administrate them is also reduced. Active Directory, Exchange, day-to-day applications (OneDrive, Skype for Business, Office …) are all manageable in the cloud with just a few clicks and the integration with Microsoft’s single-sign-on solution make them work seamlessly.

The promises are attractive, but how do you protect access to your business data? And what happens if an account is compromised, can you really assess the extent of a breach? 

This “all-connected in the cloud” approach might well have increased the risk surface for your data: a compromised mailbox is an open door to OneDrive, and so on. To limit these risks and increase your security posture as well as your incident response capacity, some careful thinking should be done well in advance and an adequate configuration must be applied.

In the light of latest issues encountered during our investigations, we have compiled below some lessons learned from various incidents.

Did you check your authentication flow ?


The first security measures should be focused on the authentication. With your infrastructure in the cloud, you rely on the component Azure Active Directory. There are many hardening options that you can combine, and even fine tune per application:

  • Using Azure or ADFS Multi Factor Authentication (MFA)
  • Implementing a policy that restricts from which devices a user can log in.

One of the lesson learned was about device enrollment. Depending on your license, the chosen policy might act as a simple trust when enrolling a new device: if the first login is rejected, a new device is still registered and the next attempt authorized.

Hence, if your authentication strategy is based on device restriction, do take a look at “Conditional Access Policy”, and “Microsoft Intune” for device management. And in any case, please test that your device enrollment and authentication works as expected!
 

Did you check your Exchange exposure ?

Let’s imagine the above recommendations were applied and tested. The second lesson learned is related to email protocols: SMTP, POP3 and IMAP. Indeed, even if you have MFA and/or Conditional Access policies configured in Azure Active Directory, those protocols might not use multi-factors, hence are likely subject to some brute-force attacks.

It is therefore recommended to implement Access Control List (ACL) on them, or even disable those you do not use.
 

Be prepared for Incident Response

The last point affects the incident response capacity. When a breach occurs, one of the incident handlers’ most important tasks will be to find its root cause and determine its extent. They will base their investigations on the logs you will be able to provide. Contrary to some beliefs, incident handlers are not wizards, and with the default configuration of Azure AD and Office 365, they will quickly run into some limitations:

  • The logs retention vary from 2 to 90 days by default
  • The maximum amount of events per export is insufficient
  • And all the essential logs that can reveal attackers activity are not enabled by default.

The first advice is then to review carefully your logging capability of Azure AD, Exchange and SharePoint. To allow forensic investigations, you should audit at least:

  • login success and failure on each application
  • account changes (password, permissions …)
  • mailbox activity (rules, mail creation and deletion …)
  • file access, upload and download
     

Conclusion

Moving your infrastructure to the cloud brings many benefits, but changes the security paradigms we are all accustomed too. It is worthwhile to take a close look at your security configuration and logging capabilities.

Keep in mind that with your data in the cloud, a successful phishing campaign can lead an attacker to much more than “just” access to your company’s emails, but to all the access and privileges of the victims, without having to bypass all your on-premises security.

References

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis

https://docs.microsoft.com/en-us/intune/what-is-device-management

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/pop3-and-imap4/enable-or-disable-pop3-or-imap4-access

https://docs.microsoft.com/en-us/office/office-365-management-api/get-started-with-office-365-management-apis