The pace and diversity of cyberattacks are on the rise. Recently we have seen high-profile ransomware incidents, including the Colonial Pipeline attack, and a newer attack vector in which a software product is compromised (Kaseya, SolarWinds) and that product is then used to reach the many organizations that run it. Gone are the days of a lone hacker going after an organization: recent attacks have provided substantial evidence of state-sponsored activity. The trend is clearly towards more sophisticated attacks and a greater volume of them. This should not surprise anyone in Information Technology (IT), since increasing complexity and a quickening pace of change have been with us for decades.


Perimeter-based security

IT organizations have traditionally focused on securing the perimeter. The assumption behind perimeter security is that you can draw a circle around your organization's networks and achieve effective security by controlling everything that crosses that circle.

Figure 1: Securing the perimeter

Zero Trust / Assume Breach

Unfortunately, an organization that focuses only on securing the perimeter does not effectively consider the risk posed by the systems already inside the circle. This is where the zero trust security model (also known as perimeterless security) becomes relevant. Under zero trust, no device or user is trusted by default; every access request is authenticated and authorized on its own merits, rather than being trusted simply because it originates from the organization's internal network (i.e. inside the circle).

Two other terms commonly heard in the security space are "Prevent Breach" and "Assume Breach." Prevent Breach focuses on keeping attackers out of the environment. Assume Breach starts from the premise that an attacker is already inside and focuses on detecting and containing attacks that originate from systems within the organization.

COVID-19 forced many organizations to move users from working in an office to working from home. This shift not only moved the users and their devices; it also blurred the boundary between what is and is not part of the organization's network, further necessitating a change in how organizations approach security.


The Cyber Kill Chain

The cyber kill chain, also known as the intrusion kill chain, defines the common phases of a cyberattack. The exact phases vary with the kill chain model you use, but they all follow a similar pattern: the attack starts with external reconnaissance and ends with the exfiltration of assets. The steps in between depend on the type of attack, but typically the intruder first compromises a low-privileged account and then uses it to obtain higher privileges so that more tightly secured resources become accessible. This step is known as privilege escalation.

Figure 2: The kill chain


Tools and good practices to disrupt the kill chain

A variety of tools can help stop attackers from progressing through an attack. They provide ways to disrupt the kill chain so that the attacker never reaches the point of exfiltrating information. In this article we look at how Senserva, combined with Azure Sentinel, can be used to disrupt the kill chain.

Solid processes also make it harder for attackers to advance along the kill chain. For example, successful exploits commonly result from poor patch management. Proper patch management is not a silver bullet, but it does make it harder for attackers to find a vulnerability they can exploit. To better understand patch management, see the infographic available here. Covering the basics, such as good security processes, good patch management processes, and the right tools, goes a long way towards slowing an attacker's progress towards the assets they want.

Azure Sentinel

Microsoft has been spending more than 1 billion dollars a year on security, data protection, and risk management since 2015, and recently announced that it plans to spend $20 billion on cybersecurity over the next five years. One area of that investment is Azure Sentinel. For background, Azure Sentinel is a Microsoft solution designed to function as both a Security Information and Event Management (SIEM) system and a Security Orchestration, Automation and Response (SOAR) platform. See this blog post for more details.


Senserva

Senserva expands on the functionality available in Azure Sentinel by providing more in-depth information from Azure Active Directory and other sources. See this blog post for more details.


Preventing Privilege Escalation today

Senserva can help disrupt the kill chain by identifying privilege-escalation paths that run through applications registered in Azure Active Directory.

Senserva's solution identifies the permissions and roles that applications hold, along with the users and owners of each application. Applications are often overlooked, but an attacker can escalate privilege through the context of an application's service principal (for example, an owner of an application can add a credential to it and then authenticate as the application, inheriting every permission it has been granted) and use that privilege to reach the company data they want to exfiltrate. Senserva presents this information to the security administrator, who can close off these vectors by changing or removing the access, and Sentinel's automated-response capability can be used to stop an attacker from continuing down this path.


Preventing Privilege Escalation tomorrow

Privileged Identity Management (PIM) in Azure lets lower-privileged accounts that are eligible for a role request a temporary, time-bound activation of that role so they can perform tasks requiring additional rights, instead of holding those rights permanently.

Senserva is extending its coverage to additional escalation paths, such as escalating privileges through PIM. Microsoft's security analysis for MFA does not currently take PIM roles into account. Senserva identifies the PIM roles a user is eligible for and the conditions attached to those assignments, and adds those roles and entitlements to the permissions analysis, going further than a conventional audit of active role assignments.
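The two escalation paths described in this section and the previous one (an application's service principal reached through ownership, and PIM-eligible roles that an audit of active assignments alone misses) can be folded into a single effective-privilege check. The following Python is an added example written for this article; it is not Senserva's or Microsoft's code. The tenant inventory is constructed, and the sets of "Tier-0" application permissions and directory roles are an illustrative choice, not any product's definition.

```python
"""Effective-privilege analysis over an Azure AD-style inventory.

Added example for this article; it is not Senserva's or Microsoft's code.
It folds two escalation paths that a list of active role assignments misses
into one view: (1) ownership of an app registration whose service principal
holds Tier-0 application permissions, and (2) PIM-eligible roles the user can
activate on demand. The data shapes loosely follow Microsoft Graph objects;
the inventory itself is constructed for illustration.
"""

# Microsoft Graph application permissions that amount to tenant control: a
# service principal holding one can grant Global Administrator to anyone.
# (Illustrative set; a real analysis would be broader.)
TIER0_APP_PERMISSIONS = {
    "RoleManagement.ReadWrite.Directory",
    "Directory.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
}

# Azure AD directory roles treated as Tier-0 in this example.
TIER0_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# ---- Constructed sample inventory (hypothetical tenant, not real data) -----
# Active (permanent) directory role assignments per user.
USERS = {
    "alice@contoso.example": {"Global Administrator"},
    "bob@contoso.example": set(),
    "carol@contoso.example": {"Helpdesk Administrator"},
    "dave@contoso.example": set(),
}
# PIM eligible assignments: roles the user may activate without a new grant.
PIM_ELIGIBLE = {
    "carol@contoso.example": {"Global Administrator"},
    "dave@contoso.example": {"Security Reader"},
}
# Service principals with their owners and granted application permissions.
SERVICE_PRINCIPALS = [
    {"displayName": "HR-Sync", "owners": {"bob@contoso.example"},
     "appPermissions": {"User.Read.All", "Directory.ReadWrite.All"}},
    {"displayName": "Mail-Bot", "owners": {"dave@contoso.example"},
     "appPermissions": {"Mail.Send"}},
    {"displayName": "Backup-Agent", "owners": {"alice@contoso.example"},
     "appPermissions": {"RoleManagement.ReadWrite.Directory"}},
    {"displayName": "Legacy-Connector", "owners": set(),
     "appPermissions": {"AppRoleAssignment.ReadWrite.All"}},
]


def effective_privileges(user, users=USERS, pim=PIM_ELIGIBLE,
                         service_principals=SERVICE_PRINCIPALS):
    """Return {tier0_privilege: path} for every Tier-0 privilege `user` can reach.

    Precedence when one privilege is reachable several ways: an active role,
    then a PIM-eligible role (activate it), then a Tier-0 app permission on a
    service principal the user owns (an owner can add a client secret or
    certificate to the app and sign in as it).
    """
    paths = {}
    for role in users.get(user, set()) & TIER0_ROLES:
        paths[role] = "active role assignment"
    for role in pim.get(user, set()) & TIER0_ROLES:
        paths.setdefault(role, "PIM-eligible role: activate on demand")
    for sp in service_principals:
        if user not in sp["owners"]:
            continue
        for perm in sp["appPermissions"] & TIER0_APP_PERMISSIONS:
            paths.setdefault(
                perm,
                f"owner of '{sp['displayName']}': add credential, sign in as app")
    return paths


def find_hidden_escalations(users=USERS, pim=PIM_ELIGIBLE,
                            service_principals=SERVICE_PRINCIPALS):
    """Users whom an audit of active roles alone would call unprivileged, but
    who can reach Tier-0 through PIM activation or app ownership."""
    findings = {}
    for user, active_roles in users.items():
        if active_roles & TIER0_ROLES:
            continue  # already Tier-0; nothing hidden to report
        reachable = effective_privileges(user, users, pim, service_principals)
        if reachable:
            findings[user] = reachable
    return findings


def orphaned_tier0_apps(service_principals=SERVICE_PRINCIPALS):
    """Tier-0 service principals with no owner: nobody is accountable for
    them, and the usual 'remove the owner' remediation does not apply."""
    return [sp["displayName"] for sp in service_principals
            if not sp["owners"] and sp["appPermissions"] & TIER0_APP_PERMISSIONS]


if __name__ == "__main__":
    for user, paths in find_hidden_escalations().items():
        for privilege, path in paths.items():
            print(f"{user}: {privilege} via {path}")
    print("orphaned Tier-0 apps:", orphaned_tier0_apps())
```

On the constructed inventory, the active-role audit reports only alice, while the effective-privilege view also surfaces bob (owner of an app holding Directory.ReadWrite.All) and carol (eligible to activate Global Administrator through PIM); dave owns only a mail app and is eligible only for a read-only role, so he is correctly not flagged. In a real tenant the same inputs come from Microsoft Graph (service principal owners and app role assignments, and the PIM role eligibility schedule instances), and each finding maps directly to a remediation an administrator or a Sentinel playbook can apply: remove the owner, revoke or reduce the application permission, or review the PIM assignment and its activation conditions.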

Summary: Covering the basics, such as effective patch management, adopting a zero trust approach, moving beyond a perimeter-based security approach, and deploying effective tooling, such as Azure Sentinel and Senserva, can go a long way to helping secure the assets that are critical to your organization.