
Jul 22 2024
Security

How to Mitigate Damage from Credentials That Should Be Inactive

Bad actors use information from ex-employees. Here’s what you can do about it.

The U.S. Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center recently highlighted how a bad actor was able to authenticate to a state government’s internal VPN access point using the still-valid credentials of an ex-employee.

In a recent alert, CISA and MS-ISAC outlined the threat and the tactics and techniques used in the criminal plot.

A state government organization was notified that the login credentials of a former employee were posted on a dark web brokerage site. The employee’s information had not been promptly removed from Microsoft Active Directory, now called Entra ID. An assessment of the organization’s network — including on-premises as well as the Azure environments where sensitive data was held — disclosed that the threat actor was able to successfully authenticate to the VPN.


What the Bad Guys Did to Gain Access

To better prepare for similar attacks, state and local agencies must fully understand these adversaries’ tactics:

  • Reconnaissance. Constantly searching for administrative accounts that are inadequately protected or not disabled
  • Initial access. Gathering victim identity information and credentials
  • Defense evasion. Connecting to a virtual machine using the victim’s VPN to blend in with legitimate traffic and evade detection
  • Credential access. Obtaining user account credentials, likely from a virtualized SharePoint server where they were stored locally
  • Privilege escalation. Using the privileges of the compromised account, which was synced to on-premises networks and Azure AD
  • Discovery. Executing Lightweight Directory Access Protocol queries of AD via a virtual machine connection, collecting user and host information as well as trust relationship information, and authenticating to services

One mistake can result in potentially devastating consequences. Failing to immediately remove a privileged account from the environment left a door open to the threat. With this information, a bad actor could take advantage of the unique nature of Azure AD to gain access throughout the network.

 

19.2M

The total number of U.S. state and local government employees in 2022

Source: statistica.com, “Total number of government employees in the United States from 1982 to 2022,” Nov. 3, 2023

This is because, by default, all users of Azure AD can register and manage every aspect of the applications they create. This includes determining and approving what organizational data and services the app can access. Such default settings can enable a criminal to access sensitive information, move laterally in the network and escalate privileges to conduct malicious actions.


What the Good Guys Can Do to Protect Access

Once agencies and their network defenders are fully aware of how the bad guys work, CISA and MS-ISAC encourage security groups to fortify against similar attacks. Mitigation is largely focused on protecting credentials (especially for privileged accounts) and reducing the attack surface.

Administrative accounts:

  • Review current administrative accounts to make sure each is really needed. Remove any accounts deemed no longer necessary.
  • Restrict the use of multiple admin accounts by a single user.
  • Create separate admin accounts for on-premises and Azure environments.
  • Implement least-privilege principles.
  • Use phishing-resistant multifactor authentication.
  • Establish policies and procedures for prompt removal of unnecessary accounts and groups.
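The first three items above (confirm each admin account is still needed, stop one person from holding several admin accounts, remove accounts promptly after offboarding) are the kind of review that is easy to state and easy to let slip. The following Python script is an added example, not code from the article or from CISA/MS-ISAC: it runs those checks over a constructed directory export. The field names (`sam`, `owner`, `groups`, `hr_status`, `last_logon`), the privileged-group list and the 90-day staleness threshold are assumptions; in practice the rows would come from an AD or Entra ID export joined with the HR system’s leaver list.

```python
from datetime import date, timedelta

# Constructed directory export (sample data, not real accounts). Field names
# are assumptions; a real export from AD/Entra ID would be mapped onto them.
ACCOUNTS = [
    {"sam": "jdoe", "owner": "J. Doe", "enabled": True,
     "last_logon": date(2024, 7, 1), "groups": ["Domain Users"],
     "hr_status": "active"},
    {"sam": "jdoe-adm", "owner": "J. Doe", "enabled": True,
     "last_logon": date(2024, 6, 30), "groups": ["Domain Admins"],
     "hr_status": "active"},
    {"sam": "jdoe-adm2", "owner": "J. Doe", "enabled": True,
     "last_logon": date(2024, 3, 1), "groups": ["Domain Admins"],
     "hr_status": "active"},
    # Offboarded person whose account was never disabled: the scenario in
    # the CISA/MS-ISAC alert.
    {"sam": "rsmith", "owner": "R. Smith", "enabled": True,
     "last_logon": date(2024, 7, 10),
     "groups": ["Domain Users", "Global Administrator"],
     "hr_status": "terminated"},
    {"sam": "svc-backup", "owner": "(service)", "enabled": True,
     "last_logon": date(2023, 11, 2), "groups": ["Backup Operators"],
     "hr_status": "active"},
]

# Assumed set of groups treated as privileged (extend for your environment).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Backup Operators", "Global Administrator"}
STALE_AFTER = timedelta(days=90)   # assumed review threshold
REVIEW_DATE = date(2024, 7, 22)    # fixed so the example is reproducible


def is_privileged(account):
    """True if the account is a member of any privileged group."""
    return bool(set(account["groups"]) & PRIVILEGED_GROUPS)


def review_accounts(accounts, today=REVIEW_DATE):
    """Return sorted (finding, subject) pairs for the three review checks."""
    findings = []
    admin_accounts_by_owner = {}
    for a in accounts:
        # Check 3: leaver still has an enabled account.
        if a["enabled"] and a["hr_status"] == "terminated":
            findings.append(("ENABLED_AFTER_OFFBOARDING", a["sam"]))
        if is_privileged(a):
            admin_accounts_by_owner.setdefault(a["owner"], []).append(a["sam"])
            # Check 1: privileged account nobody has used recently is a
            # candidate for removal.
            if a["enabled"] and today - a["last_logon"] > STALE_AFTER:
                findings.append(("STALE_PRIVILEGED", a["sam"]))
    # Check 2: one person holding more than one admin account.
    for owner, sams in admin_accounts_by_owner.items():
        if len(sams) > 1:
            findings.append(("MULTIPLE_ADMIN_ACCOUNTS", owner))
    return sorted(findings)


if __name__ == "__main__":
    for finding, subject in review_accounts(ACCOUNTS):
        print(f"{finding:26} {subject}")
```

Running it lists the terminated employee’s still-enabled account, the two privileged accounts with no logon in the last 90 days, and the person holding two admin accounts. The useful design point is the join with HR status: directory data alone cannot tell you an account belongs to someone who has left, which is exactly the gap the alert describes.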

Passwords:

  • Implement strong password management alongside other attribute-based information, such as time of access, user history and geolocation.
  • Require complex passwords for all users, and enforce the requirement when passwords expire and are reset.
  • Store credentials in a vault or other privileged account management solution.
  • For products that come with default passwords, require vendors to provide a plan for eliminating them.

Tenant settings:

  • Evaluate current user permissions in the Azure tenant to restrict potentially harmful permissions.
  • Only allow admins to create tenants.
  • Ensure that only admins can access the Azure AD portal.
  • Use the Secure Cloud Business Applications assessment tool to verify that tenant configurations conform to the security configuration baseline.
  • Use tools that identify attack paths and shut them down before they are exploited.
  • Review the security recommendations from Microsoft Defender.


How Government Agencies Can Reduce Their Attack Surface

All of those mitigations help protect organizations by establishing safeguards that prevent and deter threat actors from accessing privileged accounts, escalating privileges and accessing further information. Additionally, it is important to ensure that not only the on-premises environment but also any cloud-based environments such as Azure are adequately protected and monitored.

Attack surface:

  • Maintain a robust asset management policy.
  • Follow routine patching cycles.
  • Do not allow personal devices to connect to the network.
  • Collect security-focused logs.
  • Enable complete coverage of tools across the environment for thorough analysis of anomalous activity and remediation of potential vulnerabilities.
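“Collect security-focused logs” only pays off if something reads them with the right question in mind. In the incident the article describes, the question was whether anyone had authenticated to the VPN with an account that belonged to a former employee. The script below is an added example, not code from the article or from CISA/MS-ISAC: it parses a few constructed VPN gateway log lines, joins successful logins against a constructed offboarding register, and reports logins that happened after the person’s leaving date. The log format, host name, IP addresses and dates are all invented for the example; a real gateway’s format would need its own regular expression.

```python
import re
from datetime import datetime

# Constructed VPN gateway log (sample lines; the syslog-like layout is an
# assumption, not any vendor's real format).
VPN_LOG = """\
2024-07-15T08:02:11Z vpn01 auth: user=jdoe result=success src=203.0.113.10
2024-07-15T08:05:43Z vpn01 auth: user=rsmith result=failure src=198.51.100.7
2024-07-15T08:06:02Z vpn01 auth: user=rsmith result=success src=198.51.100.7
2024-07-15T09:30:00Z vpn01 auth: user=svc-backup result=success src=192.0.2.44
this line is not in the expected format
2024-07-16T01:15:27Z vpn01 auth: user=rsmith result=success src=198.51.100.9
"""

# Constructed offboarding register: account -> date the person left.
# In practice this comes from HR, not from the directory.
OFFBOARDED = {"rsmith": datetime(2024, 6, 28)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_offboarded_logins(log_text, offboarded):
    """Return (user, timestamp, source) for successful logins by accounts
    whose owner had already left; unparseable lines are counted, not dropped
    silently, so a format change does not hide misses."""
    hits, unparsed = [], 0
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            unparsed += 1
            continue
        if event["result"] != "success":
            continue
        left_on = offboarded.get(event["user"])
        if left_on is not None and event["ts"] > left_on:
            hits.append((event["user"], event["ts"].isoformat(), event["src"]))
    return hits, unparsed


if __name__ == "__main__":
    found, skipped = find_offboarded_logins(VPN_LOG, OFFBOARDED)
    for user, ts, src in found:
        print(f"ALERT offboarded account {user} logged in at {ts} from {src}")
    print(f"{skipped} line(s) could not be parsed")
```

The same join works against any authentication source (VPN, Entra ID sign-in logs, SharePoint access logs), which is why the register of leavers should be maintained as a feed rather than a spreadsheet. Returning the count of unparseable lines is deliberate: a detection that silently ignores lines it cannot read will go quiet the day the gateway’s log format changes.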

These mitigations, along with network segmentation, reduce the attack surface available to bad actors, and allow for early detection and prompt response to attempts to wreak havoc. Vendor recommendations from CISA and MS-ISAC include prioritizing security by default configurations and immediately mitigating products that have not been patched in accordance with CISA’s Known Exploited Vulnerabilities catalog.

All agencies are encouraged to adopt the CISA Cross-Sector Cybersecurity Performance Goals, a set of cybersecurity practices directed at reducing risk. These help organizations prioritize their investments and leverage scarce resources to focus on essential actions that have the biggest impact on security.

Finally, agencies are encouraged to exercise, test and validate their security programs against threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework.
