Learn how to protect against and recover from data breaches in Office 365
- 1. Learn How to Protect Against and Recover from Data Breaches in Office 365 Theresa Eller, Microsoft Premiere Field Engineer [email protected] Antonio Maio, Protiviti Senior Enterprise Architect & Microsoft MVP [email protected]
- 4. AGENDA 01 Common Attack Patterns 02 Types of Security Breaches 03 What Does a Security Breach Look Like 04 How to Investigate & Recover from an Attack 05 Protect from Future Attacks
- 6. lllllllll lllllllll Phishing Password Spray Breach Replay 200K password spray attacks blocked in August 2018 23M high risk enterprise sign-in attempts detected in March 2018 4.6B attacker-driven sign-ins detected in May 2018 John Doe lllllll
- 7. PHISHING & SPEAR PHISHING • One of the Most Common Attack Vectors • Targeted Attacks – They are formatted for you! • Attackers do their research • OS-INT (open source intelligence)
- 8. PHISHING & SPEAR PHISHING • Lots of examples… ▪ Someone has accessed your account ▪ Verify your account ▪ Renew your subscription ▪ iTunes Receipt ▪ Replies (subject starting with Re:) when you never received original ▪ Review your PayPay account ▪ Review this invoice ▪ Urgent action required…
- 9. CREDENTIAL STUFFING • So Many Passwords! • So many its Difficult for us to remember them all! • Attackers will rely on human nature! CREDENTIAL STUFFING: Re-using the Same Passwords Across Multiple Systems
- 10. ACCESSING CREDENTIALS & SAVING ON HOME PC • Exposes Credentials to Home Users • Exposes Credentials to Software that Home Users Download … like malware!
- 11. Types of Security Breaches
- 14. What Does a Security Breach Look Like
- 15. WHAT DOES A SECURITY BREACH LOOK LIKE? • Email anomalies • Emails from people/groups you don’t normally communicate with • Notifications from banks and online services you don’t normally interact with • Typos • Urgent call to action • Old contact information (old titles) • Slow computer/Slow web access
- 17. • • • External Threat Phishing Research/OS-Int Only send to smaller partners (those less likely to have good security practices)
- 18. • • • External Threat Phishing Only send to smaller partners (those less likely to have good security practices) • • • • [email protected] •
- 19. • • • External Threat Phishing Target specific executives within the organization that are likely to have access to financial information • • • • •
- 22. • • • • • • Inadvertent or Accidental Data Leak The Careless The Inexperienced The Lazy The Home Worker The Newcomer The Stressed The Disorganized
- 23. How to Investigate & Recover from an Attack
- 27. • Soon to be on by default on all new mailboxes
- 36. Protect from Future Attacks
- 37. Security features must be enabled to protect you >99% of common user compromises are preventable Most customers enable features after they’re compromised Average account secure score today is 14.65/180 Baseline Protection Simple one-click experience enables our recommended security configuration and features Baseline configuration For admins MFA enabled for Azure AD privileged roles For all users MFA enabled Enrolled in the Microsoft authenticator app for MFA Require MFA when sign-in risk is detected Block legacy authentication protocols Block logins from compromised users
- 38. threats
- 39. Microsoft Secure Score Visibility into your Microsoftsecurity position and how to improve it Insights into your security position Guidance to increase your security level
- 41. Identity Secure Score Checkout your Identity Secure Score now at aka.ms/MyIdentitySecureScore Insights into your security posture Guidance to help you secure your organization
- 42. CONDITIONAL ACCESS APP CONTROL Microsoft Azure Active Directory Analyze Session RiskCheck device compliance with Intune Check location Check user behavior Check user organization Enforce Relevant Policies with Conditional Access App Control Protect downloads from unmanaged devices with AIP Monitor and alert on actions when user activity is suspicious Enforce read-only mode in applications for partner (B2B) users Require MFA and define session timeouts for unfamiliar locations BOX.US.CAS.MS Cloud App Security integrates with: • Azure Active Directory • Azure Information Protection • Microsoft Intune to protect any app in your organization.
- 43. Unusual file share activity Unusual file download Unusual file deletion activity Ransomware activity Data exfiltration to unsanctioned apps Activity by a terminated employee Indicators of a compromisedsession Malicious useof an end-useraccount Malware implanted in cloud apps Malicious OAuth application Multiple failed login attempts to app Suspicious inbox rules (delete, forward) Threat delivery and persistence ! ! ! Unusual impersonated activity Unusual administrative activity Unusual multiple delete VM activity Malicious useof a privilegeduser Activity fromsuspicious IP addresses Activity fromanonymous IP addresses Activity froman infrequent country Impossibletravel between sessions Logon attempt from a suspicious user agent
- 44. Brute force attempts Suspicious groups membership modifications Honey Token account suspicious activities Suspicious VPN connection Abnormal access to AIP protected data Reconnaissance (65% of alert volume) ! ! ! Compromised credentials (16% of alert volume) Lateral movement (11% of alert volume) Domain dominance (8% of alert volume) Golden ticket attack Skeleton Key Remote code execution on DC Service creation on DC DCShadow 86% 38% 10% 12% Directoryservices DNS Account enumeration SMB sessionenumeration Impacted organizations: recon attacks Pass-the-Ticket Pass-the-Hash Overpass-the-Hash
- 46. MFA reduces the risk of an attack by 99.9% Have you turned on MFA?
- 47. Corporate Network Geo-location MacOS Android iOS Windows Windows Defender ATP Client apps Browser apps Google ID MSA Azure AD ADFS Employee & Partner Users and Roles Trusted & Compliant Devices Location Client apps & Auth Method Conditions Microsoft Cloud App Security Force password reset Require MFA Allow/block access Terms of Use ****** Limited access Controls Machine learning Policies Real time Evaluation Engine Session Risk 3 40TB Effective policy
- 49. Enable MFA for your Admin Accounts or, even better, use PIM 1.7% admins protected by MFA Monitor your Risk Reports Use Identity Secure Score Test passwordless sign-in with Microsoft Authenticator Turn on Password Hash Sync Pull Azure AD Logs into your SIEM systems Block Legacy Auth Modernize your password policy Block Suspicious IPs Enable user risk policy Enable sign-in risk policy Review app permissions & use MCAS 52
- 50. Thank you! Theresa Eller, Microsoft Premiere Field Engineer [email protected] Antonio Maio, Protiviti Senior Enterprise Architect & Microsoft MVP [email protected]