The Anatomy of a Cyber Attack

History repeats itself – but hasn’t completely prepared us for invisible adversaries. How you can protect yourself and your organization in this new era of clandestine cyber-attacks. 

TL:DR – Skip to the bullets and “How You Can Protect Your Organization Right Away”

Intro

By now everyone has heard the news at the end of January 2024 about the breach at Microsoft when a threat actor, Midnight Blizzard, infiltrated a “legacy non-production test tenant account and gained a foothold.” Other, equally large companies were hacked by the same actor, such as HPE. And it seemed like overnight, everyone suddenly really cares about their security posture.

My people, what happened to Microsoft and HPE is nothing new. The concept of infiltrating, attacking, and stealing from an entity larger than yourself for financial gain has been happening since the beginning of time. The only thing that has changed is the sophistication of the weapons and the evolution of the world stage.

If you don’t skip ahead - let me provide some more context and backtrack to the impetus of this post.

The Catalyst

I recently led a webinar with my cohort, Nicolas Blank, around how to “Identify and Fix Application Security Vulnerabilities in Entra ID.” We explored what happened in the Midnight Blizzard attack(s); We also discussed why Identity is important in cloud computing; why Identity Governance is crucial for maintaining data integrity and confidentiality; and the roles that Identity, Authentication and Authorization all play and how they function together.

Of course, Nic rambled on about Zero Trust for a while…guess he has the right, since he basically helped write the Manual for Microsoft’s Zero Trust Architecture. He did break down the key technical components for us though, in a way that was a little easier to understand...Then I brought things back to reality with the way typical exploits are currently trending, including all those different types of pesky injection attacks; also gave some more color around broken authentication attacks, including Session ID Hijacking, Cross-site scripting, and token cracking; and other loopholes such as incorrect logging and monitoring, which can all lead to attackers getting in and staying in longer than you want.

Then we got to some good stuff around solutions and how you can stay protected, and where you start with things like apps without role assignments, orphaned apps, Public Client Flows, outdated Authentication protocols, and that’s just the tip of the iceberg...it’s a lot, my friends, a lot for organizations to manage, but there are automated application governance tools that can help. And it’s so vitally important to seek out those tools, so you can keep up with threat actors who are always one step ahead of you.

And after spending so much time thinking about the anatomy of these digital attacks, the existential side of me started thinking…How did “we” all get here, as a society? Blindly defending ourselves against invisible attackers?

Current Landscape: 2024

For posterity, here’s a quick sketch of the current landscape: We live in an “always on” world. Everything must be connected to the world-wide-web – it’s how we pay our bills, how we purchase products and services, how we bank, heck - even how we date and find mates to cohabitate with. News, elections, wars are waged - all on the internet. It is now the fabric and foundation of life for the human species.

Countries are measured against their ability to provide broadband services. Terms like “Digital Prosperity” have been coined over the last 10 years to indicate the impact of broadband services across the globe, and some countries like Sweden have written broadband into law as a basic human right - a clear indication of the importance of the internet.

So, what happens when this foundation of our very existence, becomes unstable? When something we rely on so heavily in our personal and professional lives, what happens when we can’t trust it? How do we conduct ourselves and our businesses in a way that is effective, without fear of being compromised?

The fact is, every day companies across the globe (like Microsoft) are being compromised, infiltrated in some way, shape or form. Many organizations have no idea that there’s a nefarious character lurking inside of their “network,” snooping around for goodies in the form of data. Data is what they are after mostly, but in some cases, are phishing and trying to get someone to perform a financial transaction.

However, as with every industrial revolution, we must take the good with the bad. Humor me with a brief a historical detour which will help frame the big picture.

History Repeats Itself

Here's a quick analogy for you around industrial development, and how the onus is on us, the humans:

The Good: We see massive opportunities that the internet and broadband has ushered into the economy which is the good. Countries have used the internet to accelerate growth.

The Bad: Just like coach and train robbers back in the late 17th century curtailed the success of the first Industrial Revolution, it’s the same scenario and exactly where we are today with the fourth Industrial Revolution, and the advent of cyber threats. Only now, there’s no longer a visible, proverbial “bad guy” standing in your path and brandishing a weapon – there are threat actors lurking in your tenant, possibly siphoning data, and their presence may not even be detected until it’s far too late.

It's problematic to such an end that we have a completely new sector of IT that focuses 100% on trying to prevent cyber-attacks from happening. And still, Cybercrime is estimated to cost the world $9.5 trillion USD in damages in 2024, according to Cybersecurity Ventures. My point is - security is gargantuan. It always has been, throughout all four Industrial Revolutions, and it continues to grow at an abounding pace with no indication of slowing down.

So, the big question now is: Where does that leave us, the consumers of all things’ internet?

