User accounts and passwords are every bit as important in the cloud as they are outside of it. That might seem obvious, but it is worth calling out nevertheless, because there have been repeated authentication failures in the cloud that led to serious consequences.
For example, the July 4, 2018, attack on Timehop affected the data of 21 million users and was the result of a single stolen administrative credential. By using one compromised administrator account, attackers were able to create a new user account, grant themselves heightened permissions, conduct targeted reconnaissance on the environment, and ultimately collect and exfiltrate that data.
Nor was this abuse of cloud access controls a unique occurrence. Part of the reason is that safeguarding cloud accounts and credentials can be more complicated than in on-premises or legacy environments.
First, cloud environments are often directly internet-accessible: the sign-in endpoint is reachable from anywhere, whereas an internal host or application account is usually reachable only through a known, defined channel or gateway, such as a VPN or one of a few tightly gated services. That exposure makes feasible attacks that are harder to pull off, or harder to hide, in an on-premises context, such as password spraying.
Second, many of the defenses and countermeasures organizations have in place, such as enhanced authentication, cloud access control, password quality checks and enhanced logging capabilities, don't always extend directly into cloud environments.
Authentication and cloud access control are therefore elements to think through carefully and to plan around. Features provided by cloud service providers that protect, lock down or otherwise bolster account security should be of significant interest to practitioners, and should be in the toolbox of anyone whose organization makes extensive use of the cloud. Two such features are Password Protection and Smart Lockout for Microsoft Azure Active Directory (Azure AD).
Password Protection and Smart Lockout for Azure AD
In June 2018, Microsoft announced two features to improve the security of user accounts operating in Azure AD. These cloud access control features offer Azure customers the ability to defend against several commonly employed attack scenarios that any production cloud deployment should protect against -- in particular, password spraying attacks.
Password spraying refers to an attacker trying one or a few passwords across a large user population. In a traditional brute-force attack, the attacker makes numerous guesses to determine the password of a single user. A password spraying attack instead tries the same password, typically a common one such as a season and year, once against each of a large number of accounts, hoping to find the ones that use it.
From the attacker's point of view, the advantage of this technique is that it avoids triggering lockout features or other security mechanisms that go into effect when a given account has failed multiple login attempts. Because each account sees only one or two failures, the per-account counter never reaches its threshold, and the attack can be paced so that it blends into the normal background rate of mistyped passwords.
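The distinction between the two patterns is exactly what a detection rule has to key on: many failures against one account, versus one or two failures against each of many accounts from the same source. The following is an added example, not code from the original article or from Microsoft; it runs over constructed sign-in records in an assumed, simplified layout (timestamp, user, source IP, result), not the real Azure AD sign-in log schema, and labels each source as spraying, brute-forcing or benign.

```python
"""Tell a password spray apart from a brute-force attempt in sign-in records.

Added example, not from the original article. The record layout
(timestamp, user, source IP, result) is an assumed simplification, not
Microsoft's sign-in log schema; the events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: 203.0.113.7 sprays one guess across many accounts and
# gets into frank's; 198.51.100.9 hammers alice's account; 192.0.2.44 is bob
# mistyping once and then signing in.
SAMPLE_LOG = [
    "2018-07-04T01:00:00 alice@example.com 203.0.113.7 failure",
    "2018-07-04T01:00:03 bob@example.com 203.0.113.7 failure",
    "2018-07-04T01:00:06 carol@example.com 203.0.113.7 failure",
    "2018-07-04T01:00:09 dave@example.com 203.0.113.7 failure",
    "2018-07-04T01:00:12 erin@example.com 203.0.113.7 failure",
    "2018-07-04T01:00:15 frank@example.com 203.0.113.7 success",
    "2018-07-04T01:10:00 alice@example.com 198.51.100.9 failure",
    "2018-07-04T01:10:01 alice@example.com 198.51.100.9 failure",
    "2018-07-04T01:10:02 alice@example.com 198.51.100.9 failure",
    "2018-07-04T01:10:03 alice@example.com 198.51.100.9 failure",
    "2018-07-04T01:10:04 alice@example.com 198.51.100.9 failure",
    "2018-07-04T02:30:00 bob@example.com 192.0.2.44 failure",
    "2018-07-04T02:30:20 bob@example.com 192.0.2.44 success",
]


def parse(lines):
    """Return (timestamp, user, ip, result) tuples, oldest first."""
    events = []
    for line in lines:
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user.lower(), ip, result))
    return sorted(events)


def classify_sources(lines, window=timedelta(hours=1), spray_min_users=5,
                     spray_max_per_user=2, bruteforce_min=5):
    """Label each source IP 'spray', 'bruteforce' or 'benign'.

    For every failure, look at the failures from the same IP within `window`:
      bruteforce - one account collects >= bruteforce_min failures
      spray      - >= spray_min_users distinct accounts fail, none more than
                   spray_max_per_user times (the pattern that stays under a
                   per-account lockout threshold)
    """
    failures = defaultdict(list)  # ip -> [(ts, user)] in time order
    for ts, user, ip, result in parse(lines):
        if result == "failure":
            failures[ip].append((ts, user))
    labels = {}
    for ip, fails in failures.items():
        labels[ip] = "benign"
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start <= window:
                    per_user[user] += 1
            worst = max(per_user.values())
            if worst >= bruteforce_min:
                labels[ip] = "bruteforce"
                break
            if len(per_user) >= spray_min_users and worst <= spray_max_per_user:
                labels[ip] = "spray"
                break
    return labels


def spray_hits(lines, **kwargs):
    """Successful sign-ins from sources labelled as spraying: the accounts whose
    password the spray guessed, i.e. the ones to reset and investigate first."""
    labels = classify_sources(lines, **kwargs)
    return [(user, ip) for _, user, ip, result in parse(lines)
            if result == "success" and labels.get(ip) == "spray"]


if __name__ == "__main__":
    print(classify_sources(SAMPLE_LOG))
    print(spray_hits(SAMPLE_LOG))
```

Two caveats when adapting this to real sign-in logs: a spray run from cloud infrastructure rotates source addresses, so keying on IP alone misses it and the tenant-wide ratio of failures to distinct accounts (plus user agent and network) is the better pivot; and the failure you want to count is specifically an invalid-password result (in Azure AD sign-in logs, error code 50126), not every non-success, or MFA prompts and conditional-access denials will pollute the counts.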
Azure AD Password Protection prevents users from choosing a password that is on -- or is a permutation of -- a sizeable list of weak passwords frequently used in password spraying attacks. For example, a password like P4$$w0rd! would not be allowed even though it might otherwise meet the complexity requirements, such as using a combination of capital and lower-case letters and including numbers and special characters.
By weeding out problematic passwords like these, the passwords users choose will be of higher quality and more resistant to attack. This does not stop anyone from attempting a spray, but it removes the passwords a spray is most likely to guess, so the attempts yield fewer or no hits.
Smart Lockout aims to recognize and block login attempts from suspicious or known-bad actors without blocking the account's legitimate user. It does this using cloud intelligence, such as what the service knows about the device type, past login behavior, the number of sign-in attempts and other parameters.
Using these signals, the service can differentiate patterns that are likely to be malicious from normal use and lock out only the former. This also helps against password spraying, because attackers' guesses are identified and blocked on the strength of those signals rather than only on a per-account count of failures, which a spray is designed never to exhaust.
Considerations for your environment
These two Azure AD features in tandem can reduce the likelihood that password spraying will succeed against your cloud deployments and raise the baseline quality of password-based authentication. The question for savvy practitioners is whether, and how, to evaluate these services for potential use and how to make the most of them.
First, neither of these tools is a panacea for all your account woes. They will help protect against password spraying and improve password-based authentication, but they are not two-factor authentication.
Multifactor authentication offers advantages beyond these services: a sprayed password that happens to be correct still does not, by itself, yield a session on an account that requires a second factor. It's always prudent to consider multifactor authentication for administrator accounts, which is available at no extra cost in Microsoft Azure, and, depending on the organization's policy and risk tolerance, for user accounts as well. Also, employing these services doesn't absolve you of the need to pay attention to access attempts, suspicious access patterns or other information that you may already review.
That said, there's relatively little downside to employing these services and customizing them to best suit your environment. For example, you can customize the Smart Lockout threshold -- the number of attempts that can be made before the lockout occurs -- as well as the duration of the lockout period. Depending on your specific needs, you may wish to tailor these to your organization.
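To see what the threshold and duration settings actually change, and why Smart Lockout is kinder to real users than a classic per-account lockout, here is a simplified model of the policy. It is an added example, not Microsoft's implementation and not from the original article. It reproduces three documented behaviours: a configurable failure threshold and lockout duration (Microsoft's documented defaults are 10 attempts and 60 seconds), repeats of the same wrong password not counting as fresh failures (the service remembers the last three bad password hashes), and, as an assumption of this model, the correct password not ending a lockout early. The real service also keeps separate counters for familiar and unfamiliar locations, which this model leaves out.

```python
"""Simplified model of Azure AD Smart Lockout (added example, not Microsoft's
implementation). Threshold and duration are the two settings a tenant can
customise; the same-wrong-password rule is documented behaviour; treating the
correct password as unable to end a lockout early is an assumption here."""
import hashlib
from datetime import datetime, timedelta


class SmartLockout:
    def __init__(self, threshold=10, duration=timedelta(seconds=60), remembered_bad=3):
        self.threshold = threshold        # failures before lockout (customisable)
        self.duration = duration          # how long the lockout lasts (customisable)
        self.remembered_bad = remembered_bad
        self._state = {}                  # user -> {count, recent, locked_until}

    def _state_for(self, user):
        return self._state.setdefault(
            user, {"count": 0, "recent": [], "locked_until": None})

    def attempt(self, user, password, correct_password, now):
        """Return 'locked', 'success' or 'failure' for one sign-in attempt."""
        st = self._state_for(user)
        if st["locked_until"] is not None and now < st["locked_until"]:
            return "locked"               # nothing unlocks early (modelled assumption)
        if password == correct_password:
            st.update(count=0, recent=[], locked_until=None)
            return "success"
        # A hash stands in for the guess so plaintext guesses are never stored;
        # the real service's hashing is its own and not reproduced here.
        bad = hashlib.sha256(password.encode()).hexdigest()
        if bad not in st["recent"]:       # same wrong guess again: not counted
            st["count"] += 1
            st["recent"] = (st["recent"] + [bad])[-self.remembered_bad:]
        if st["count"] >= self.threshold:
            st["count"] = 0
            st["locked_until"] = now + self.duration
        return "failure"


def run_scenario(threshold=3, duration=timedelta(seconds=60)):
    """Constructed sequence against one account; returns the list of outcomes.

    Five repeats of one wrong password, two further distinct wrong passwords,
    then the correct password 10 s after the start and again 70 s after it."""
    policy = SmartLockout(threshold=threshold, duration=duration)
    t0 = datetime(2018, 7, 4, 1, 0, 0)
    correct = "correct-horse-battery"
    attempts = [(t0 + timedelta(seconds=i), "Summer2018!") for i in range(5)]
    attempts += [(t0 + timedelta(seconds=5), "Summer2019!"),
                 (t0 + timedelta(seconds=6), "Summer2020!"),
                 (t0 + timedelta(seconds=10), correct),
                 (t0 + timedelta(seconds=70), correct)]
    return [policy.attempt("alice", pw, correct, when) for when, pw in attempts]


if __name__ == "__main__":
    print(run_scenario())              # threshold 3: the seventh failure locks the account
    print(run_scenario(threshold=10))  # documented default: no lockout in this sequence
```

With the threshold lowered to 3, the five repeats of "Summer2018!" count as a single failure, so it takes two further distinct wrong passwords to trigger the lockout, after which even the correct password is refused until the 60 seconds are up. With the default threshold of 10 the same sequence never locks the account at all. When tuning, remember that a lower threshold mostly hurts legitimate users who mistype different things, while a spray that tries one password per account never gets near either setting; that is why the cloud-intelligence signals, and not the counter, are what catch it.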
Additionally, you can add banned passwords of your own to create a custom, extended list for your organization; for example, you might wish to prevent users from choosing passwords that include the company's name, product names or variations of them. Doing this ensures that you not only get the full value of what Microsoft provides out of the box, but that you also build upon it to offer even better protection for your users.
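The following added example models how Password Protection arrives at its verdict, covering both the permutation-tolerant matching described under Password Protection above (why P4$$w0rd! is rejected) and the custom list just discussed (why a company name needs adding). It is not Microsoft's code or from the original article; it follows the evaluation Microsoft documents publicly: normalize (lower-case, then 0 to o, 1 to l, $ to s, @ to a), match banned terms with an edit distance of at most one, score one point per banned term and one per remaining character, and reject anything below five points. The global banned list here is a tiny constructed stand-in; Microsoft's real list is far larger and not published.

```python
"""Model of Azure AD Password Protection's documented evaluation steps.

Added example, not Microsoft's code: normalise, fuzzy-match banned terms
(edit distance <= 1), score one point per banned term plus one per leftover
character, reject below five points. GLOBAL_BANNED is a constructed stand-in
for Microsoft's global list."""

# Documented normalisation: lower-case, then 0->o, 1->l, $->s, @->a.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
GLOBAL_BANNED = ["password", "qwerty", "letmein", "summer", "welcome"]  # constructed


def normalize(password):
    return password.lower().translate(SUBSTITUTIONS)


def edit_distance(a, b):
    """Levenshtein distance, used for the documented edit-distance-1 fuzzy match."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_banned(norm, terms):
    """Greedily consume substrings within edit distance 1 of a banned term.

    Longest terms first; for each term try windows of its exact length, then
    one shorter, then one longer. Returns (matches, leftover characters)."""
    consumed = [False] * len(norm)
    matches = 0
    for term in sorted(terms, key=len, reverse=True):
        for width in (len(term), len(term) - 1, len(term) + 1):
            i = 0
            while width >= 2 and i + width <= len(norm):
                window = norm[i:i + width]
                if not any(consumed[i:i + width]) and edit_distance(window, term) <= 1:
                    consumed[i:i + width] = [True] * width
                    matches += 1
                    i += width
                else:
                    i += 1
    return matches, consumed.count(False)


def evaluate(password, custom_banned=(), min_score=5):
    """Return the verdict plus the intermediate values so the scoring is visible.

    custom_banned models the tenant's own list (company or product names);
    its entries are normalised the same way as the candidate password."""
    norm = normalize(password)
    terms = GLOBAL_BANNED + [normalize(t) for t in custom_banned]
    matches, leftover = find_banned(norm, terms)
    score = matches + leftover
    return {"normalized": norm, "banned_matches": matches,
            "score": score, "accepted": score >= min_score}


if __name__ == "__main__":
    for pw, custom in [("P4$$w0rd!", ()), ("C0ntos0!", ()), ("C0ntos0!", ("Contoso",)),
                       ("Contoso-Summer", ("Contoso",)), ("Summer2018!", ()),
                       ("Tr0ub4dor&3-raven-lamp", ())]:
        print(pw, custom, evaluate(pw, custom))
```

Three things fall out of running it. P4$$w0rd! normalizes to p4ssword!, which is one edit from "password", so it scores one point for the match plus one for the trailing "!" and is rejected despite satisfying every classic complexity rule. C0ntos0! passes the global list untouched but is rejected the moment "Contoso" is on the custom list, which is the whole argument for adding your own names. And Summer2018! still scores six under the documented scoring (one banned term plus five leftover characters), a reminder that the feature raises the floor rather than guaranteeing a strong password, and that multifactor authentication remains necessary.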