Learn how, with hybrid identity, a secure and stable on-premises Active Directory is the foundation for a secure Azure AD. Review how a typical attack and privilege-elevation scenario works.
- [Narrator] As someone tries to compromise your environment, there are a number of steps that they usually take. Obviously, every time and every occurrence is going to be a little bit different, but there are certain things that tend to be consistent. And the beginning, of course, is how they gain entry to the network. A lot of times this happens with compromised credentials, and phishing attacks, or attempts on normal users and employees, are a really common way that happens. Many times, people get an e-mail that looks very convincing, and they click on it and think it's actually a login prompt, for example, and provide valid credentials.
From there, the attacker begins to figure out how they can actually use those and get on to the network. And once they're on the network, they start trying to expand their domain, or expand their reach. And the way they do this is they start doing what's called reconnaissance of the network. They want to map out all the potential targets, and to do this they often use really simple tools. As simple as looking at DNS servers, for example, or looking through a compromised e-mail inbox for e-mails from IT that might talk about other systems. They use tools that can anonymously detect where other people are logged on, and all sorts of other things like that.
And the goal here, as they learn about all these different systems, is to figure out how to gain access to those systems, and to begin escalating privileges, with the ultimate goal of owning the entire environment. As the attacker starts to escalate privileges, they also want to move laterally across the environment. So it's not just on the one host, or series of hosts, they've compromised, but moving at that same level of privileges, and eventually higher levels of privileges, across the entire environment. So one of the first steps to doing this is starting to have administrative access to the PC or server or servers that have been compromised.
And as they gain this level of access, it enables them to do other things to gain additional credentials. You can think of this as a stepping stone to being able to move laterally across the entire network. Each time the attacker moves to a new machine, or a new host, they're looking to see if they can't escalate privileges and have an even higher level of access. As they figure out how to get those higher levels of access, they repeat the entire process again, only now using that higher amount of access to move across the entire environment. Eventually, what happens is the attacker becomes successful, and they gain Domain Admin access to your Active Directory environment.
At that point, they effectively have complete control of the entire network, and they can use this to do anything they want. They can create new administrative accounts, they can access practically any host on the network, or make the changes necessary to grant themselves access. They have access to all data, so they can use that access to start exfiltrating data, and ultimately, what happens here is this is the end game. They own the entire environment. They can do whatever they want. Often, with these processes, it takes many months for this to happen. The attacker gains access to the network, and they remain there, waiting for the opportunity to take the next step.
This is often known, in industry terms, as a persistent threat, because the attacker's there for a longer period of time, and it's often very hard to detect that. Microsoft's Advanced Threat Analytics, or ATA, is all about finding this, and looking for scenarios where this has happened, where machines have been compromised, and what's going on. And the goal, of course, is that ATA detects this when the attacker enters the environment, or as close to when that happens as possible, and detects the attempts to escalate, not detecting the end game, where they've owned the entire environment.
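The narrator describes the pattern ATA is built to catch: one set of credentials fanning out across many hosts in a short window, followed by a change to a privileged group. The following is an added example (it is not ATA's detection logic and not code from the course) that shows the shape of two such checks run over a handful of constructed Windows Security event records. The event IDs used are real ones (4624 successful logon, with LogonType 3 meaning a network logon; 4728 member added to a security-enabled global group), but the records themselves, the user and host names, the 10-minute window and the threshold of four hosts are all assumptions chosen for illustration.

```python
"""Toy detectors for the lateral-movement and privilege-escalation steps
described above. Added example; this is not how ATA implements detection."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not captured from a real log). Field names
# loosely mirror the Windows Security log: 4624 = successful logon
# (LogonType 3 = network logon), 4728 = member added to a global group.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:05", "id": 4624, "user": "jdoe", "host": "WS01", "logon_type": 2},
    {"time": "2024-01-10T09:02:11", "id": 4624, "user": "jdoe", "host": "FS01", "logon_type": 3},
    {"time": "2024-01-10T09:02:40", "id": 4624, "user": "jdoe", "host": "FS02", "logon_type": 3},
    {"time": "2024-01-10T09:03:05", "id": 4624, "user": "jdoe", "host": "SQL01", "logon_type": 3},
    {"time": "2024-01-10T09:03:30", "id": 4624, "user": "jdoe", "host": "DC01", "logon_type": 3},
    {"time": "2024-01-10T09:04:00", "id": 4624, "user": "jdoe", "host": "DC02", "logon_type": 3},
    {"time": "2024-01-10T09:10:00", "id": 4728, "user": "jdoe", "host": "DC01",
     "group": "Domain Admins", "member": "svc-backup"},
    {"time": "2024-01-10T09:15:00", "id": 4624, "user": "asmith", "host": "WS07", "logon_type": 2},
    {"time": "2024-01-10T10:20:00", "id": 4624, "user": "asmith", "host": "FS01", "logon_type": 3},
]

# Assumed tuning values: a real deployment would derive these from baselines.
WINDOW = timedelta(minutes=10)
HOST_THRESHOLD = 4
WATCHED_GROUPS = ("Domain Admins", "Enterprise Admins", "Schema Admins")


def _parse_time(value):
    return datetime.fromisoformat(value)


def detect_lateral_movement(events, window=WINDOW, threshold=HOST_THRESHOLD):
    """Return {user: set_of_hosts} for accounts whose network logons (4624,
    LogonType 3) reach `threshold` distinct hosts inside any `window`."""
    by_user = defaultdict(list)
    for event in events:
        if event["id"] == 4624 and event.get("logon_type") == 3:
            by_user[event["user"]].append((_parse_time(event["time"]), event["host"]))

    findings = {}
    for user, logons in by_user.items():
        logons.sort()
        # Slide a window starting at each logon and count distinct hosts in it.
        for i, (start, _) in enumerate(logons):
            hosts = {host for ts, host in logons[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                findings[user] = hosts
                break
    return findings


def detect_privileged_group_change(events, watched=WATCHED_GROUPS):
    """Return the 4728 events that add a member to a watched admin group;
    this is the 'create new administrative accounts' step from the text."""
    return [e for e in events if e["id"] == 4728 and e.get("group") in watched]


if __name__ == "__main__":
    for user, hosts in detect_lateral_movement(SAMPLE_EVENTS).items():
        print(f"possible lateral movement: {user} -> {sorted(hosts)}")
    for e in detect_privileged_group_change(SAMPLE_EVENTS):
        print(f"privileged group change: {e['user']} added {e['member']} to {e['group']}")
```

On the constructed data, `jdoe` trips the lateral-movement check (five distinct hosts inside two minutes, including two domain controllers) while `asmith`, with a single network logon, does not; the separate group-membership check then surfaces the addition of `svc-backup` to Domain Admins. The point of keeping the two checks apart is the one the narrator makes: the first fires while the attacker is still expanding their reach, which is where you want detection, rather than only at the end game.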