Remote Working: Fewer people working on-premises doesn’t mean less risk to their identities

June 1, 2020
The original article is published on the Microsoft Tech Community Security, Privacy and Compliance Blog.

Collaborated with @Ricky Simpson.

Almost everyone has had their work-life routines interrupted by the COVID-19 pandemic. Many people are working from home for the first time, leaving vast numbers of workplaces sitting empty. It’s vital that organizations continue to protect the resources that reside on-premises. As we’ve seen already, attackers are using COVID-19 to extract information from people by preying on their fears. 

 

Two notable trends have emerged: 

 

First, the necessity of remote work has led organizations to quickly reevaluate how staff access information. They cannot guarantee the efficacy of their users’ home network security, and a big part of how risk was identified before – as a user trying to access resources remotely – is now part of the norm post-pandemic. Organizations must balance the demands of a remote workforce with the appropriate security considerations.

 

Second, IT teams are under enormous pressure to maintain business continuity and spin up new technologies to enable remote work. A sudden shift in priorities could increase the risk of attacks on on-premises resources going unnoticed, especially if the attacks are more subtle in nature, like network reconnaissance.

 

How can we continue to monitor risk based on user activity, and how can we continue to protect on-premises resources when we’re nearly all using cloud technologies to work through this period of uncertainty?  

Protection with Azure Advanced Threat Protection

 

As organizations shift to remote work, remote users could be connecting directly to on-premises resources, leaving open connections to corporate assets. Routers without proper and secure configuration are vulnerable. Attackers can take advantage of these and use reconnaissance techniques to map all the users in the organization, move laterally in search of users and assets to exfiltrate, and ultimately gain persistence in the environment.

 

Organizations need to strengthen their cloud defense strategy during COVID-19; however, it is important to protect on-premises environments as well. Azure Advanced Threat Protection (Azure ATP) is a cloud-based security solution that leverages on-premises Active Directory (AD) signals to protect on-premises identities, detect and investigate lateral movement of on-premises attacks, and identify compromised identities and malicious insiders.  

Azure ATP can identify account enumeration reconnaissance and provide details about the resource being accessed, providing the necessary evidence and data enrichment. The attack can be quickly remediated by changing the user's password and enforcing multi-factor authentication (MFA) before further damage can be done.  

 

In addition, Azure ATP’s identity security posture assessments recognize common misconfigurations, legacy components, and dormant entities that can expose the organization. For example, Azure ATP identifies dormant accounts that have been disabled or expired in Active Directory. Organizations that fail to secure dormant user accounts are leaving the door unlocked for their sensitive users.

 

Azure ATP also provides remediation and action plans to improve the organization’s security posture. Now more than ever, when administrators have limited visibility into on-premises apps and services that could introduce new vulnerabilities, it should be top of mind to reduce the attack surface.  

 

For example, a common vector attackers can use to compromise identities is legacy protocols such as NTLMv1. Azure ATP uncovers internal entities and applications that leverage these protocols and helps admins review the impacted entities and take the proper actions, including disabling the protocols.

 

Attacks play out in phases: discovery, credential access, lateral movement, and persistence. Azure ATP leverages network traffic, trace data, and events to find anomalies quickly, using a combination of behavioral known attack techniques and security signals. This provides visibility at each stage of an attack and clearly outlines the investigation and remediation steps throughout.

During this pandemic we’ve seen organizations deploy Azure ATP on-premises and begin protecting their identities. It’s easy to deploy even in large environments with numerous domain controllers, and it can be done within hours, to provide immediate value and help organizations identify the attacker’s steps.

 

 

To protect your on-premises identities, identify attackers, and reduce your attack surface, deploy Azure ATP on all your domain controllers. Throughout these unprecedented times, protect hybrid and on-premises environments and ensure users are protected and can successfully work remotely uninterrupted.

 

For more information on Azure ATP, please find all documentation here. To begin a trial of Azure ATP, click here. To find out how to set up your Azure ATP instance, click here.

 

Azure ATP also feeds into Microsoft Threat Protection, Microsoft’s end-to-end experience that integrates and correlates signals from Microsoft 365 security products, including Office 365 ATP, Microsoft Defender ATP, and Microsoft Cloud App Security, responding to attacks and healing affected assets across user identities, endpoints, cloud applications, and email and collaboration tools. Click here to see how SecOps teams can use signals from across Microsoft’s security portfolio to advance their threat protection capabilities.

 

Discuss this article in the Microsoft Technical Community.