Microsoft Azure AD is a leader in cloud access and identity management, providing federated single sign-on for remote workers into today’s business critical SaaS and enterprise applications. Azure AD is also the built-in solution for managing identities in Office 365, which is why it has such a broad market penetration.
When the pandemic compelled workforces around the world to shift to remote work, the adoption of Azure AD exploded, reaching 425 million active users by the end of 2020. Just as businesses moved to adopt Azure AD for simplified sign-on and secure access to cloud applications and the entire Office 365 ecosystem, attackers also realized the value Azure AD provided to organizations and focused their efforts there.
What makes Azure AD valuable?
Compromising a single Azure AD account gives an attacker access to a large trove of data across multiple SaaS applications, including Microsoft Office 365. This single point of attack has made it critical for organizations to be able to detect and respond to attacks on Azure AD, stopping these compromises before attackers can pivot to other applications and do damage.
Best practices for securing these critical Azure AD accounts have been strong, modern adaptive multi-factor authentication (MFA), passwordless access, and access rules based on location. These types of preventative measures, however, are not enough to deter attackers and ensure data is protected. Modern attackers have too many ways to bypass preventative controls, with techniques like abusing stay-signed-in credentials, brute-forcing credentials where MFA cannot be applied, tricking users into installing attacker-controlled OAuth applications, exploiting vulnerabilities in WS-Trust, and forging their own SAML tokens with a “Golden SAML” attack.
“Golden SAML” attacks and the ability of attackers to evade preventative measures took center stage in the SolarWinds breach, also known as Sunburst or Solorigate. The attackers were able to forge their own SAML tokens, evading MFA, which allowed them to establish persistence in the Azure AD environment and gain access to valuable SaaS applications.
The huge impact that attackers can have when they bypass preventative measures, as in the SolarWinds attack, is why Vectra created Cognito Detect for Office 365 and Azure AD.
Detecting attacker behavior with AI
Using artificial intelligence to analyze how accounts are being used, Detect for Office 365 provides deep behavioral-based attack detection, finds attack behaviors in Azure AD, and allows organizations to detect and stop account takeovers before an attacker can access any SaaS applications.
Vectra’s behavioral-based approach was able to alert on all the techniques leveraged in the SolarWinds attack without the need for signatures or updates to existing models. Behavioral alerting on activity such as the creation of redundant access channels and the abuse of privileged Azure operations allows Vectra to alert on the attackers’ actions every step of the way.
Vectra provides deep behavioral coverage of SolarWinds, future supply chain attacks, and SaaS applications with over ten unique Azure AD detections and over 20 Office 365-specific detection models. Events are never viewed in isolation; instead, they are contextually correlated to ensure efficient and effective prioritization of attacker actions.
The move to zero-trust frameworks for access will only heighten the importance of Azure AD and the need to have visibility into Azure AD for effective detection and response.
To learn more about how Vectra detects and stops attacks similar to SolarWinds, read our research on the attack or attend our webinar Dissecting SolarFlare and How to Detect Future Supply Chain Compromises on February 18, 2021.
John Mancini leads the product management of machine learning-based threat detection algorithms at Vectra. He is a product-driven technologist with extensive experience in the research, development and design of software backed by machine learning and AI. Previously, John held the position of lead data scientist and received a patent for an improved method, system, and computer program product for identifying malicious payload exchanges which may be associated with payload injection or rootkit magic key usage.