Microsoft’s Threat Intelligence Center (MSTIC) has detected further activity from NOBELIUM (Read the blog article from Microsoft Security here)
NOBELIUM is the group responsible for the SolarWinds breach earlier this year. That breach sent waves through the MSP community: it showed that even large corporations can be attacked, breached and exploited on the global stage.
In this latest activity, NOBELIUM used privileged accounts belonging to service providers to move laterally between cloud environments, abusing RMM tools and the delegated permissions MSPs hold over their customers' tenants to gain access to customer systems and enable wider attacks.
Microsoft are advising CSP partners to adopt stricter account security practices.
How does Atria manage your Microsoft 365 tenants?
Multi-Factor Authentication
For the account used for Delegated Partner Access, we require multi-factor authentication to be configured. You cannot enable our Microsoft Online service with your Partner admin account unless multi-factor authentication is enabled on it.
Secure Application Model
The Atria Microsoft Online service was built on the Microsoft Secure Application Model. Every function it calls, whether against Microsoft Online, Exchange Online or Graph, obtains its tokens on the fly through the Secure Application Model instead of authenticating with stored admin usernames and passwords.
Individual User Permissions
Our Microsoft Online service is configured to operate with the least Graph permissions it requires. Users within Atria can be granted or denied access to individual functions, so your staff no longer need direct access to Microsoft administrative accounts. By using Atria you can restrict what each team member is able to do, giving everyone the right level of access and no more.
Custom Script running against Microsoft Tenants
Atria lets you run custom scripts against a Microsoft 365 tenant at provisioning time. If you need a change made across all of your tenants, or a security standard applied to each, Atria applies that baseline to your current customers and to every future customer.
Good examples are enabling Security Defaults, routing security alerts to a specific user and configuring auditing; the list goes on. If you can automate it through Microsoft Online PowerShell or Microsoft Graph, our Customer Script runner can apply it for you at onboarding time.
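The two ideas above, Secure Application Model tokens and a provisioning-time baseline, fit together in one script. The following is an added example written for this page, not Atria's own Customer Script runner code: it redeems a Secure Application Model refresh token for a short-lived Graph access token scoped to one customer tenant, then enables Security Defaults only if the tenant does not already have Conditional Access policies (Graph rejects Security Defaults while Conditional Access policies exist). The variables $PartnerAppId, $PartnerAppSecret, $RefreshToken and $CustomerTenantId are placeholders you supply; the app registration must already have been consented for the delegated Policy permissions the Graph reference lists for these endpoints (Policy.Read.All to read, Policy.ReadWrite.ConditionalAccess to update at the time of writing, so check the reference for your tenant).

```powershell
# Added example, not Atria's code. Assumes a partner-tenant app registration consented per the
# Secure Application Model: $PartnerAppId / $PartnerAppSecret identify the app, $RefreshToken was
# issued when the MFA-protected partner admin consented, $CustomerTenantId is the tenant onboarded.

function Get-CustomerGraphToken {
    param(
        [Parameter(Mandatory)] [string] $CustomerTenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret,
        [Parameter(Mandatory)] [string] $RefreshToken
    )
    # Secure Application Model: the long-lived refresh token stays in the secure store; only a
    # short-lived access token for this customer tenant is handed to the provisioning step.
    $body = @{
        grant_type    = 'refresh_token'
        client_id     = $ClientId
        client_secret = $ClientSecret
        refresh_token = $RefreshToken
        resource      = 'https://graph.microsoft.com'
    }
    $tokenResponse = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$CustomerTenantId/oauth2/token" -Body $body
    return $tokenResponse.access_token
}

function Set-SecurityDefaultsBaseline {
    param([Parameter(Mandatory)] [string] $AccessToken)
    $headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }
    $base = 'https://graph.microsoft.com/v1.0'

    # Security Defaults cannot be enabled while Conditional Access policies exist, so detect that
    # up front and report it instead of failing half-way through an onboarding run.
    $caPolicies = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "$base/identity/conditionalAccess/policies"
    if ($caPolicies.value.Count -gt 0) {
        return [pscustomobject]@{
            Result = 'skipped'
            Reason = "tenant already has $($caPolicies.value.Count) Conditional Access policies"
        }
    }

    $uri = "$base/policies/identitySecurityDefaultsEnforcementPolicy"
    $current = Invoke-RestMethod -Method Get -Headers $headers -Uri $uri
    if ($current.isEnabled) {
        return [pscustomobject]@{ Result = 'already-enabled'; Reason = $null }
    }
    # Idempotent: re-running the baseline on a compliant tenant changes nothing.
    Invoke-RestMethod -Method Patch -Headers $headers -Uri $uri `
        -Body (@{ isEnabled = $true } | ConvertTo-Json) | Out-Null
    return [pscustomobject]@{ Result = 'enabled'; Reason = $null }
}

# Usage with placeholder values (hypothetical):
$token = Get-CustomerGraphToken -CustomerTenantId $CustomerTenantId -ClientId $PartnerAppId `
    -ClientSecret $PartnerAppSecret -RefreshToken $RefreshToken
Set-SecurityDefaultsBaseline -AccessToken $token
```

The 'skipped' outcome is the important one for a script that runs against every tenant: a customer that already uses Conditional Access (which the rest of this page recommends) should receive a Conditional Access baseline instead of Security Defaults, so branch on the returned Result rather than treating anything other than 'enabled' as a failure.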
Microsoft Assistance for CSPs
Microsoft is currently piloting further tools to assess your security posture with regard to delegated rights. This will be a tool you can run to see which delegated permissions are and are not actually being used.
A recently offered benefit is a free two-year Azure AD Premium P2 subscription for 25 users. This license provides advanced identity protection and management; its core benefits are Conditional Access, Identity Protection and Privileged Identity Management. How can these help?
Conditional Access
Conditional Access lets you define granular policies for access to Microsoft 365 services down to the who, what, where and even how of accessing your company's data.
This lets an organization enforce MFA, apply stricter requirements when certain applications or company data are accessed from specific locations or device platforms, and even control which email clients may connect to Exchange Online. The policies can be tailored to your specific use case to improve your overall security posture.
Identity Protection
Identity Protection is a product that gives insight into the risk attached to individual users. Microsoft assigns a risk level to each sign-in and to each user, and those risk levels can be used as conditions in the Conditional Access policies described above.
Risk is a tricky thing, but because Microsoft has billions of data points the scoring is relatively accurate. The simplest signal to picture is impossible travel: as a user, I only ever sign in from New Zealand, so if a sign-in from London in the United Kingdom arrived within the next hour, Identity Protection would see that I recently signed in from New Zealand and flag that sign-in as high risk, which you can then report on or block using Conditional Access.
More info on this is located on Microsoft’s Documentation – https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
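To make the Conditional Access and Identity Protection sections concrete, here is an added example (not code from Atria or Microsoft) that creates three baseline policies through Microsoft Graph, each in report-only mode so you can review the sign-in log before enforcing: MFA for anyone holding the Global Administrator role, a block on high-risk sign-ins (the sign-in risk condition needs the Azure AD Premium P2 license mentioned above), and a block on legacy email clients connecting to Exchange Online. It assumes $AccessToken is a Graph token for the tenant with the delegated Policy.ReadWrite.ConditionalAccess permission (plus the read permissions the Graph reference lists), and $BreakGlassAccountId is the object ID of an emergency access account that must stay excluded; both are placeholders. The role template ID for Global Administrator and the Exchange Online application ID are Microsoft's well-known values.

```powershell
# Added example, not Atria's code. $AccessToken and $BreakGlassAccountId are placeholders.
function New-BaselineConditionalAccessPolicies {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $BreakGlassAccountId
    )
    $headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }
    $uri = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
    $globalAdminRole = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator template ID
    $exchangeOnline  = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online app ID
    $reportOnly      = 'enabledForReportingButNotEnforced'       # review first, switch to 'enabled' later

    $policies = @(
        @{  # Who: privileged role holders. How: must satisfy MFA for every app.
            displayName   = 'Baseline: require MFA for Global Administrators'
            state         = $reportOnly
            conditions    = @{
                users          = @{ includeRoles = @($globalAdminRole); excludeUsers = @($BreakGlassAccountId) }
                applications   = @{ includeApplications = @('All') }
                clientAppTypes = @('all')
            }
            grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
        },
        @{  # Identity Protection feeding Conditional Access: block when sign-in risk is high.
            displayName   = 'Baseline: block high-risk sign-ins'
            state         = $reportOnly
            conditions    = @{
                users            = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassAccountId) }
                applications     = @{ includeApplications = @('All') }
                clientAppTypes   = @('all')
                signInRiskLevels = @('high')
            }
            grantControls = @{ operator = 'OR'; builtInControls = @('block') }
        },
        @{  # Which email client: legacy protocols cannot do MFA, so block them for Exchange Online.
            displayName   = 'Baseline: block legacy email clients for Exchange Online'
            state         = $reportOnly
            conditions    = @{
                users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassAccountId) }
                applications   = @{ includeApplications = @($exchangeOnline) }
                clientAppTypes = @('exchangeActiveSync', 'other')
            }
            grantControls = @{ operator = 'OR'; builtInControls = @('block') }
        }
    )

    # Idempotent by display name so the baseline can be re-run against every tenant safely.
    $existing = (Invoke-RestMethod -Method Get -Headers $headers -Uri $uri).value
    $results = foreach ($policy in $policies) {
        $match = $existing | Where-Object { $_.displayName -eq $policy.displayName }
        if ($match) {
            [pscustomobject]@{ Name = $policy.displayName; Id = $match.id; Action = 'exists' }
            continue
        }
        $created = Invoke-RestMethod -Method Post -Headers $headers -Uri $uri `
            -Body ($policy | ConvertTo-Json -Depth 10)
        [pscustomobject]@{ Name = $policy.displayName; Id = $created.id; Action = 'created' }
    }
    return $results
}

New-BaselineConditionalAccessPolicies -AccessToken $AccessToken -BreakGlassAccountId $BreakGlassAccountId
```

Two design choices matter more than the policy contents. Every policy excludes the break-glass account, because a policy that blocks all users, or requires MFA when the MFA service is degraded, can lock you out of the very tenant you are trying to protect. And every policy starts in report-only mode: the Conditional Access insights show which real sign-ins would have been blocked, and only after that review do you flip the state to enabled.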
Privileged Identity Management
Within Microsoft 365 there are many roles, from Exchange Administrator to Global Administrator. Privileged Identity Management (PIM) provides just-in-time access to these roles: accounts hold them as eligible rather than permanent assignments, and the elevated permissions are activated only when needed, for a set time window.
This lets your business require approval for elevated rights, enforce MFA on activation, and require a justification for why a role is being activated. It adds another layer of protection to your tenancies, so the core roles are never permanently active without oversight.
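What a just-in-time activation looks like from the administrator's side, as an added example rather than anything from Atria or Microsoft's documentation: the script first confirms the signed-in user is eligible for the role, then submits a self-activation request through the Graph PIM API with a justification and a one-hour expiry. It assumes $AccessToken is a Graph token for the user with the delegated RoleAssignmentSchedule.ReadWrite.Directory permission and $PrincipalId is that user's object ID; both are placeholders. The role definition ID is Microsoft's Global Administrator template ID.

```powershell
# Added example, not Atria's code. $AccessToken and $PrincipalId are placeholders.
function Request-PimRoleActivation {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $PrincipalId,
        [Parameter(Mandatory)] [string] $Justification,
        [string] $RoleDefinitionId = '62e90394-69f5-4237-9190-012177145e10',  # Global Administrator
        [string] $Duration = 'PT1H'                                            # ISO 8601: one hour
    )
    $headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }
    $base = 'https://graph.microsoft.com/v1.0/roleManagement/directory'

    # PIM only activates roles the principal is eligible for; check before requesting so a
    # misconfigured account fails with a clear message rather than a generic Graph error.
    $filter = "principalId eq '$PrincipalId' and roleDefinitionId eq '$RoleDefinitionId'"
    $eligible = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "$base/roleEligibilitySchedules?`$filter=$([uri]::EscapeDataString($filter))"
    if ($eligible.value.Count -eq 0) {
        throw "Principal $PrincipalId is not eligible for role $RoleDefinitionId"
    }

    # The request carries the justification PIM can require, and the expiry bounds the
    # elevation: after $Duration the role drops off the account without anyone revoking it.
    $request = @{
        action           = 'selfActivate'
        principalId      = $PrincipalId
        roleDefinitionId = $RoleDefinitionId
        directoryScopeId = '/'
        justification    = $Justification
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'afterDuration'; duration = $Duration }
        }
    }
    $response = Invoke-RestMethod -Method Post -Headers $headers `
        -Uri "$base/roleAssignmentScheduleRequests" -Body ($request | ConvertTo-Json -Depth 5)

    # If the role's PIM settings require approval, the status comes back as pending and the
    # elevation only takes effect once an approver acts on it in the portal.
    return [pscustomobject]@{ RequestId = $response.id; Status = $response.status }
}

Request-PimRoleActivation -AccessToken $AccessToken -PrincipalId $PrincipalId `
    -Justification 'Ticket 1234: reset MFA for locked-out user (placeholder justification)'
```

The point of wiring activation into a script like this is that the justification, the start time and the expiry all end up in the PIM audit history for the tenant, so a reviewer can later answer who held Global Administrator, when, and why.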
We strongly recommend that all CSPs apply for and use the free Azure AD Premium P2 licenses.
- Reduce the number of administrators needed within your organization by utilizing Atria
- For users that still require administrative access to tenants, ensure that Azure AD Premium P2 licenses are applied.
- Set up conditional access policies that will work to protect your business.