Microsoft Sentinel SOC 101: How to Detect and Mitigate Credential Reuse Attacks with Microsoft Sentinel
Get this entire series in a free, downloadable eBook https://aka.ms/SentinelSOC101
In the ever-evolving landscape of cybersecurity threats, identity-based attacks are on the rise. Attackers often target compromised accounts to escalate privileges or gather intelligence for their malicious activities. This is why identity has become the new security perimeter. To mitigate the risk of data breaches, organizations must make it harder for attackers to steal identities and implement tools that facilitate the detection of compromised accounts.
In this article, we will explore the best practices and strategies for detecting and mitigating credential reuse attacks with Microsoft Sentinel. By leveraging the advanced capabilities of Azure AD, organizations can significantly reduce the number of successful identity-based attacks.
Increase the Cost of Compromising an Identity
One of the primary reasons why identity-based attacks are successful is the vulnerability of passwords. People struggle to remember unique and complex passwords for multiple applications, leading them to reuse passwords or choose easily guessable ones. Attackers exploit this weakness through techniques like phishing campaigns and password spraying.
To make it harder for attackers to acquire and utilize stolen credentials, organizations should implement the following technical controls:
Ban Common Passwords
Start by banning the most commonly used passwords. Azure AD provides the capability to automatically prevent users from creating popular passwords, such as "password1234!" Organizations can also customize the banned password list with words specific to their industry or company, further enhancing password security.
Enforce Multi-Factor Authentication (MFA)
Multi-factor authentication adds an additional layer of security by requiring users to provide two or more forms of authentication, such as a password and a verification code sent to their mobile device. By implementing MFA, organizations significantly reduce the risk of account compromise, as stolen passwords alone are insufficient for attackers to gain access.
Block Legacy Authentication
Legacy authentication protocols, such as POP, SMTP, IMAP, and MAPI, are often targeted by attackers as they do not support MFA. Blocking these protocols eliminates a common access point for attackers and reduces the risk of account compromise. However, organizations need to carefully plan and execute the transition to modern authentication protocols to ensure a smooth migration.
Monitoring Legacy Authentication
To view all legacy authentication events:
SecurityEvent
| where EventID == 4624 and TargetLogonId != "0x0"   // successful logons; TargetLogonId is a string column, so the literal must be quoted
| extend LegacyAuthentication = iif(trim(@"\s+", LogonProcessName) in~ ("Advapi", "Ssp"), "True", "False")   // LogonProcessName is space-padded in the raw event, so trim before comparing
| where LegacyAuthentication == "True"
To view all legacy authentication events from a specific user:
SecurityEvent
| where EventID == 4624 and TargetLogonId != "0x0" and AccountName == "<username>"   // replace <username> with the account to investigate
| extend LegacyAuthentication = iif(trim(@"\s+", LogonProcessName) in~ ("Advapi", "Ssp"), "True", "False")
| where LegacyAuthentication == "True"
To view all legacy authentication events within a specific time frame:
SecurityEvent
| where TimeGenerated > ago(1d) and EventID == 4624 and TargetLogonId != "0x0"   // adjust ago(1d) to the window of interest
| extend LegacyAuthentication = iif(trim(@"\s+", LogonProcessName) in~ ("Advapi", "Ssp"), "True", "False")
| where LegacyAuthentication == "True"
To view the top 10 users with the most legacy authentication events:
SecurityEvent
| where EventID == 4624 and TargetLogonId != "0x0"
| extend LegacyAuthentication = iif(trim(@"\s+", LogonProcessName) in~ ("Advapi", "Ssp"), "True", "False")
| where LegacyAuthentication == "True"
| summarize count() by AccountName   // summarize names the result column count_
| top 10 by count_
To view all legacy authentication events from a specific source IP address:
SecurityEvent
| where EventID == 4624 and TargetLogonId != "0x0" and IpAddress == "<source IP address>"   // replace the placeholder with the IP under investigation
| extend LegacyAuthentication = iif(trim(@"\s+", LogonProcessName) in~ ("Advapi", "Ssp"), "True", "False")
| where LegacyAuthentication == "True"
Protect Privileged Identities
Users with administrative privileges are prime targets for cybercriminals due to their access to valuable resources and sensitive information. To minimize the risk of compromising these accounts, organizations should restrict their usage to administrative tasks only. Just-in-time privileges can further enhance the security of administrative identities by requiring approval before sensitive resources are accessed and by making that access time-bound.
Detect Threats Through User Behavior Anomalies
While technical controls can reduce the risk of a breach, determined adversaries may still find ways to infiltrate an organization's systems. To discover and respond to threats effectively, organizations need the right data and tools to uncover patterns across different data sets and timeframes.
Event Logging and Data Retention
Capturing and retaining relevant data is crucial for detecting and investigating anomalies. Organizations should ensure they comply with privacy regulations and contractual obligations when determining the types of data to store and the retention period. Storing a sufficient amount of data enables organizations to identify patterns, even in recent behavior, by comparing it against historical information.
Leverage User and Entity Behavioral Analytics (UEBA)
User and Entity Behavioral Analytics (UEBA) employ artificial intelligence and machine learning to model typical user and device behavior. By establishing baselines, UEBA solutions can identify anomalies and assign risk scores to activities that deviate from the norm. Analyzing large data sets and prioritizing high-risk alerts enables organizations to detect potential threats and respond promptly.
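As an added example that is not part of the original article, the following query combines the legacy-authentication filter from the monitoring queries above with the baseline idea from the UEBA section: it compares each account's legacy-authentication logons over the last day against that account's own average over the preceding 30 days and surfaces accounts that spike or that have no history at all. The table and field names are those used above; the 30-day window, the 3x multiplier and the +5 floor are assumed, illustrative thresholds.

```kql
// Added example, not from the original post. Thresholds are illustrative assumptions.
let lookback = 30d;          // baseline window
let recent = 1d;             // window under review
let legacy = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and TargetLogonId != "0x0"
    | where trim(@"\s+", LogonProcessName) in~ ("Advapi", "Ssp")   // same legacy-auth heuristic as above
    | project TimeGenerated, AccountName, IpAddress, Computer;
// Per-account baseline: average daily legacy logons before the recent window
let baseline = legacy
    | where TimeGenerated <= ago(recent)
    | summarize BaselineTotal = count(), BaselineIPs = dcount(IpAddress) by AccountName
    | extend BaselineDaily = toreal(BaselineTotal) / ((lookback - recent) / 1d);
// Recent activity joined to the baseline; accounts without history stay via leftouter
legacy
| where TimeGenerated > ago(recent)
| summarize RecentCount = count(), RecentIPs = make_set(IpAddress, 20), Hosts = dcount(Computer) by AccountName
| join kind=leftouter baseline on AccountName
| extend NewAccount = isnull(BaselineTotal)              // no legacy logons in the baseline window at all
| extend BaselineDaily = coalesce(BaselineDaily, 0.0)
| where RecentCount > BaselineDaily * 3 + 5              // spike relative to the account's own norm
| project AccountName, RecentCount, BaselineDaily, BaselineIPs, RecentIPs, Hosts, NewAccount
| order by RecentCount desc
```

Accounts that appear with NewAccount set to true or with many distinct RecentIPs are the first to triage, since a legacy protocol suddenly used from several sources is consistent with a reused or sprayed credential.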
Assess Identity Risk
To make informed decisions about security controls and measures, organizations need to assess their current identity risk. Penetration tests and password spray tests can help uncover vulnerabilities and highlight weak points in the organization's security posture. Conducting simulated phishing campaigns can also provide valuable insights into user awareness and susceptibility to social engineering attacks. Entra Identity Protection can assist in identifying users at risk and monitoring risky behavior as organizations strengthen their security controls.
Summary
Identity-based attacks pose significant threats to organizations' security and confidentiality. By implementing the best practices outlined in this article and leveraging the capabilities of Microsoft Sentinel, organizations can effectively detect and mitigate credential reuse attacks. Increasing the cost of compromising identities, detecting threats through user behavior anomalies, and regularly assessing identity risk are essential steps towards building a robust security posture.
Stay one step ahead of attackers by prioritizing identity security and adopting proactive measures to safeguard your organization's critical assets. With Microsoft Sentinel and Azure AD, you can protect your identities and ensure the integrity of your digital ecosystem.
Remember, maintaining a strong security posture is an ongoing effort, requiring continuous monitoring, assessment, and adaptation to emerging threats.