At least when someone breaks into your house, you can usually see pretty quickly what is missing and has been stolen. It’s not the same with information theft. Your adversary is invisible. The theft can be invisible, and you may not notice immediately. And because these threat actors are resourceful, they cover their tracks and disappear like a thief in the night, except they are virtual. The stories of people who have had millions of dollars, their lifesavings stolen because of credential theft is literally, in the millions.

It used to be easy to protect yourself. Lock your door, purchase a firearm, train in taekwondo, make sure you have a home alarm, have 911 on speed dial, etc. In a digital world, the rules are completely and utterly different. What defense strategies do you as a person, as an organization, deploy to keep yourselves "safe?"

The Anatomy of a Cyber Attack

Just to reiterate – this framework is nothing new. In the past, we IT Pros dropped firewalls in front of everything and that got us through the night. Today, however, with everything having a public endpoint and identity being the most compromised/attacked vector, how are these attacks happening? Let me walk you through it.

Reconnaissance (such a spy movie word)

It starts with hackers identifying the target organization, and then scanning for any vulnerabilities of said organization. This could be an exposed exploit in a website, an unsecured port on an endpoint, or as we have been blogging, webinaring, and harping about - risky applications in Entra ID. The great unknown - where Identity admins must now understand all things public and confidential applications.

However, there is still yet a simpler, more subtle attack vector - a human that has clicked on a link. Yes, that one. The unsuspecting team member that receives a mail with malware attached or a spoofed request to click on a link from someone they know.

Elevation

Once in, the attacker/s trawl the environment to seek out either valuable information that could be held for ransom or target systems that they can destroy, costing the organization downtime, ergo money.

Expansion

Unless they plan to bring down the organizations’ whole environment, most attackers stick around, gathering information over time. Months could go by without anyone knowing that their environment has been compromised.

Obfuscation

Like any good agent, you never leave breadcrumbs that could lead back to you. Just ask Hansel and Gretel how it worked out for them.

How You Can Protect Your Organization Right Away

Ok, enough with the history lesson and scare tactics – you might be asking yourself, “Cool story Al, but what should I do now with all of this information?” (And yes, you could’ve skipped the entire diatribe above and just read this part, but where’s the fun in that?)

Please Note: This is not a concise, step-by-step guide to improving your security. It’s just a few things that have been ingrained in my brain that I would recommend most customers do immediately, to help prevent an attack:

1. MFA - simple and very effective.
2. No Global Admins - Use Privileged Identity Management.
3. Strong Auth - If you can’t enforce #2, make sure that you force strong auth across all admin roles and admin portals. Wanna know which portals, have a look here. (Shout out to Adam Fowler.)
4. Tokens - Shorten token lifetimes.
5. Purge any elevated access often.
6. Switch on admin consent workflows and make sure that admins evaluate each request.
7. Check and recheck App registrations in your tenant.
8. Conditional Access is your best friend. Use it well.
9. Track what your admins are doing and configure alerts when they do things.
10. Continuous evaluation of your security posture.

And please, for the love of all things Zero Trust, implement an actual cyber security strategy.

In Closing

To conclude my tangent and little journey through time, I will leave you with this parting thought and piece of advice: Like building a quantum computer, it takes special skills to thwart a cyber security attack, and the average human is not equipped with the necessary skills to protect themselves from any offensive. However, there are automated tools out there that can help your organization stay secure - USE THEM.

That’s right, ENow’s AppGov tool can help you improve your security posture around many of the items on my list above. ENow’s AppGov Score is a free security assessment tool that quickly quantifies how many risky apps are lurking in/jeopardizing your Entra ID tenant. From there, AppGov Accelerator continuously monitors your environment, automating the process and providing Identity admins with reports and alerts.

The big thing here is – ENow’s AppGov tools provide you with visibility into your Entra ID environment. This puts IT teams on the offensive, admins can see what apps and threats are lurking in your tenant, so your vulnerabilities and your adversaries aren’t completely invisible anymore. You can quickly find out how many apps without role assignments you have in your Entra ID tenant. Run a report to review your App Registrations and prevent privilege escalation attacks. Easily identify apps in your tenant with Public Client Flows, and make sure they are securely configured. Automate the way you audit application usage, full-access permissions, and easily monitor roles that can consent to applications so you can strengthen your security posture immediately.

And these are just a few facets of automated Application Governance you can control for your organization, and what it’s going to take in this hyper-connected world to keep your data and the company coffers safe.

Do you know what apps are lurking in your tenant? The ENow AppGov Score is a free security assessment tool that will quantify your application governance state quickly.  In addition to providing your AppGov Score, the tool will provide a comprehensive Application Governance Assessment report that includes each test, your result and why the test matters. Sign up to get your score and assessment report in just a few minutes - Get Your AppGov Score today!