May Newsletter 2024


If the pollen count in the Northeastern United States is any indication, those April showers certainly did their thing. They weren't the only clouds to cause havoc in May. At Trimarc, we've been hearing more and more chatter from our clients about their never-ending struggle with cloud security boundaries. To that end, we've made this month's newsletter nice and fluffy with MS Cloud content: A blog on enumerating Entra ID, a guidance framework for Entra ID Protection, and a CISA review of a recent MS Exchange Online intrusion.

Still have questions? Check out Trimarc's Microsoft Cloud Security Assessment offering and let us help you navigate the cloud like that dragon thing from The NeverEnding Story. (Yes, we know his name is Falcor. No hate-mail, please.)

Check out our LinkTree for all of our content and websites.

Trimarc presents TriCon. Presentations from industry experts on Active Directory, Entra ID, and VMware vSphere. Fully remote in the Trimarc Discord Sunday, July 28 at noon ET.

Trimarc is proud to present our very first remote conference: TRICON

This will be a FREE and fully remote conference that takes place in the Trimarc Discord beginning at 9 AM PT / 12 PM ET on Sunday, July 28, 2024. TRICON will have presentations from industry experts on Active Directory, Entra ID, and VMware vSphere. The Call for Papers is now open, and we invite you to submit a topic covering any of those areas listed, although other topics are welcome and will be considered.

Note: Our CFP is blind, meaning reviewers will not be aware of the submitter's personally identifiable information. The content is what matters.

Meme showing William Shatner from Star Trek yelling "TriCon!"

Submit your topic for consideration HERE

The deadline to submit to the CFP is Midnight ET on June 7, 2024.

This is an oldie but goodie! We've been receiving some love for a white paper that Jim Sykora wrote back in 2022 that is still useful today (unfortunately, that says a lot about enterprise AD architectures).

White Paper: Ten Ways to Improve AD Security Quickly

https://www.hub.trimarcsecurity.com/post/ten-ways-to-improve-ad-security-quickly

SME Shop Talk = Recent news and random things we talk about in the Trimarc Security work chat that are relevant to your business.

Tool: MS Entra ID Protection Guidance

"A Microsoft open-source initiative aimed at helping defender teams to arm responders with the knowledge to properly respond to compromise of Microsoft Entra Tenants. Although some example hunting queries for Microsoft Sentinel and Microsoft Defender XDR Advanced Hunting are provided in this guidance, the advice and recommendations are designed to be used by anyone, regardless of security technology stack. This guidance should be shared with internal response teams or incident response partners."

Blog: Enumerating Entra ID Anonymously

"Entra ID / Azure AD enumeration is not a new idea. Microsoft can change the name, but these techniques continue to persist. There have been a number of enumeration tools dating back to the inception of Azure AD all leveraging different techniques to perform similar reconnaissance techniques. Two of the most modern and up to date tools are AADInternals and OneDrive User Enum. Both tools were showcased last year at DEFCON 31."

Report: CISA Review: Summer 2023 Microsoft Exchange Online Intrusion

"In May and June 2023, a threat actor compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world. The actor—known as Storm-0558 and assessed to be affiliated with the People’s Republic of China in pursuit of espionage objectives—accessed the accounts using authentication tokens that were signed by a key Microsoft had created in 2016. This intrusion compromised senior United States government representatives working on national security matters, including the email accounts of Commerce Secretary Gina Raimondo, United States Ambassador to the People’s Republic of China R. Nicholas Burns, and Congressman Don Bacon."

Report: Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm

"With Russia's full-scale invasion in its third year, Sandworm (aka FROZENBARENTS) remains a formidable threat to Ukraine. The group’s operations in support of Moscow’s war aims have proven tactically and operationally adaptable, and as of today, appear to be better integrated with the activities of Russia’s conventional forces than in any other previous phase of the conflict. To date, no other Russian government-backed cyber group has played a more central role in shaping and supporting Russia’s military campaign."

News: AT&T says personal data from 73 million current and former account holders leaked onto dark web

AT&T has launched an investigation into the source of a data leak that includes personal information of 73 million current and former customers. In a news release Saturday morning, the telecommunications giant said the data was “released on the dark web approximately two weeks ago,” and contains information such as account holders’ Social Security numbers.

