7. Your MFA is broken

Career stage: For this story, it’s one of the last customer projects I ran as an architect before joining Microsoft. I had a series of successful projects in the bag and had learned about a range of different technologies across the security landscape. One of the fun parts of the Architect role is holding customer envisioning sessions where you get to discuss new and future technologies and how they might impact the customer. During these sessions the conversation can go in many different directions; this one in particular circled back to the key identity question: are we doing it right?

Challenge: By now I had realized that each diagram I had created in the past leads to new ways to think about and tackle the problems I am presented with. In this case I was drawing out some of the virtues of incorporating Azure AD into the customer’s existing AD environment, including the use of Azure AD App Proxy to replace traditional VPN access to apps that are not yet cloud based. They were keen to learn more, especially as they were already using Azure AD as part of their Office 365 deployment but had not yet used its built-in Multi-Factor Authentication (MFA) capabilities.

The customer had several other identity and security solutions deployed over the last few years to protect their sensitive information. With offices around the world, they needed to protect over 60,000 users. I was asked to review their existing identity infrastructure, including their global deployment of MFA using a specialized and dedicated MFA solution, which they were very proud of having deployed several years before and whose security benefits the company had been enjoying since. I was given the following key scenarios that were considered the main reasons for securing identities with MFA:

  1. Remote access to desktops and servers: users working from home or other remote locations, with a requirement to connect directly to individual desktop computers and servers in their data centers.
  2. Access to SharePoint Server: users would connect to the VPN and then connect to local SharePoint Servers on the company’s network.
  3. Access to email: when not in the office, users need to continue gaining access to email in multiple ways:
     • On their mobile phone: both Apple iOS and Google Android were used for mobile access.
     • In any web browser: Safari, Chrome, Edge, and any other browser.
     • Using the desktop application: Microsoft Outlook used on Microsoft Windows or Apple macOS.

The project started and we had just a few weeks to collect the information, review the findings, and make the recommendations to the customer. We started by gathering some basic information about the systems in use, from licensing data to reports about user activity. I spoke to the administrators for each system to confirm the configuration setup and recorded the findings. Once completed, we reviewed the outcome and wrote up the report to present to the customer.

It is never great to give bad news, but you can’t always avoid it:

  • Good news: I can save you $2M USD a year
  • Bad news: You have a gaping big hole in your MFA
  • Good news: You already own the solution that will solve this gap

Here is the type of simple diagram I used to explain the current configuration of the customer’s identity management system (within the scope I was given access to). See if you can spot the issue(s) here:

[Image 1: A series of boxes connected with lines; the flow goes from left to right as we look at the user location, the access methods, then what sensitive information is accessed.]

How many can you count?

Let’s break these findings down:

1. Saving $2M USD per year: I'm not against the use of any particular security product, so long as you are getting real value from it and it works to reduce your risks. In this case, the customer was paying to protect their company from identity-based attacks. They had 60,000 users but only 40,000 licenses with the MFA solution provider. Of those, only 28,000 licenses had been assigned to active users, and only 16,500 users had actually used any of the solutions protected by MFA at some time in the last 30 days.

The customer had a few choices:

  • Only buy 16,500 licenses, to protect active users (saving approx. $1.2M USD per year)
  • Switch to an alternative solution that is built-in (Azure AD, saving $2M USD per year)

2. The gaping hole in MFA: The money is an attention grabber, but knowing the complex nature of IT and security budgets, it wasn't likely to impact decisions overnight. However, finding out that there are several ways an attacker can bypass your security controls can be a bigger wake-up call to act. In this case there were two ways an attacker could take advantage of this customer's setup:

  • Whilst the customer had protected email that was accessed via a web browser or a mobile device, they had neglected to protect email access from a laptop or desktop computer running Microsoft Outlook. For this method, only a UserId and password were required. Getting a user’s password these days is much easier than you can imagine. An attacker who can successfully log into email as the user has full access not only to read the many years’ worth of sensitive data that exists in the mailbox, but also to interact with inbound and outbound email daily, staying persistent until the password is changed or another security control is enforced.
  • The customer had also taken the common step of allowing an MFA bypass when the user was logging in from any of the known corporate IP address networks. Whilst this is seen as a convenience for the user, reducing how often they are prompted for MFA, it opens a wide opportunity for an attacker to gain access with only the UserId and password. Gaining physical access to any one of the global locations wouldn't be that difficult for any skilled Red Team, or a true attacker.
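The two gaps above are exactly what a sign-in audit should surface: successful sign-ins that never satisfied MFA, split by whether the client used a legacy (password-only) protocol or the source address fell inside the trusted corporate ranges. The script below is an added example, not the article's or any product's code; the record fields, the corporate ranges and the sample sign-ins are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed corporate ranges standing in for the "known corporate IP
# address networks" that were excluded from MFA (assumption, not real data).
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                      ipaddress.ip_network("198.51.100.0/24")]

# Constructed sign-in records. Field names are an assumption for this
# example, not a specific identity provider's log schema.
SIGN_INS = [
    {"user": "alice", "client": "Outlook desktop", "protocol": "legacy",
     "ip": "192.0.2.10", "success": True, "mfa": False},
    {"user": "bob", "client": "Browser", "protocol": "modern",
     "ip": "192.0.2.11", "success": True, "mfa": True},
    {"user": "carol", "client": "Browser", "protocol": "modern",
     "ip": "203.0.113.25", "success": True, "mfa": False},
    {"user": "dave", "client": "Mobile app", "protocol": "modern",
     "ip": "192.0.2.12", "success": False, "mfa": False},
    {"user": "erin", "client": "Outlook desktop", "protocol": "legacy",
     "ip": "203.0.113.40", "success": True, "mfa": False},
]


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def classify(record):
    """Return why a successful sign-in skipped MFA, or None if no gap."""
    if not record["success"] or record["mfa"]:
        return None
    if record["protocol"] == "legacy":
        return "legacy-client"      # gap 1: password-only client, never challenged
    if is_corporate(record["ip"]):
        return "trusted-ip-bypass"  # gap 2: policy exclusion for corporate ranges
    return "unexplained"            # neither known cause: investigate the policy


def audit(records):
    """List every MFA-less success with its reason, plus a count per reason."""
    findings = [(r["user"], r["client"], r["ip"], reason)
                for r in records if (reason := classify(r))]
    summary = Counter(reason for *_, reason in findings)
    return findings, summary


if __name__ == "__main__":
    for finding in audit(SIGN_INS)[0]:
        print("MFA gap:", finding)
```

Run against real sign-in logs, the "unexplained" bucket is the one to chase first, since it means a success path the policy review did not account for.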

3. Deploy Azure AD: The good news is the customer already had Azure AD integrated with their AD to synchronize user accounts into Office 365 and for adoption of the Azure cloud platform. This solution already has a wide range of MFA and Conditional Access policies available to not only close the gaps in their existing MFA design, but entirely replace their use of both the MDM and MFA solutions (potentially saving more than $2M USD per year). By raising awareness of this option, the customer can now make an informed decision on how best to consolidate their identity platforms, save some costs, and most importantly increase their security across multiple systems.

In reality this short project saved the company a lot more than $2M USD per year. Based on the latest Cyber Signals report by Microsoft, experts track and fight Business Email Compromise (BEC) attacks linked to over $2.7 billion in losses (reported to the FBI last year alone).


There are a few other issues you might see in this diagram, happy to use the chat box to discuss these if you can spot them!

What I Learnt: Asking questions, gathering data, and replaying the answers can lead to the discovery of some unknown unknowns. Belief in the security controls set up in the past is no good if you don't constantly test the assumptions and look for new ways to circumvent the security boundaries. Zero Trust relies on testing your assumptions, verifying every device and every identity, and adding additional defensive boundaries around the most sensitive data.

You can see some other examples of my approach of using diagrams to explain complex identity and security topics here:


Join me next time as we delve into the not so modern problem of "Data Loss Prevention".

Leif Davisson

Mentoring Next-gen Network security professionals

1 year

I don't even use MFA how can it be broken! LOL

More articles by Richard Diver