Contextualizing Identity-Based Attacks for a More Secure Cloud

Since launching Cloud Response last year, our Security Operations Center (SOC) has seen a steady increase in cloud attacks. This spring, the pace has kicked up even more. In fact, currently, our SOC is seeing nine cloud attacks for every attack at the endpoint level.

The reason is simple: The cloud offers a broader and easier attack surface than traditional on-premises hacking. Threat actors simply need to sign in the same way an ordinary user would.

These identity-based attacks are simple and relatively low-tech. Attackers can harvest credentials from dumps from compromised services or send phishing emails to trick users into giving up credentials. What’s more, although single sign-on (SSO) exists to ease friction for users, it also makes an attacker’s life easier. With SSO, an attacker only needs to compromise one set of credentials to access a whole set of services.

The uptick in identity-based attacks has caused us to look for better ways to detect them, stop them, and clean up after them. And that’s why today we’re announcing a pioneering new feature of Cloud Response for Microsoft 365 that enables all of the above: Identity Response for Azure AD. This new feature enhances the security of the Microsoft environment and any third-party applications that are connected via Azure SSO authentication.

When we spot a malicious login to our partners’ Microsoft environments, we disable the account to lock the attacker out. That’s what we’ve been doing all along with Cloud Response. But now with Identity Response for Azure AD, we’re also able to contextualize logins to the environment, allowing us to see exactly which application has been accessed.

This additional context results in a better-informed SOC response. It also means we can provide our partners and end customers with critical context and understanding of the scope of the attack and what data may have been exposed, enabling quicker remediation and guiding our partners’ and their end clients’ audit and damage assessment efforts.

Identity Response for Azure AD also protects against attacks that trick users into approving malicious applications, allowing attackers access to a tenant’s Azure environment. In these attacks, known as consent phishing, the user is prompted to allow an application to access the organization’s Microsoft resources. Doing so gives the application (and thereby the attacker) access to a set of permissions such as access to email, contacts, and files.

With Identity Response for Azure AD, Blackpoint’s SOC knows that the login happened via a malicious application and can take the necessary action to secure the environment.

When we launched Cloud Response last year, we were the first to monitor Microsoft 365 environments and take action on alerts. With Identity Response for Azure AD, we’re blazing another trail, as the only company to enrich your Microsoft 365 email events with identity information–down to the name of the app that was used–and put them in front of the SOC for response.

There’s no turning back from the cloud—yes, it increases the attack surface, but it also transforms operations and scales business. The way forward is to continue the cutting-edge development of protection, detection, and response to threats that prey on this new frontier.

Book a demo to see how Blackpoint Cloud Response, now with Identity Response for Azure AD, can protect your customers.