Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)

Captions
Good morning everyone, welcome to Attacking and Defending the Microsoft Cloud: Office 365 and Azure Active Directory, in South Pacific, with Sean Metcalf and Mark Morowczynski. Before we begin we have a few brief announcements for you. Please stop by the business hall located in the Mandalay Bay Oceanside and Shoreline ballrooms on level 2 during the day, and for the welcome reception at 5:30 tonight. The Black Hat Arsenal is in the business hall on level 2, and please join us for the Pwnie Awards which, correction to prior announcements, are in Lagoon JKL at 6:30 today. Lunch will be served in Bayside A/B immediately after this session until 1:30, and don't forget the merchandise store on level 2 and session recordings from Source of Knowledge; they have a desk on every level. Now please ensure that your phones have been placed on vibrate or silent to avoid interrupting the presentation, and welcome Sean Metcalf and Mark Morowczynski. [Applause]

Hello and welcome, Black Hat. I'm Sean Metcalf, I'm the founder of Trimarc, a security company; we help organizations better secure their Microsoft platform both on-prem and in the cloud. I'm a Microsoft Certified Master in Active Directory, Microsoft MVP, yes, and I'm back at Black Hat, so I'm very happy to be here. I've spoken at a number of conferences and I'm very happy to be back. I'm also a security consultant and researcher and I post some interesting security stuff on ADSecurity.org; the slides will be posted there after this talk.

And I'm Mark Morowczynski. I'm a principal program manager in the identity division at Microsoft. We're responsible for Active Directory, Active Directory Federation Services and Azure Active Directory, and I work on the customer experience team. I work with customers on their deployments of Azure Active Directory; we provide guidance but also take some of the learnings and the feedback from those deployments and work it back into the product to make it easier for everybody else to deploy.

So this talk started based on a Twitter conversation last year at Black Hat. Sean did a really good session around moving from a workstation to domain admin. I thought, oh wow, that'd be really good, we should do something like that for Azure Active Directory, and Sean said yeah, let's do that, let's do it. So we submitted our talk, it got accepted, which was great. I've never been to Black Hat before, this is my first time, this has been excellent. So this is what we're going to talk about today. First we're going to give you a sample customer, about how customers have moved to the cloud. Sean's going to cover some attacker recon as well as some attacking the cloud. I'm going to cover defending the cloud, and then the last part is going to be a bunch of to-dos. That'll be the time to get out your camera, take a picture, send it back to the mothership, making sure that we're doing best practices and following the proper guidance.

So let's go ahead and meet that customer. The customer is Acme. They are the largest manufacturer and distributor of anvils in the world. They are headquartered right here in Las Vegas, Nevada. They have 500,000 employees and they operate in 140 countries, and they're starting to think about maybe they should move their business to the cloud. They're not sure if this is the right thing for them to do or how to get started; they're kind of lacking some direction. But the good news is they just hired a new visionary CIO. That CIO is Wile E. Coyote, a longtime customer, now employee; get that sweet, sweet employee discount. He has surveyed the desert, he has his priorities, and his number one priority is: we're going to the cloud.

Okay, so Acme puts together a project team. This may look like some of the similar project teams that you've worked on. We have our identity architect, who really is excited about this project. They want to fix all of the previous 10 to 15 years of identity and access management problems they've had, because this time we're going to do it right. And then we have our collaboration architect, who is kind of excited about this; they're not too sure what this means from a job performance perspective going forward, whether they're still going to be employed after this project's done, so they're a little kind of standoffish. We have the identity engineering team, who is actually going to go push all the buttons on this stuff, and they don't want to really get started on anything until we have all these use cases sorted out entirely. Okay, then we have our collaboration engineering team, and they're pretty much looking for any reason to not do anything. Does anyone work with anyone like that, or is that just at Acme? Just checking. And then we have our security engineering team: the answer is absolutely not, not quite sure what the question is. And then lastly we have a key component, which is our desktop engineering team, who is not present in any of these meetings. Okay, I love the desktop stuff, come on, come on. All right, but they're never there.

Okay, so Acme gets started. They decide Office 365 is what they're going to do. They move their first workload; it's going to be email, and they're going to deploy Azure MFA because they want to increase their security posture, which is great. They do their pilot group, which is usually IT; they sync them over and now they're starting to look at all the different use cases they have in their environment, their different employees, and this is where Acme starts to get in a little bit of trouble. They start getting some analysis paralysis, right, and right now the scenario they're trying to work out is: a user was registered for Azure MFA, they lost their phone, they got a new phone, they immediately got on a plane, and while they were on that plane they were registering for MFA, and the Wi-Fi on the plane went down. How in the world is this person going to access their email on the plane? So while Acme is working through this hypothetical situation that may never happen, it's probably never going to happen, something much more sinister is afoot, and that sinister thing is Sean.

This is kind of cool, I get to play the attacker. While Acme is going through this process and figuring out what they're going to do in the cloud and how they're going to configure everything, and they've already moved some people in there, they really haven't looked at the security of it yet. So what's happening meanwhile: there's an attacker that is looking at this environment. Let's see what we can find. One of the first things that I usually look at is DNS, because it's easy to look at; no one knows that I'm looking at it. In fact I scanned the Fortune 1000 companies to see what MX records they have, to see what their mail exchangers are. This gives you a good idea as an attacker to figure out what sort of security posture their email has, what they have, and so we can see that organizations will have Proofpoint or Office 365 or Cisco or a number of other types of systems. So if I as the attacker am designing an email campaign, I'm going to figure out what they have so that way I can test it against something similar, so I can have a better idea of what might work and what might not.

But often more interesting are the TXT records that are in DNS. These can be pretty much whatever you want them to be, and a lot of the time organizations need to set a domain verification or site verification record. This is usually because they want to go with a third-party app or SaaS app and they have to prove that they own this domain, and in doing so they have this record in DNS, which again is visible to everyone. So this means that through a DNS query I can get some really good information about what kind of enterprise apps an organization has. So what does that mean? Well, we see they just went to Office 365. So if I'm an attacker and I'm very intent on stealing the secret anvil manufacturing process that Acme has, I can look to see what they have in their environment just by doing some DNS queries. Possibly these don't need to persist; very often these can be removed soon after they've been verified, and then just clean them up out of DNS.

So we know they have it. Last year they had Cisco, Citrix, Dropbox and WebEx. Why is this interesting? Because if I'm an attacker and I want to put together a phishing campaign, what I want to do is target it to something that they may feel is relevant. So I may send an email to all of Acme, or all the email addresses I have at Acme, at 7 a.m. on a Monday morning saying there has been a WebEx security issue, you need to update your WebEx or you will not be able to connect to your meetings today. It could be pretty successful. Or, since I see Atlassian: Avinash realized recently that JIRA had a potential misconfiguration for a large number of companies that could leak some information about their internal environment, so I could look to see if Acme has JIRA, because they have an Atlassian TXT record here, and see what else I could find through that.

The other thing that's pretty interesting is the federation configuration. So I want to see if Acme has some sort of federation: do they have AD FS on site, what are they doing with that, how are they handling their authentication flow? And there's no real good naming standard for federation, so I can try fs, sso, sts, etc. And at DEF CON a couple of years ago I talked about: if you could pull this token signing certificate off of the federation server, then you could use that potentially to spoof and create your own forged SAML tokens to then get access to all of those federated apps. So think Workday, think Salesforce, think other big-name companies that sensitive data could be in. And a few months after that CyberArk had a post about what they called the Golden SAML attack and they released a tool that could actually do this: once you have a token signing cert you can create these forged SAML tokens and then access these federated resources as if you're that person. And early this year at Troopers Doug released this tool called ADFSpoof. So Doug Bienstock from Mandiant had done a talk there with Austin, and they talked about how you could extract this data, this certificate data, from AD FS and then also, right after you get that, generate that SAML token and get access to that application, in that talk that they had called "I am ADFS and So Can You". Doug and Austin talked about AD FS adapters, which is not all that well known, but AD FS has these adapters where you typically have the authentication flow where the user authenticates to AD and then they connect to AD FS, which then will give them that token, but an adapter says wait, there's one more step that we have to do. So for example you can have Duo MFA that needs to happen next, and when you have something like that you're going to have a DLL, and they talked about cracking open this DLL and looking at the code inside of it and modifying this code so that way, instead of just doing the MFA part, if you submit it during that logon page, beep-beep, I'm a Jeep, it could run PowerShell or potentially something far more malicious. This is some amazing persistence once someone gets on that AD FS server. So it's critical to understand that once you have a federation server you need to protect it like it's a domain controller, like it's a tier 0 system. Protect those certificates and make sure you're pulling the logs out of your federation system into your SIEM, along with AD as well as your Azure AD logs; then you can correlate those to figure out what's going on.

What's interesting to me is that there are a number of different applications or cloud apps that often require some sort of synchronization from your on-prem AD, and all that you really need is a user account in order to gather that information and send it up to that cloud environment. Obviously if you have Office 365 you're probably going to have Azure AD Connect, but IT doesn't necessarily know what else is in place, because again all you need is a regular user account. So I did some Googling to figure... oh, sorry Mark, I used Bing, then I... yeah, I used Bing, then Google: "Active Directory sync tool", and I found a number of synchronization engines that you could install, and I put some of the more well-known ones here. So if you're using these services it might be possible that you have a bunch of different systems that are sending user data up to that cloud environment, and potentially group data, so you want to be aware of that.

So let's focus on an on-prem environment. Again, at DEF CON a couple of years ago I talked about attacking Azure AD Connect and the fact that Azure AD Connect, using the express install, will configure itself to do password hash sync, which generally we think is a good idea, but you have to understand the implications of what that means and what those rights are that are required for it. And Azure AD Connect is not the only system that would send password hashes, in this case a hash of the hash, but there are other systems that may send the password hash from AD directly to the cloud system, so you want to be aware of those. But let's take a look at what we can do to attack an Azure AD Connect system that has used the express install. It's going to have these rights configured; it's going to automatically create an MSOL account; it's going to put all this information in the description field, which is great for me because then I know what it's installed on. Then with this I can either check to see if there's additional rights that are configured for this account, or even better, if there's not that information, I can use PowerView's Invoke-ACLScanner to see what rights are actually configured at the domain root, or what accounts have DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, which are needed for a DCSync, for a Mimikatz attack, but ultimately Azure AD Connect would need that. So here we see, here's our MSOL account, so we're going to look at our Azure AD Connect computer and figure out where it is in AD: it's in the Root Servers OU. So our next step is to figure out how can we get admin access to that server in that location. So we use PowerView again, Find-GPOComputerAdmin against that OU, and we can identify that there's a Server Admins group in Active Directory, in the Root Groups OU, that is added to the local Administrators group for that OU, which means that if I can compromise an account that's in this group, I can control and administer that Azure AD Connect server along with other servers, which could be interesting. But there's also a second GPO there called Server Config, and Server Config, I'm not too concerned about what settings it has, I'm really interested in the delegation. There's three different server tier groups that are configured with modify rights to this GPO. It's a little odd, but we see that a lot when we do security assessments at Trimarc, and again all I need to do is compromise one account that's in one of these groups to be able to modify this GPO that then applies to that server's OU, so I can add a member to Administrators, I can run code, I can pretty much do whatever I want at that point. So this is a slide that kind of summarizes what I just talked about. The key takeaway here is that you want to treat your Azure AD Connect server as if it's a domain controller, especially if it's doing that password hash sync, and any other system that is doing something similar you want to protect very closely, because compromise of a regular server admin account, which may not look that important, could ultimately prove disastrous and compromise your on-prem AD environment.

So we pretty well understand how the on-prem AD works. For recon of that AD environment, you have an AD account, you can look at users, you can enumerate group membership, typically everything, as long as you can connect to a domain controller in that domain. Azure AD is a little bit different. It's the same: you need an Azure AD user account, but now you don't need to be on-prem, you just need to be able to connect to an Office 365 service, which usually means the entire internet. Also very interesting is we can also ideally identify email addresses for that tenant, or within Azure AD, without having an account in the first place. So Office 365 Creeper, or o365creeper, is a tool that's very interesting because you give it a list of email addresses and it will attempt to authenticate to the Office 365 authentication page, and based on the result code it will say this is valid or this is not valid. So simply by doing this we can identify what email accounts are valid logins for that Azure AD environment. And then the last three that are here enable us to do some user and group enumeration once we have a valid username and password for that environment, because of course once we have a user list we'll do something called password spraying. I think most people here know what that is, so I'll cover it very briefly. We have a list of passwords that we know people tend to use; we're going to try those against our user list, and then we're going to sleep for a little while and then we're going to try another one, and this avoids lockout because we're trying one password against all the users and then we wait before we try the next one. "But Sean, we use symbols in our passwords." Yeah, I got you covered; everyone knows this. So then we just continue on, and we continue iterating through this until we get usernames and passwords for that environment. Here are a bunch of tools that are available that will do password spraying against Office 365. This works because of legacy authentication. Legacy means all of the old stuff that is still in use on the internet, so POP, IMAP, SMTP. If people are using POP clients like Thunderbird, or if they're using apps on their phone, they're using legacy authentication. But legacy authentication, these old protocols, don't support MFA, so even if you've enforced MFA on these accounts I can still use legacy authentication to password spray these accounts and authenticate as them. So let's use MailSniper and do some password spraying against this Acme environment that's in the cloud. They put a bunch of people in there but really didn't do a whole lot of security around it; they forgot to disable, or decided not to disable, legacy auth, just because, and we are able to find passwords for a bunch of users.

Okay, let's put that to the side for right now and let's focus on how we can detect this. Well, unfortunately, by default, in order to look at these Azure AD sign-in logs we need to have an Azure AD Premium subscription, which I think is not a great solution, so Microsoft is actually going to be changing this soon. You'll be able to have access to the Azure AD sign-in logs without requiring the subscription; the subscription will control what your retention period is for those logs, but be pulling those logs into a SIEM anyway. So if we look at these logs we can see that there obviously is a password spray attack occurring. It's coming from a single IP address attempting authentication of a bunch of different users in a row, and so we see that there's a specific user, Boba Fett, whose account is fail, fail, fail and then success: probably a password spray. Okay, so that's nice to look at visually, but what if they're doing some other interesting thing around that? We need to dig into the details a bit more. Well, we can look at the sign-in error code, 50126, and the client app is "Other clients; Older Office clients". This means legacy authentication, so we can build a password spray rule around this. Now keep in mind, what I just did was I password sprayed Office 365, Azure AD, so that means if the organization is federated these logs are not going to be there; they're going to be on their federation system. So if you have AD FS, those logs are going to be there, so that's where you have to look to figure out what the password spraying is, if it's occurring, and Mark has some more information about that when he covers defense shortly.

So a year ago I talked about attacking AD administration and how to fix it, so let's talk a little bit about our cloud administration and the potential problems with how it's being done today. Active Directory, we know how to administer it, we have an MMC, but now we shift over to this Azure AD world where we have to use a web portal or PowerShell. It's very different; it means we're using a web browser now and not the MMC client. We have a bunch of global admins; for some reason Acme has added a bunch of people to Global Admins, which isn't the best idea, but a lot of times organizations, when they're going into the cloud, they just put everyone in Global Admins. But Global Admin in Azure AD pretty much has as much, if not more, rights than what Enterprise Admins, Domain Admins, Administrators, Schema Admins, etc. have in AD. It controls the subscription, so it's very powerful. So you really want to pull people out of that if possible, because you don't want a situation where, like Acme, there's people that shouldn't be there and have bad passwords. So the password spray that I just did, I found that there's two passwords associated with these user accounts and they're Global Admins, so now I own this environment, probably. But let's say this didn't work, let's say that they use pretty good passwords, maybe, like that would happen, and so I go ahead and do a phish. Well, BleepingComputer a couple of weeks ago had a really interesting article about phishing against Office 365, and what I find really fascinating about this phish is that it says your Office 365 license has expired, update your payment now or you'll be cut off. No one will have email anymore: call to action, very likely an admin's going to click on this.

So I'm very happy to be able to state, as a person that doesn't work at Microsoft, that Microsoft has a private preview going on for a role called Global Reader. I'm really excited about this because this provides read access to all of the Office 365 services and their configuration information, with no admin or modify rights. This has been sorely lacking in Office 365 for too long, and now it's there, or at least it will be soon; talk to Microsoft, your TAM. So what this means is you can get these people out of Global Admin, because they just need to look at config info; you can pull these service accounts out that may be running PowerShell scripts or doing reporting and add them into Global Reader. It's still being expanded to cover all the Office 365 services, to support read only. Only read only. Only. Yeah, sounds good. There is an article here at the bottom that I link; it's included in the slides. It has more information about Global Reader and why it's going to be more helpful than just Security Reader; the Security Reader doesn't give you read-only configuration information for a number of the services.

So let's look at this cloud administration thing and how we can go after that. Well, we have our workstation; we've talked about that before: compromise an admin in a group that has admin rights on a workstation, compromise the agent, compromise the management system, compromise the traffic, HTTP, hopefully HTTPS, traffic to the cloud website. We influence that traffic through DNS: if we can get control of DNS, maybe for some reason there's 300 people in DNS Admins, and we can modify the DNS record and point them to somewhere else, maybe we could get our admin to connect to our system instead of the Microsoft system or the AWS system. And then there's the web browser. So in cloud administration the web browser is what stores that token, the proof of identity to the cloud environment, and so what's interesting is Google Chrome is one of the most popular browsers in the enterprise because they provide group policy management. So as an attacker, if I can find a way to modify that group policy that controls Google Chrome and force-install an extension that is, well, safe, malicious, that enables me to potentially split out that session, where I can do something while the admin is still logged in to that environment, or even extract that token and reuse it somewhere else, that could be pretty interesting. And certainly if I'm going to do something like that I wouldn't put a very obvious icon on the browser; I could just hide it.

The other thing that's popular in enterprises is SSL/TLS decryption devices; that's been a pretty standard recommendation since every website is encrypted now. Well, what they do is they break the authentication, they break that web traffic, that SSL session, TLS session, from the web browser to the decryption device, open it up, look at all that traffic and then create a new one to the actual cloud website, and then break the response back in order to send that back and forth. That means that if this site is not whitelisted, so that the decryption device doesn't open it, the token could be stolen if the attacker is able to actually compromise that device. The attacker could also change that whitelisting rule, so you want to protect your decryption devices and that system to make sure that someone doesn't have access to it; otherwise they could impersonate your director of HR, they can impersonate your cloud admin. And then it gets interesting, because if somebody could phish the admin they could get them to go to the attacker's evil proxy, something like Evilginx or something along those lines, or if I can influence them to go to a different site and make it look like it's actually the Microsoft site or some other site, I can proxy that authentication through my evil proxy, and even if MFA is enabled I just show the user the MFA prompt.

The other thing that's interesting, another common attack, is the password reuse replay. We'll usually see on Twitter something like, hey, there might be some stolen passwords, then like a week later this shows up: a password dump with something like SHA-1 or cleartext passwords. We scroll through this looking for the email addresses for the users in Acme and see what we can find, and if we find a password for a user at Acme we can try that against the Acme environment; very likely it's going to work. We can also look at the other passwords that are in that dump and try those as part of our password spraying, or in a situation where someone has a unique name that we noticed in Acme, we saw in the password breach, even if it's a different email address it might have the same password. So one of the ways to detect this: Have I Been Pwned domain notification, or the password hash sync that Mark's going to talk about in a bit is going to provide this users with leaked credentials report, where you can look to see where these breaches have users with your email address in it.

And the last thing I want to talk about as far as this attack goes is the illicit consent grant attack, where attackers are phishing users so that they can click and approve an app to have full control of their actual account, their email and their files, and it's not a true vulnerability. And then the second big one I'll mention a little bit, which is about enterprise app permissions. There's a couple of toolkits that have been released around this, the first one from FireEye, and MDSec. MDSec was nice enough to have this really nice write-up with graphics, some user graphics, and on the left side there's an architecture of how this works and how it's configured, but really what I care about is what's on the right. This is what the user sees when they get the phish, and if they're not paying attention they click Accept; then this app has full control of their account, their email, the files, everything, and it's persistent, and the user is likely not going to go back and look at this. This is not a Microsoft Office 365 thing; this is a cloud OAuth thing. So Trend Micro wrote a really interesting article about Pawn Storm, where the attackers were phishing Gmail users, targeted, and saying install Google Defender. That sounds like a thing, sure, yeah, I want Defender to protect my Gmail and my files, and of course by clicking on this Allow this attacker group was able to access the files and the email from anywhere through this malicious app.

And then the last one I want to talk about is enterprise app permissions. So let's say that I was able to compromise and get a Global Admin account at Acme. I have that account; I want to use it for a short amount of time, then I want to disappear while they're figuring out all their security stuff. Well, I can create a malicious app that I'm going to call something very similar to what many organizations, especially big ones, will probably have, but I made it up, and this is a great persistence method because, as long as I've created it, I have an account in the environment that has owner rights to it. I have some control of this app and all of the permissions that are associated with it; once they're approved, they persist in that environment. This is why it's important for global admins, or admins in a cloud environment, to really review the enterprise applications and what permissions they're requesting, because, very much like your phone, you don't want to be in a situation where they have tremendous rights that aren't reviewed or checked for security issues. So let's talk defense.

All right, thanks Sean for that. So just to kind of recap, Sean talked really about six different types of attacks, right, from consent abuse, from breach replay to password spray. But I thought before we get into this, this would be a good time to check in on how that Acme project team is feeling after listening to Sean talk for about 20-25 minutes. So the feeling is like everything is on fire, but this is going to be fine, because all of the things that Sean talked about are hypothetical in nature. I have some good news for you and I have some bad news. The bad news is the three most common attacks we see at Microsoft are breach replay, phishing and password spray. But the good news is there's lots of really good fundamental things we can do that prevent these attacks from happening altogether or make them much more difficult to do, and Sean kind of sprinkled around some of these things throughout his talk.

And the first one I want to talk about here is compromising the AD FS or Azure AD Connect server, and the key thing here is we want to treat this like a tier zero resource. It's not news to anybody in this room, I'm assuming, that if an attacker gets onto your domain controller they can do horrible, terrible things to your environment. The same is true for Azure AD Connect, or whatever federation service you're using, like PingFederate or AD FS; the same is true for that. We want to treat these like a tier zero resource; you want to protect them like we protect domain controllers. Okay, so let's take a look at another one: admin account takeover. The first thing that everyone should be doing to protect their admin accounts is to turn on MFA for your admin accounts. You're probably thinking, why are you talking about this, this seems pretty basic, and I agree with you, you're right, I shouldn't have to keep talking about it, but unfortunately we do. So in September of 2017 at our Microsoft Ignite conference we looked to see how many global admins had MFA enabled. Who thinks, like, give me a percentage, you guess how many global admins have MFA. Just shout it out. 50 percent? That's pretty close; it was actually 0.7. So just a little, little off. So we talked about it, well, like, please go back and do this. So Ignite happened the same time next year, September 2018, what do we think? 2%? Another 50%? You have way more faith in your fellow admins than I do. We're at 1.7%, right, so that means 98% of admins, global admins, do not have MFA enabled. So I asked our awesome data science team, can you pull numbers for this talk specifically, to have some fresh data for you, and we are up to almost 8%. Yeah, right, don't clap, that's 92% that don't have it. That's terrible, that's terrible. Okay, God, all right, stay with me. Okay, so I don't get why we're not doing this, but this is one of the best things that you can do to protect yourself. So how can you go back and do this? If you take one thing away from this talk, do this: go to your admin and click Enable MFA. That's all you've got to do, one thing, it's so basic. Okay, and the issue with this though is you have to remember to keep doing this for any people that get added to these admin roles. So the better thing you can do is use Conditional Access or our baseline policies for admins, which are in public preview; this will apply MFA to anyone that has that role going forward. The baseline policies, like I said, are in public preview; they are going to change a little bit based on some feedback we've gotten from some customers already, but take a look at that. But the best thing you can do, and Sean kind of alluded to it a little bit, is use a feature we have called Azure AD Privileged Identity Management. This removes all standing admin access; in order to do anything with admin rights you have to elevate yourself and do MFA, and you can also build some workflows around this to say maybe two other global admins have to approve it. You can do, as part of a workflow with your change management, that they can't elevate until, like, the change management window. And because PIM becomes this admin center for all of your management, PIM will notify you when people are being added to roles outside of PIM, and some of my customers have found some very interesting things in their environment this way. And PIM works great for Azure AD as well as Office 365, but it also works for Azure resources, so the people that have privileged access to VMs and things like that, you can have them use PIM as well. And this is a P2 license requirement, so like Acme, they can't buy P2 licenses for five hundred thousand people to start with, but you can buy P2 for your admins. So Acme can buy those thirty or forty or fifty admins P2 licenses and start using it. And to deploy PIM, it's pretty straightforward: if you go to the aka.ms deployment plans, we have lots of Azure AD features like SaaS apps, Conditional Access, MFA, but we have one for PIM as well.

Now, forward thinking for your admins, you want to start looking into FIDO2. FIDO2 is a standards-based passwordless authentication that's made up of two parts, WebAuthn and CTAP. I don't have enough time in the session to go over FIDO2; I believe there's a WebAuthn session tomorrow morning. If you're not familiar with this, check it out, but the high level is: it's a public/private key, the private key is stored on the device, you have to do some sort of, like, proof of presence, either biometric or PIN, but the reason you want to do this is this is an extremely strong factor of authentication that makes some of the attacks that Sean showed you either impossible or much harder to complete. And this is really exciting, because you can actually go do this today in Azure Active Directory. We just went public preview with this a few weeks ago. It works for your global admins as well as your authentication admins, those are the people that control MFA; you can scope this roll out to your users in groups, and if you go to aka.ms/fido2docs we cover more of that stuff there. And you can try this out; go back and try this on your test... everybody has a test tenant, right? The silence is just deafening. Okay, we'll do it, we'll do a live... we'll do it in prod, right? So try it with a few accounts, we'll do a lot. All right, Windows 10 1903 for your best experience; it works with Edge and Firefox version 67 and later.

All right, the next thing Sean talked about was app consent. So we're not seeing this attack too much in Azure Active Directory, but it's something you should be taking a look at. So how do I get to this in Azure Active Directory? If you go to Enterprise Apps, you click on the application, you click Permissions, and you get to see all the permissions that the application is requiring, and we can see here under Admin Consent an admin has consented to this application. These are the permissions the application needs, and we also will give you a permission level from low, medium to high: how, like, wide that permission is. If you click on any of those, we
will tell you what that permission actually does that's when admin can send perspectives from a user can spend perspective if you click on that it will show you the same similar thing but you can see which users have consented to that application which is really pretty nice thing to look take a look at now some of my customers have like fifty a hundred I have a couple of customers that have over a thousand apps and Active Directory they can't be clicking through all this so we actually have a PowerShell script that will help you with this so this is written by Philippe he's a feature PM in Azure Active Directory team and we're trying to do a lot more work in this area to make this easier for everybody else but run this PowerShell script take a look at what the application permissions are and you want to look for things like Sean showed you earlier like anything has directory read/write all or any rewrite all that looks kind of suspicious we want to make sure we know what that is anything with like a kind of a weird name like Sean showed you like Oh Salesforce - looks probably ok and then anything that an admin has consented to we want to make sure that anyone that has consented to that we know what that application is used for and the permissions are ok so that's what we're on do about admin consent the other thing Sean talked about was breach replay right we find these clear text username passwords online and attackers we're trying to try them against different services to see if some end user has reused their credentials which I'm sure nobody has ever done but the best thing you can do for this Sean Lu - is turn on a Grady connect password hashing you get two big things with this the first thing you get is that leaked credential report so we find these clear text username passwords we take those passwords and we run them through the same hashing algorithms as the hashes that are stored in Azure Active Directory if the hashes match that means the same username and 
password is being used somewhere on the Internet so we will tell you about that it shows up as a leaked credential a high risk user and if you have identity protection you can actually block the user on that or put them through a password reset flow but that's the big thing you get and you want to be taking a look at this you want to reset these passwords immediately when a leak potential shows up but the second thing you get they may not be obvious is when something catastrophic happens in your environment like I wanna cry or not Pecha you're able to flip your authentication from being federated to authenticate against a Droid II directly this gives you two really big benefits the first benefit is anything in a Droid II will still continue to work so your business can still use office 365 and any fast apps you've integrated with Azure ad like Salesforce workday or whatever it is those all continue to still work but more importantly this will give you corporate resources to start recovering your environment with because if you don't have something like this it is all hands on deck all the rules go out the window and people will be using personal email addresses like hotmail Gmail Comcast net or maybe whatsapp or Facebook chat and in there without any retention policies the only way to do a discovery will probably server names IP addresses and probably realistically usernames and passwords in these other things that you have no visibility into so you want to make sure you have a way for your IT department to start recovering the environment and take a look at this wire article if you haven't read it already really good talks about what happens just a couple customers now one of the biggest things I hear against password hashing because people just really don't understand how it works they think we're like taking the hash we're reversing it to a clear text password and storing that which we're not or it's the MD for hash that's being stored in Active Directory which 
it's not so we cover all this here so take a look at this this usually usually answer pretty much anyone's questions around how this password hash sync works so go take a look at this for anyone it doesn't feel like they need to turn this on another thing that I shouldn't have to talk about but I have to so we only look for credentials that we find going forward meaning that we don't keep clear text username passwords that we found six months ago eight months ago a year ago something like that but these things tend to get sliced and diced and reposted so we continue to run through them as we find them but a couple customers have had this brilliant idea where they're gonna leak their own credential like oh you put it on paste spin like is that what you're looking for this stuff please do not do that I assure you the service is working like just turn it on and delete wrenches they will come rolling on in like trust me they always come rolling on it okay so you'll need to leak your own credential so I made this little chart here for anyone that's kind of on the fence about if they should do password hashing so we have a pro's we have our con there which is the security team does a want to do it and then end of list but I spend a lot of time talking about this with my customer so if you feel like you can convince me why you can't turn password hashing con I would love to hear it I've done this at several conferences no one has been able to convince me if anyone can convince me it will be the audience here at blackhat so come find me after our contact information was at the beginning and it'll be at the end of the deck email me on Twitter is fine whatever else I want understand why do you feel like you can't turn on password hashtag okay so phishing Shawn show that kind of an interesting phishing attack what can we do we can require users to do MFA and the thing we want them to do is use the Authenticator app this will give you a better performance but also you'll get 
less prompts because this acts as a token broker there's a few ways to turn on MFA for users the first way is you can do at a per user level and it'll get prompted regardless of what's happening or go that's what applications are going to this might be okay if you have a few apps like office 365 or something like that but as you move to the cloud you'll probably want to move to a more dynamic ability to do this with conditional access you can say if you're coming from this location or you're coming from you know this type of device you want to do MFA that way but the best thing you can do is you can do a risk-based policy so we only prompt people for MFA when we think something risky is going on but no matter how much we do people are still going to fall for phishing attacks internally at Microsoft they'll be a mail that goes out that says who would like to take home the brand new secret Xbox to try at home Shh we're only taking the first thousand people and people leap at the keyboard to give their credentials up to take this Xbox home right so people are gonna fall for this we need to be monitoring for these types of things so you need to be integrating your logs with your seen system so it's a few ways to do this the first way if you've been doing this for a little bit time you might be pulling from the graph and you have like a couple endpoints you're hitting like the sign-in logs or the auto logs which is kind of painful because you have to give the the time frame correctly but also then the credentials sometimes get stored in the script as people aren't doing things they should be doing so that's okay we want you to move to something else anyways we want you to use the azure event table which is part of as your monitor now this has some pre-built connectors so you make a connection once either with like Splunk or sumo logic there and then the event hub will push this event to your scene just straight push it's the easiest thing you can do so go take a look at 
this make sure you're integrating those logs into your seam solution now maybe if your seam solution is more like a Hotel California right like these events check-in but we never get anything about it you can use as your login oolitic switch has some pre-built workbooks and also as your sentinel now if you have a TFS one of the best things you can do for this issue's a 3d connect health for a TFS this gives you a few things the first thing is you'll get some alerts about common ad FS issues like your certs gonna expire there's some performance issue but there's a bunch of really good security benefits as well we will tell you which accounts are having the most invalid login attempts which may mean someone has an old password and an iPad somewhere that's just like banging away on their mailbox or maybe this might be a thing of password sprain we talked about it in terms of risky IP so we will show you those IP addresses that Sean showed you how to do a password spray which ones are attacking your environment okay and then it's about that if you have 85 2016 or 2019 make sure you turn on smart lockout this helps with this protection and we'll come back to this here in a little bit but as terms of password spray there's a few big defenses we need to do the first thing is it's time to modernize our password policy as Sean showed you people choose these strong but predictable passwords right so if we change it every 30 days August 2019 with a last special character all right oxidation point or every quarter is going to be summer 2019 this is very predictable patterns that people do so we have a white paper on this take a look at this it's written by a good PMI our team name Robin Hickok it kinda explains this in a much more deep deeper detail and it's also is aligned to the guidance from NIST 863 B so what can you do about this we have this feature called the azure ad ban password policy that doesn't let you put any of these easily guessable passwords into Azure Active 
Directory and we also give you a custom banned password list as well so put in here things that are specific to your environment don't put the iraq' list in here like you don't need to do that but just put in things like brands locations and common passwords you know people are using so one of my co-workers was in South America and he was talking to a customer and there Red Team did an internal password spray and they said over I think it was 60% of the passwords in their environment had one of the soccer teams in that region in the name so you probably know that you have similar things in your environment that's what should go in this custom band password list with the best feature of this I promise you the best feature of this is it works with your on-prem Active Directory as well you can deploy this for your domain controllers and how that works is there's an agent password filter on the domain controller there's a member server that's reaching out to the intern to pull down these custom lists as well as the globalist and that's what will protect you against putting these guessable passwords so in the azure ad p1 you need to be on domain controllers 2012 or later but there is no domain or forest functional level requirement and your sis fall needs to be at the FS are you should be at that anyways and you want to put this in auto mode first because you'll see how many passwords it would have blocked and that's our scoring system up there we have some fuzzy matching and substring and all that good stuff we document everything take a look at that later but we'll show you how many we don't you would have blocked and you can take that to your management say look we have 30 percent forty percent maybe even more 50 percent easily gets a little passwords our environment you need to turn this on and one of the things I've seen people do that's very successful is when they communicate this to their end users they say ok you need to put in a very complex password but after 
you do that you won't have to change your password for six months or nine months or maybe even a year and people are very excited to go do this and change the password ok so last part here legacy authentication and password spray almost a hundred percent of the attacks we see using password spray are using legacy authentication this is the pop3 imap4 SMTP stuff that Shan Chun talked about and how often is this happening so in August of 2018 we saw 200,000 accounts were falling to password spray attacks so I asked that same awesome data science team could you pull me some data for this talk is it still a real problem and from May it was 133,000 in June it was 212,000 and in July it was 120 mm so this is still very active attack that we need to make sure we're defending against we want to make sure our password policies are up and we want to turn off these legacy protocols which however in a second but the last thing I want to stress about this and Shawn kind of talked about it a little bit if you are federated the authentication takes place at your IDP you have to take care of this you have to look for this you have to block it the reason the invalid password attempt in Shawn's pictures and the sign-in logs it's because he's often and King in sad radio if she's federated they will be in these logs you want to make sure that we are pulling these logs in our scene system and we're taking a look at this stuff yeah so how can I block this the first thing you can block this at exchange at the mailbox level you can just turn this off if anyone's not using these protocols turn it off you can also block it from like a service on your tenant out as using authentication policy this is what Acme should be doing they're starting this project turn it off to begin with don't let people add accounts that we shouldn't be using you want to turn this off so use authentication policies for that and then we can actually block specific client IP addresses as well using the ATF us 
connect health logs we see the risky IPs and that kind of stuff you can actually just drop those connections in exchange to start with okay so if we are federated in a DFS we have some authorization rules and the key thing to know here is that one author authorization rules are very rich meaning that you can get very very complex with your rules however you need to be but this happens after authentication and these authorization rules will apply to the entire relying party so meaning anything behind a directive directory like office 365 or any SAS apps those will be what's applied to those rules okay and lastly we can block this in a direct the directory the first way again any users that are not using these legacy protocols today block it turn it off at the mailbox block in an azure ad you can do that using conditional access or we have a baseline policy that's in public preview but remember those are going to change a little bit based on some feedback but we want to make sure we're blocking those that are not using it today don't let it get any worse then you want to work through anyone that is using it so this is probably where you're gonna find those older clients Outlook 2010 maybe that Thunderbird client and you need to tell people look we need to move to the modern authentication protocols or you need to move to OWA but we're gonna turn those off and start with those ones those like easier ones to take care of first like the pop3 imap4 us then you can start working about service accounts so these are gonna be using SMTP or EWS we can start moving those two modern authentication protocols but you can use conditional access to say these can only authenticate from internal the internal corporate network that's better than nothing we can start with that and if you're doing apps that use EWS just be aware but that is going to be decommissioned in October 2020 and if you're doing any conditional access policies based on device make sure that your give all your 
matrix figured out so you're not dropping anything that's slipping through we topic cover this in this blog post question 7 specifically and with that Shawn is going to wrap it up great well thank you Mark so now what do you need to do I assemble the team get everyone together talk about what needs to get done next thankfully you don't have to go through all these slides to figure out what should really be done because we put together some checklists for you I hate it having to do it through a slide deck and trying to figure out okay what's all the stuff but I need to do from this really like Mark said MFA for cloud admin accounts especially if you're gonna be in global admin you're going to be in global admin really PEM is the way to go you can enforce MFA for global admins and and privilege rolls through the baseline policies that were in preview or conditional access policies the other thing that's really important is to make sure that you isolate your cloud admins as I talked about earlier if I can control the web browser or the computer itself then I can own that cloud environment so we want to make sure that you protect your cloud admins you get them into either a cloud admin workstation or push them into VDI or a server for that administration so at least that cloud admin account hopefully they have a separate account not your regular user account are there to be protected there's a number of things that we have in the deck that we've gone over we put together the checklist for you so you have some good information about what you can do on your own so in conclusion well really the cloud is magic I mean it can be very helpful for a business it can be very useful but obviously what is helpful and useful and where's the date where the data is that's what the attackers want to go after so ultimately we are it's magic so the cloud is a new paradigm that requires special attention and it's not inherently secure there is a responsibility for security that split 
between the provider and the customer so as the customer you need to have a good understanding of what the provider is responsible for and what you need to do as well so Microsoft provides office 365 with legacy authentication enabled by default although at some point that will change for new tenants so if you're going in office 365 now just turn off legacy authentication because it's not in use if you're just going there now there's things that you can do to lock they lock this down and tighten them up the security features and controls I know they change all the time it's tough to keep up with but just do a checkpoint every at least every quarter with your cloud provider to see what the updates are and try to figure out what new security controls are available either in your subscription or maybe one above that that might be useful for your environment something that wasn't possible six months ago may be possible today and unfortunately securing the cloud may cost extra just like on prom there may be some security features that you need to have because you have a high security environment it may cause some of the additional money for that so make sure you budget for that when you're going through the negotiations with your cloud provider so if you liked our talk please submit an evaluation we will be going to the choral room for wrap up right after this and the presentations will be on 8e security that'll work very shortly that's been our time thank you very much for yours [Applause] you [Applause]
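Mark's password-spray defenses rest on pulling the sign-in logs into a SIEM and looking for one source IP failing against many accounts, a couple of tries each, mostly over legacy protocols. As an added example (not the speakers' or Microsoft's code), here is that triage logic in Python over constructed records shaped like an Azure AD sign-in log export; the field names and the legacy clientAppUsed strings are assumptions, while error code 50126 is the wrong-password result code.

```python
"""Password-spray triage over Azure AD sign-in records (added example).

Spray signature, as described in the talk: one source IP, many distinct
accounts, one or two attempts each, wrong-password failures, usually over
legacy protocols.  Records below are constructed sample data in an
export-like shape; field names and clientAppUsed strings are assumptions.
"""
from collections import Counter, defaultdict

BAD_PASSWORD = 50126   # AADSTS50126: invalid username or password
SUCCESS = 0            # errorCode 0 is a successful sign-in
# Assumed clientAppUsed values for protocols without modern authentication.
LEGACY_CLIENTS = {"POP3", "IMAP4", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}


def _rec(upn, ip, client, code, ts):
    """Build one constructed sign-in record in export-like shape."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": client, "status": {"errorCode": code}}


# Constructed sample: 203.0.113.7 tries seven accounts once each over IMAP4
# (one guess lands); 198.51.100.9 is one user mistyping a browser password.
SAMPLE_SIGNINS = [
    _rec("alice@acme.example", "203.0.113.7", "IMAP4", BAD_PASSWORD, "2019-08-07T09:00:01Z"),
    _rec("bob@acme.example", "203.0.113.7", "IMAP4", BAD_PASSWORD, "2019-08-07T09:00:03Z"),
    _rec("carol@acme.example", "203.0.113.7", "IMAP4", BAD_PASSWORD, "2019-08-07T09:00:05Z"),
    _rec("dave@acme.example", "203.0.113.7", "IMAP4", BAD_PASSWORD, "2019-08-07T09:00:07Z"),
    _rec("erin@acme.example", "203.0.113.7", "IMAP4", BAD_PASSWORD, "2019-08-07T09:00:09Z"),
    _rec("frank@acme.example", "203.0.113.7", "IMAP4", SUCCESS, "2019-08-07T09:00:11Z"),
    _rec("grace@acme.example", "203.0.113.7", "IMAP4", BAD_PASSWORD, "2019-08-07T09:00:13Z"),
    _rec("heidi@acme.example", "198.51.100.9", "Browser", BAD_PASSWORD, "2019-08-07T09:02:00Z"),
    _rec("heidi@acme.example", "198.51.100.9", "Browser", BAD_PASSWORD, "2019-08-07T09:02:20Z"),
    _rec("heidi@acme.example", "198.51.100.9", "Browser", BAD_PASSWORD, "2019-08-07T09:02:45Z"),
    _rec("heidi@acme.example", "198.51.100.9", "Browser", BAD_PASSWORD, "2019-08-07T09:03:10Z"),
]


def detect_spray(records, min_accounts=5, max_avg_attempts=2.0):
    """Return one finding per source IP whose failures look like a spray.

    Flag an IP when at least `min_accounts` distinct accounts failed with a
    wrong password from it, averaging `max_avg_attempts` or fewer tries per
    account (lockout-avoiding "one password, many users" behaviour).
    """
    per_ip = defaultdict(lambda: {"users": Counter(), "legacy": 0})
    for r in records:
        if r["status"]["errorCode"] != BAD_PASSWORD:
            continue  # MFA, blocked-by-policy, etc. are not password guesses
        bucket = per_ip[r["ipAddress"]]
        bucket["users"][r["userPrincipalName"].lower()] += 1
        if r["clientAppUsed"] in LEGACY_CLIENTS:
            bucket["legacy"] += 1
    findings = []
    for ip, b in per_ip.items():
        accounts = len(b["users"])
        attempts = sum(b["users"].values())
        if accounts >= min_accounts and attempts / accounts <= max_avg_attempts:
            findings.append({"ip": ip, "accounts": accounts, "attempts": attempts,
                             "legacy_share": round(b["legacy"] / attempts, 2)})
    return sorted(findings, key=lambda f: f["accounts"], reverse=True)


def spray_successes(records, findings):
    """Accounts that signed in successfully from a flagged IP: the likely
    compromises to reset and investigate first."""
    flagged = {f["ip"] for f in findings}
    hits = {(r["userPrincipalName"].lower(), r["ipAddress"]) for r in records
            if r["ipAddress"] in flagged and r["status"]["errorCode"] == SUCCESS}
    return sorted(hits)


if __name__ == "__main__":
    found = detect_spray(SAMPLE_SIGNINS)
    for f in found:
        print(f"spray from {f['ip']}: {f['accounts']} accounts, "
              f"{f['attempts']} attempts, legacy share {f['legacy_share']}")
    for upn, ip in spray_successes(SAMPLE_SIGNINS, found):
        print(f"reset and investigate {upn} (success from {ip})")
```

The single-user burst from 198.51.100.9 is not flagged, which is the distinction Mark draws between an old password on a forgotten device and a spray.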
Info
Channel: Black Hat
Views: 11,534
Rating: 4.9796953 out of 5
Id: SG2ibjuzRJM
Length: 50min 23sec (3023 seconds)
Published: Wed Jan 15 2020