This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.
You’ve implemented multifactor authentication for access to your enterprise network. But what if multifactor authentication isn’t as foolproof as you’re hoping?
Are you comfortable betting your organization’s security on it?
The premise behind multifactor authentication is a good one—anybody who wants to access your network needs two or more things:
Users enter two of those (or three of them, to access especially sensitive resources), your server authenticates them, and they’re on your network. It’s more robust security than a simple username and password, and it makes bad actors work a lot harder to access your network.
That’s why multifactor authentication is such a commonly used approach in security for solving the problem of leaked or compromised credentials. But it’s not foolproof, and here’s why Recorded Future thinks you can do better.
Many multifactor authentication products, especially the ones suitable for consumer use, rely on SMS and send a code to the user’s phone in a text message. Unfortunately, SMS can be hacked or spoofed, with the result that the bad actor receives the code and is able to pass the authentication test.
Also, not all applications support multifactor authentication—that’s especially true of older systems—which leaves the door open to bad actors. There are passwordless authentication methods, but credentials are used to authenticate the system on the back end, so password security and the user’s identity can still be avenues for compromise.
Threat actors can brute force their way into accounts, defeat multifactor authentication, and breach organizations. There are many ways, unfortunately, that threat actors can accomplish this.
One way is by hijacking session cookies. Another way involves exploiting default multifactor authentication protocols. For instance, the United States Cybersecurity and Infrastructure Security Agency recently released a report warning that Russian state-sponsored threat actors were able to gain network access by taking advantage of an account set to default multifactor authentication protocols. That allowed them to enroll a new device for multifactor authentication access in their victim’s network, and then take advantage of a critical Windows vulnerability to run any code they wanted on the hacked network—with system privileges. One small mistake with multifactor authentication enabled threat actors to gain not only access but also significant control over the network.
Of course, threat actors are trying to breach thousands of networks every day. Suppose you had up-to-date intelligence that told you about their attempts all over the globe. That would give you a lot more information about them than just their IP address. Wouldn’t that help you decide whether their visit to your site was legitimate or not?
That’s the identity management model Recorded Future uses with Identity Intelligence. It arms security teams with real-time information about identity compromises worldwide so they can respond confidently, without any manual research. Identity Intelligence automates the collection, analysis, and production of intelligence from open-source, dark-web, and technology entities, including unique sourcing of malware log information. It combines that intelligence with world-class research to deliver an unmatched source of truth for identity management and authentication at a massive scale.
Identity Intelligence covers the most prominent use cases that enterprises face in a landscape of employees, partners, supply chains, and customers in an era of account takeovers and identity fraud:
It represents an important tool for securing user identity, as remote work and digital interactions across multiple channels increase the responsibilities of security and IT teams.
Recorded Future has released an integration between Identity Intelligence and Microsoft Azure Active Directory. The integration monitors new, compromised credentials found by Recorded Future, and places at-risk users into one or more different security groups, based on the client’s security policies and the nature of the compromise. For example, credentials from bulk data dumps that have been circulated before may pose a relatively low risk and warrant only an “informational” warning to the user. On the other hand, credentials stolen recently by info stealer software are at high risk and require immediate remediation by the affected users.
Microsoft Azure Active Directory (Azure AD) supports identity protection and can score user risk as low, medium, or high. The integration with Identity Intelligence complements that insight, layering more context and transparency into the risks associated with users’ identities. The easiest way to do this is by placing an at-risk user into one or more security groups based on the Identity Intelligence available from Recorded Future and pushing the details of Recorded Future’s Identity Intelligence into Microsoft Sentinel. That allows forensic teams to examine the compromised credentials and respond to any potential incidents.
Imagine how your company’s attack surface is constantly growing and your security team is seeing more events with each passing day. The team has too little context on user activity, so it can’t connect the dots between the external risk of detected threats and other insights. Its responses grow slower, increasing the likelihood that threats will slip through the cracks.
Identity Intelligence integrates with Azure AD through Azure Logic Apps. It uses one playbook to connect to Azure AD and Microsoft Sentinel and mitigate security risk by automatically positioning threat data in your Microsoft Sentinel environment. By layering real-time evidence on top of internal activity in Microsoft Sentinel, Identity Intelligence gives your security analysts the evidence they need to deal with threats.
Recorded Future is a member of the Microsoft Intelligent Security Association (MISA). It joins the independent software vendors and managed security service providers who integrate their solutions with Microsoft products to better defend against threats. Recorded Future indicators are also available as Microsoft Graph Security API indicators for use in security products from Microsoft and other partners.
Strong identity authentication is a must-have as your company faces a growing threat landscape and higher attack volumes.
Identity Intelligence from Recorded Future uses a combination of public sources and proprietary methods to help security teams to focus on the highest-risk user activity. It enables companies to address threats automatically, with out-of-the-box integrations and real-time insights for Azure AD and Microsoft Sentinel.
To learn more about the Microsoft Intelligent Security Association (MISA), visit the website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.
Microsoft Threat Intelligence continues to track and disrupt malicious activity attributed to a Russian state-sponsored actor we track as Star Blizzard, who has improved their detection evasion capabilities since 2022 while remaining focused on email credential theft against targets.
Since early October 2023, Microsoft has observed North Korean nation-state threat actors Diamond Sleet and Onyx Sleet exploiting the Jet Brains TeamCity CVE-2023-42793 remote-code execution vulnerability. Given supply chain attacks carried out by these threat actors in the past, Microsoft assesses that this activity poses a particularly high risk to organizations who are affected.
Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM).
Microsoft attributes several campaigns to a distinct Russian state-sponsored threat actor tracked as Cadet Blizzard (DEV-0586), including the WhisperGate destructive attack, Ukrainian website defacements, and the hack-and-leak front “Free Civilian”.