News: Chinese Hackers Deployed Backdoor Quintet to Down MITRE

"Last month news broke that MITRE, best known for its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, was breached through Ivanti Connect Secure zero-day vulnerabilities (https://www.darkreading.com/vulnerabilities-threats/cisa-orders-disconnecting-ivanti-vpn-appliances-what-to-do). The hackers accessed its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and development network."

Meet the Trimarc Security crew IRL at an upcoming event! Grab some stickers, a Backdoors & Breaches Trimarc expansion pack, or your very own deadly & adorbs Ignis the Dragon squishy.

Photo of Trimarc Security print collateral and Ignis the Dragon squishies
Disclaimer: Dragons may multiply when squished

BSides Dublin May 18 in Dublin, Ireland

Trimarc is back to sponsor this fantastic event, and CTO Sean Metcalf will be speaking about the challenges of Identity Security. He'll also be playing a little game called, "How many Trimarc Expansion Decks can he fit in his luggage without an overage charge?"


Blue Team Con September 6-8 in Chicago, IL

We're proud to be a Platinum Sponsor at Blue Team Con this September. Come visit the Trimarc booth and grab a Backdoors & Breaches Trimarc expansion pack!


Sean & Jake's Talks from BSides Charm

Level up your security for AD & Azure AD with some recent talks presented by Trimarc team members at BSides Charm in April. Sean Metcalf spoke on the topic of "The Problem with Identity Security & How to Fix It." Jake Hildreth had to give a photosensitive trigger warning at the beginning of his talk due to some Super Happy Fun Slides, which were very on-brand for his talk titled "Protect Your Most Sensitive Users With This One Weird Trick!"

You can view the slides for their talks at:

https://www.hub.trimarcsecurity.com/post/bsides-charm-2024

(We'll update that web page with links to the talks once BSides Charm has published the recordings)

Webcasts, Podcasts, Blogs, Twitch, YouTube, we're suckers for a good stream or educational content piece. We hope you enjoy this month's roundup of spicy educational tidbits.

On-Demand Webcast: 10 Ways to Secure Azure AD / Entra ID

On April 3, Director of Services Scott Blake and Senior Consultant Brandon Colley gave a webcast on the approach and process for securing your Entra ID tenant using the same concepts applied to On-Prem Active Directory environments. You can view the full webcast in the video below, or on YouTube at https://youtu.be/hVaRRRQQ66M


Wiz bang exploit slinger Spencer Alessi (@TechSpence) was gracious enough to stop by to (try to) save our hosts from themselves.

TechSpence joins the Trimarc Security Happy Hour livestream

Microsoft Cloud Security Assessment (MCSA)

It can't rain all the time.

The MCSA identifies issues in your Azure AD (now Entra ID) & Microsoft Office 365 tenant that attackers could leverage to access data, escalate permissions, and persist. [Learn more]


Trimarc Active Directory Security Assessment (ADSA)

The perfect blend of a Red & Blue team engagement.

The ADSA assesses the security of AD environments, delivering prioritized, feasible, actionable recommendations to enhance enterprise security. [Learn more]


Virtual Infrastructure Security Assessment (VISA)

Even if the Matrix has you, we have your back.

The VISA engagement involves the analysis of the current VMware vSphere Virtual Infrastructure (vCenter & ESXi) configuration with a specific focus on Administration, Configuration, and Security Controls. [Learn more]


Trimarc Vision for Active Directory

Your Warhammer in the battle for Active Directory and Identity Security.

A security posture analysis product that provides visibility into the most important security components of Active Directory, providing at-a-glance insights whether you have one or hundreds of AD forests. [Learn more]

Interested in talking to the Trimarc technical team about our security assessment services? Please reach out to us here:

Click Here To Contact Us!


Trimarc -- From Trimarcisia, “feat of three horsemen,” an ancient Celtic military cavalry tactic where there was always a rider ready to mount the horse of a fallen soldier.

Want to receive the Trimarc Dragon's Breath newsletter by email?

Subscribe at https://www.trimarcsecurity.com/subscribe

