Monday, January 23, 2023

Four things you can do to make your environment safer in less than five minutes

As the new year approaches, we often make resolutions in our personal life – things we can do to make our lives better. Maybe it’s exercise, maybe it’s dry January or maybe you’re going to try to read a book a month. This year, I recommend that you make a resolution to improve the security where you work. The five items on this list will help you improve the security of your environment in less than five minutes each.

1. Review privileged groups

Studies have shown that most companies have far too many users in privileged groups. Over time, users get assigned to admin roles and amass more and more admin privileges. If these admin accounts get compromised, they can cause extensive damage to the environment. It's a good idea to check how many users have administrative access, how many of them are Global Administrators, and whether there are any invited guests or partners that have not been removed after being assigned to do an administrative task.


With Azure AD Access Reviews, you can manage users assigned to groups, enterprise applications and privileged roles to make sure users don't retain access for extended periods of time when they no longer need it. You can create an Access Review in less than five minutes: choose which role you want reviewed (Global Admin, Security Admin, etc.), select who will review the members and a start date, and an email will be sent to the reviewer to approve or deny each member's access.


Access reviews can also be used with external users, Microsoft 365 groups and Azure resource roles.
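Before you schedule the review, it helps to know what you are starting from. The following script is an added example (not code from the original post) that pulls the three numbers the section tells you to check out of Azure AD with the Microsoft Graph PowerShell SDK; the list of roles to audit is an assumption you should adjust for your tenant.

```powershell
# Added example, not from the original post: list who holds the most sensitive
# directory roles and flag guests that still hold them. Assumes the Microsoft
# Graph PowerShell SDK and an account that can read roles (e.g. Global Reader).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All"

# Roles to audit; adjust to your environment (assumption).
$rolesToAudit = @("Global Administrator", "Security Administrator",
                  "Exchange Administrator", "SharePoint Administrator")

# Get-MgDirectoryRole only lists roles that have been activated in the tenant;
# a role nobody has ever been assigned to is simply absent and is skipped.
$activeRoles = Get-MgDirectoryRole -All

$report = foreach ($roleName in $rolesToAudit) {
    $role = $activeRoles | Where-Object DisplayName -eq $roleName
    if (-not $role) { continue }

    foreach ($member in (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)) {
        $type  = $member.AdditionalProperties.'@odata.type' -replace '#microsoft.graph.', ''
        $upn   = $null
        $guest = $false
        if ($type -eq 'user') {
            # userType is not in the default property set, so request it explicitly.
            $u = Get-MgUser -UserId $member.Id -Property "id,displayName,userPrincipalName,userType"
            $upn   = $u.UserPrincipalName
            $guest = ($u.UserType -eq 'Guest')
        }
        [pscustomobject]@{
            Role    = $roleName
            Type    = $type          # user, servicePrincipal or group
            Name    = $member.AdditionalProperties.displayName
            Upn     = $upn
            IsGuest = $guest         # invited guest still holding an admin role
        }
    }
}

$report | Sort-Object Role, Name | Format-Table -AutoSize

# The three numbers the post says to check.
"Privileged assignments : {0}" -f @($report).Count
"Global Administrators  : {0}" -f @($report | Where-Object Role -eq 'Global Administrator').Count
"Guests in admin roles  : {0}" -f @($report | Where-Object IsGuest).Count
```

Group members are reported as a single group row; expand them separately if you nest groups into roles.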


2. Turn on MFA for everyone

MFA is still the number one action you can take to prevent 98% of attacks on your accounts. In a recent article entitled Is MFA the Vegetable of Cybersecurity, I talked about how MFA adds another layer of protection to prevent threat actors from accessing your internal networks.


Now, we’ve made it even easier to adopt MFA using the new Zero Trust security model guidance that walks you through the steps to enable adaptive MFA with Conditional Access. You can simply click a check box and turn on policies that include “Require MFA for admins”, “Require MFA for external and guest users”, and “Require MFA for internal users”.
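If you would rather script the "Require MFA for admins" policy than click the check box, the following is an added example (not the post's own code) that creates it with Microsoft Graph PowerShell in report-only mode, so you can review the sign-in logs before enforcing it. The set of admin roles and the emergency-access account ID are assumptions.

```powershell
# Added example, not from the original post: create "Require MFA for admins"
# as a Conditional Access policy, report-only first. Assumes the Microsoft
# Graph PowerShell SDK and a Conditional Access Administrator (or higher).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Directory role template IDs are the same in every tenant. This starting
# list is an assumption; add whatever roles you treat as privileged.
$adminRoleTemplateIds = @(
    "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
    "194ae4cb-b126-40b2-bd5b-6091b380977d",  # Security Administrator
    "29232cdf-9323-42fd-ade2-1d097af3e4de",  # Exchange Administrator
    "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",  # SharePoint Administrator
    "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"   # Conditional Access Administrator
)

# Placeholder: object ID of your emergency-access ("break glass") account,
# which must always be excluded so a broken MFA policy cannot lock you out.
$breakGlassAccountId = "<replace-with-break-glass-account-object-id>"

$policy = @{
    displayName = "Require MFA for admins (report-only)"
    state       = "enabledForReportingButNotEnforced"   # set to "enabled" after review
    conditions  = @{
        users = @{
            includeRoles = $adminRoleTemplateIds
            excludeUsers = @($breakGlassAccountId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State
```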

3. Turn on cloud protection in Defender antivirus

I’ve been surprised to see that many companies aren’t taking advantage of the cloud-protection feature in Defender antivirus. 96% of malware is seen once and never again, so static virus definitions aren’t enough. We need machine learning. With the click of a check box, you enable our cloud protection, which offers near-instant, automated protection against new and emerging threats. As a cloud service, it uses distributed resources and machine learning to deliver protection to all your endpoints at a rate far faster than traditional security intelligence updates – what we call “block at first sight”.


Within milliseconds of a client encountering a new file, multiple metadata-based machine learning models in the cloud start blocking these threats. Seconds later, our sample-based and detonation-based machine learning models go to work to verify the malicious classification. Within minutes, detonation-based models chime in and add additional confirmation.


Defender AV’s layered approach to security, which uses behavior-based detection algorithms, generics, and heuristics, as well as machine learning models in both the client and the cloud, provides real-time protection against new threats and outbreaks.
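The check box sets a handful of Defender preferences on the endpoint, and it is worth verifying they really are in effect, because a device managed by Intune or Group Policy can have them overridden. The script below is an added example (not code from the original post) that audits those settings on one Windows device and enables cloud protection with block at first sight if they are off; run it from an elevated PowerShell session.

```powershell
# Added example, not from the original post: audit and enable Defender
# Antivirus cloud-delivered protection and Block at First Sight on this device.
# Uses the built-in Defender module; requires an elevated session.
function Test-DefenderCloudProtection {
    $p = Get-MpPreference
    # MAPSReporting:        0 = Disabled, 1 = Basic, 2 = Advanced
    # SubmitSamplesConsent: 0 = Always prompt, 1 = Send safe samples,
    #                       2 = Never send, 3 = Send all samples
    [pscustomobject]@{
        CloudProtectionOn   = ($p.MAPSReporting -ge 1)
        SampleSubmissionOn  = ($p.SubmitSamplesConsent -in 1, 3)
        BlockAtFirstSightOn = (-not $p.DisableBlockAtFirstSeen)
        CloudBlockLevel     = $p.CloudBlockLevel       # 0 = Default, 2 = High
        CloudTimeoutSeconds = $p.CloudExtendedTimeout  # extra wait for a cloud verdict
    }
}

function Enable-DefenderCloudProtection {
    # Block at First Sight needs cloud protection AND sample submission;
    # if a policy (Intune/GPO) manages these values, it wins over this call.
    Set-MpPreference -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendAllSamples `
                     -DisableBlockAtFirstSeen $false `
                     -CloudBlockLevel High `
                     -CloudExtendedTimeout 50
}

$before = Test-DefenderCloudProtection
if (-not ($before.CloudProtectionOn -and $before.SampleSubmissionOn -and $before.BlockAtFirstSightOn)) {
    Enable-DefenderCloudProtection
}
Test-DefenderCloudProtection | Format-List
```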


4. Enable user and domain impersonation protection

User and domain impersonation techniques have helped enable the rise of business email compromise (BEC) attacks. BEC attacks continue to proliferate, showing up in 177 countries and causing losses of $26 billion since 2016. Both user and domain impersonation are forms of phishing where an attacker impersonates a sender address, display name or domain name to resemble a contact the user is familiar with, to fool users into trusting them. For example, an address seems to be legitimate at first glance, but when you look more closely you see that an “m” is actually two “n”s, or a lowercase “L” is actually a capital “I”. Attackers count on the recipient’s previous relationship with the sender to gain their trust for a more authentic attack. This can cause the recipient to reveal confidential information, click on malicious links or even wire money to the sender.


You can easily enable Microsoft Defender for Office 365’s impersonation protection features in the anti-phishing policy. User impersonation protection can protect up to 350 internal users per policy in your organization, as well as external users such as board members. When Microsoft detects an email with a sender that is impersonating a protected user, it will take whatever action you configure in the policy. The action could be to quarantine or delete the message or to redirect it to an admin mailbox.

Domain impersonation is also configured in the protection settings of an anti-phishing policy. You can specify a maximum of 50 custom domains in each anti-phishing policy. Each message sent to a recipient that is in the policy is checked for impersonation, and the appropriate action is applied.
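The same two settings can be applied with Exchange Online PowerShell, which is handy when you maintain the protected-user list in a file. The script below is an added example (not the post's own code) that enables user and domain impersonation protection in the built-in default anti-phishing policy and enforces the 350-user and 50-domain limits from this section; the names, addresses and domains are constructed samples.

```powershell
# Added example, not from the original post: enable user and domain
# impersonation protection in an existing anti-phishing policy.
# Requires the ExchangeOnlineManagement module and a Security Administrator.
Connect-ExchangeOnline

$policyName = "Office365 AntiPhish Default"   # the built-in default policy

# "DisplayName;EmailAddress" pairs (constructed samples). Note that this list
# REPLACES the current protected users; it does not append to them.
$protectedUsers = @(
    "Jane Doe;jane.doe@contoso.example",      # CEO
    "John Roe;john.roe@contoso.example",      # CFO
    "Pat Board;pat.board@partner.example"     # external board member
)
# Custom domains to protect (constructed samples). Your own accepted domains
# are covered by EnableOrganizationDomainsProtection instead.
$protectedDomains = @("contoso-bank.example", "partner.example")

# Per-policy limits from the section: 350 users, 50 custom domains.
if ($protectedUsers.Count -gt 350) { throw "More than 350 protected users in one policy" }
if ($protectedDomains.Count -gt 50) { throw "More than 50 custom domains in one policy" }

Set-AntiPhishPolicy -Identity $policyName `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect $protectedDomains `
    -TargetedDomainProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true

# Verify what is now in effect.
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object EnableTargetedUserProtection, TargetedUsersToProtect,
                  TargetedUserProtectionAction, EnableTargetedDomainsProtection,
                  TargetedDomainsToProtect, TargetedDomainProtectionAction
```

Other action values for the two *ProtectionAction parameters include Redirect (with the matching *ActionRecipients parameter) and Delete, matching the options described above.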

5. Protect yourself from consent phishing


Application consent (sometimes called OAuth consent) is the process of a user granting authorization to an application to access protected resources on their behalf. It allows users to authenticate third-party apps to use their existing accounts. Think of when you want to play a game on Facebook or maybe download some kind of add-in for Outlook. Often, you’ll be prompted with something that looks like this:

This may not be a big deal when you’re playing Farmville with your personal account but when a corporate user checks that check box to “Consent on behalf of your organization”, that user could literally be giving that application permissions to your entire organization. In fact, this particular method was used during the SolarWinds/Solorigate campaign so we’ve known about it for some time. Yet many people still haven’t put protections in place to prevent it.

One of the biggest issues with this type of attack is that normal remediation steps, like resetting passwords or requiring MFA, are not effective, since these are third-party applications and are external to the organization. These attacks leverage an interaction model that presumes the entity calling for the information is automation, not a human. We’ve also seen an increase in “consent phishing”, where attackers use social engineering techniques to fool a user into granting consent.

But there are a few ways to restrict user consent to help reduce your surface area and mitigate this risk.

Turn off user application consent

You can quickly stop users from being able to give permissions to applications, or limit which apps they can consent to, for example only applications published by a verified publisher.

  1. Sign in to the Azure portal as a Global Administrator.
  2. Select Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings.
  3. Under User consent for applications, select “Do not allow user consent”.

Create an app consent workflow

As you can see above, once we stop allowing users to grant consent it could mean more work for the admins. And y’all are busy enough as it is. So let’s put a policy in place to enable users to request access to applications that require admin consent.

  1. Sign in to the Azure portal with one of the roles listed in the prerequisites.
  2. Search for and select Azure Active Directory.
  3. Select Enterprise applications.
  4. Under Manage, select User settings. Under Admin consent requests, select Yes for Users can request admin consent to apps they are unable to consent to.


  5. Configure the following settings:

     - Select who will serve as reviewers for admin consent requests: reviewers can view, block or deny admin consent requests, but only global administrators can approve them. People designated as reviewers can view incoming requests in the My Pending tab after they have been set as reviewers. New reviewers won't be able to act on existing or expired admin consent requests.
     - Select who will receive email notifications for requests: enable or disable email notifications to the reviewers when a request is made.
     - Select who will receive request expiration reminders: enable or disable reminder email notifications to the reviewers when a request is about to expire.
     - Consent request expires after (days): specify how long requests stay valid.

After a request is made, you can grant consent on behalf of all users, or grant consent to a single user using PowerShell. You can also use application assignment and Conditional Access to restrict user access to specific apps.
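Both changes in this section, turning off user consent and turning on the admin consent request workflow, can be made in one short script with Microsoft Graph PowerShell. The block below is an added example (not code from the original post); the reviewer account is an assumption, and the 30-day expiry is just a sample value.

```powershell
# Added example, not from the original post: (1) set "Do not allow user
# consent" and (2) enable the admin consent request workflow with one
# reviewer. Assumes the Microsoft Graph PowerShell SDK and a Global
# Administrator session; the reviewer UPN is an assumption.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization",
                        "Policy.ReadWrite.ConsentRequest", "User.Read.All"

# (1) An empty list of permission-grant policies means no user may consent.
# To allow only low-risk permissions for verified-publisher apps instead,
# use @("ManagePermissionGrantsForSelf.microsoft-user-default-low").
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @()
}

# (2) Admin consent workflow. Reviewers are referenced by a Graph query;
# reviewers can view, block or deny, but only Global Administrators approve.
$reviewer = Get-MgUser -UserId "appreviewer@contoso.example"   # assumption
Update-MgPolicyAdminConsentRequestPolicy `
    -IsEnabled $true `
    -NotifyReviewers $true `
    -RemindersEnabled $true `
    -RequestDurationInDays 30 `
    -Reviewers @(@{ query = "/users/$($reviewer.Id)"; queryType = "MicrosoftGraph" })

# Verify both settings took effect.
"User consent policies assigned: {0}" -f (
    @((Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned) -join ", ")
Get-MgPolicyAdminConsentRequestPolicy |
    Select-Object IsEnabled, NotifyReviewers, RemindersEnabled, RequestDurationInDays
```

An empty "User consent policies assigned" line confirms users can no longer consent on their own.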

 

Now, this doesn’t help when it comes to applications that might already have been given access to your environment but I’ll talk about that in another post.