Microsoft Active Directory Supply Chain Compromise Reflects Shifting Adversary Tactics to Exploit Identity

November 1, 2021

Identity Protection

Microsoft is having a bad month year. The industry has faced a crisis of trust with numerous challenges over the past year in securing Active Directory (AD), the IT foundation of most organizations. These challenges have included vulnerabilities with other critical Microsoft infrastructure services such Exchange (ProxyLogon, Autodiscover) and Azure (CosmosDB, OMI), and with core Windows (including several remote code execution vulnerabilities such as PrintNightmare).

Now we learn with the most recent Microsoft disclosure that COZY BEAR used a weak link in the authentication stack for Active Directory Federated Services (ADFS) to target 140 Microsoft resellers, resulting in the confirmation of 14 organizations being compromised. 

ADFS becomes critical when enterprises have to work with various cloud services and a broader ecosystem such as its supply chain. While this attack on the supply chain and Microsoft’s IT service providers may sound similar to the SolarWinds attack in 2020, the key difference is that attackers are using a common “unsophisticated password spray and phishing” technique, as opposed to exploiting legitimate software or zero-day vulnerabilities.

The theft of legitimate credentials makes such an attack campaign very difficult to discover using traditional SIEM analysis and post-event hunt methods. Microsoft put forth technical guidance to its service partners and affected customers; however, the complexity of following the steps (and reliance on customers to correctly configure systems for protection) makes it nearly impossible for an organization to respond adequately and still run its core business.  

To reduce this complexity, CrowdStrike has built the industry’s only cloud-native approach to protecting identities, specifically to ensure ease of deployment, operation and compatibility with a wide range of systems and cloud environments. 

The extension of this attack to the supply chain means that protecting immediate employees and assets for an enterprise is not enough, given the interconnectivity of all businesses, including the IT services affected in this recent attack. Supply chain attacks have risen 430% recently, as attackers find it easier to enter into an organization by the weakest points and then move laterally to the end target. To address the broadest protection for the supply chain, CrowdStrike uniquely protects not only endpoints and workloads with agents, but can also stop identity-centric threats for unmanaged endpoints and for users with federated services (e.g., Okta or ADFS).

Since credential or identity store compromise is used in nearly 60% to 80% of all breaches, we should not be surprised by attacks that continue to leverage identity-centric techniques. The solution cannot stop at implementing only post-disclosure patches, but in fact must enforce Zero Trust on every user, credential and resource.  

CrowdStrike is the only cloud-native company that can stop identity attacks in real time, without compromising user experience, as part of the core CrowdStrike Falcon® platform. We partner with a range of vendors, but securing identities is so important, we’ve built it into Falcon — effectively executing a Zero Trust security strategy with a strong foundation in identity protection.  

At CrowdStrike, we’ve worked extensively with the private and public sector on Zero Trust, and CrowdStrike is one of the largest security companies to directly align with industry standards such as NIST 800-207, which is the basis for recent government action to secure critical infrastructure.

While Zero Trust has a number of steps and key elements, organizations can be much more defensible if they can execute the following key principles (and extend this to their supply chain), even in the case of another Microsoft vulnerability:

  • Continuously verify. Always verify access, all the time, for all resources. This ensures that even if legitimate credentials are compromised (including those of service accounts), additional security can still be introduced by examining in real time not only the credential, but the context and behavioral aspects of the credential’s use. CrowdStrike ensures this occurs, without compromising the user experience, through risk-based, conditional access technology and real-time execution of machine learning analysis.
  • Limit the “blast radius.” If a breach does occur, limit the damage that the threat actor can do with that identity or compromised host/endpoint/workload. CrowdStrike uniquely enables identity-based micro-segmentation and features to understand privileges (including for service accounts). This approach reduces the burden for IT and security to maintain policy — unlike other technologies that rely on constant updating of network or policy rules. This segmentation can be done at the identity layer both on-premises and in the cloud environment.
  • Automate context collection and response. Incorporate behavioral data and get context from the entire IT stack (identity, endpoint, workload, etc.) for the most accurate response. Doing this in real time stops fast-moving threats that use lateral movement or a compromised credential. CrowdStrike’s cloud-native approach processes and analyzes terabytes of data and ensures data context can be collected from all elements — including threat intel, other vendors and cloud services — to ensure the most effective response. With CrowdStrike Store and technology partners, enterprises can rest assured they have the broadest data context that can be assimilated and acted on to deliver the industry’s most accurate response to stop identity-based attacks before they lead to a breach.

CrowdStrike is the leader in ensuring that enterprises and their supply chains are protected. Secure your infrastructure with the industry’s leading Zero Trust framework for cloud-native, identity-centric protection.

Additional Resources

Related Content