Authorization Token Staging

Routine reviews of user accounts and their associated privileges and permissions should be conducted to identify overly-permissive accounts, or accounts that are no longer required to be active.

When an employee leaves the organization, a formal process should be followed to ensure all equipment is returned, and any associated accounts or access is revoked.

Multi-Factor Authentication (MFA) is a critical component of a comprehensive security strategy, providing an additional layer of defense by requiring more than just a password for system access. This multi-layered approach significantly reduces the risk of unauthorized access, especially in cases where an attacker has obtained or guessed a user’s credentials. MFA is particularly valuable in environments where attackers may have gained access to user credentials via phishing, data breaches, or social engineering.

For organizations, enabling MFA across all critical systems is essential. This includes systems such as Active Directory, VPNs, cloud platforms (e.g., AWS, Azure, Google Cloud), internal applications, and any resources that store sensitive data. MFA ensures that access control is not solely dependent on passwords, which are vulnerable to compromise. Systems that are protected by MFA require users to authenticate via at least two separate factors: something they know (e.g., a password), and something they have (e.g., a hardware token or a mobile device running an authenticator app).

The strength of MFA depends heavily on the factors chosen. Hardware-based authentication devices, such as FIDO2 or U2F security keys (e.g., YubiKey), offer a higher level of security because they are immune to phishing attacks. These keys use public-key cryptography, meaning that authentication tokens are never transmitted over the network, reducing the risk of interception. In contrast, software-based MFA solutions, like Google Authenticator or Microsoft Authenticator, generate one-time passcodes (OTPs) that are time-based and typically expire after a short window (e.g., 30 seconds). While software-based tokens offer a strong level of security, they can be vulnerable to device theft or compromise if not properly secured.

To maximize the effectiveness of MFA, organizations should integrate it with their Identity and Access Management (IAM) system. This ensures that MFA is uniformly enforced across all access points, including local and remote access, as well as access for third-party vendors or contractors. Through integration, organizations can enforce policies such as requiring MFA for privileged accounts (e.g., administrators), as these accounts represent high-value targets for attackers seeking to escalate privileges within the network.

It is equally important to implement adaptive authentication or risk-based MFA, where the system dynamically adjusts its security requirements based on factors such as user behavior, device trustworthiness, or geographic location. For example, if a subject logs in from an unusual location or device, the system can automatically prompt for an additional factor, further reducing the likelihood of unauthorized access.

Regular monitoring and auditing of MFA usage are also critical. Organizations should actively monitor for suspicious activity, such as failed authentication attempts or anomalous login patterns. Logs generated by the Authentication Service Providers (ASPs), such as those from Azure AD or Active Directory, should be reviewed regularly to identify signs of attempted MFA bypass, such as frequent failures or the use of backup codes. In addition, setting up alerts for any irregular MFA activity can provide immediate visibility into potential incidents.

Finally, when a subject no longer requires access, it is critical that MFA access is promptly revoked. This includes deactivating hardware security keys, unlinking software tokens, and ensuring that any backup codes or recovery methods are invalidated. Integration with the organization’s Lifecycle Management system is essential to automate the deactivation of MFA credentials during role changes or when an employee departs.

Privileged Access Management (PAM) is a critical security practice designed to control and monitor access to sensitive systems and data. By managing and securing accounts with elevated privileges, PAM helps reduce the risk of insider threats and unauthorized access to critical infrastructure.

Key Prevention Measures:

Least Privilege Access: PAM enforces the principle of least privilege by ensuring users only have access to the systems and data necessary for their role, limiting opportunities for misuse.

• Just-in-Time (JIT) Access: PAM solutions provide temporary, on-demand access to privileged accounts, ensuring users can only access sensitive environments for a defined period, minimizing exposure.
• Centralized Credential Management: PAM centralizes the management of privileged accounts and credentials, automatically rotating passwords and securely storing sensitive information to prevent unauthorized access.
• Monitoring and Auditing: PAM solutions continuously monitor and log privileged user activities, providing a detailed audit trail for detecting suspicious behavior and ensuring accountability.
• Approval Workflows: PAM incorporates approval processes for accessing privileged accounts, ensuring that elevated access is granted only when justified and authorized by relevant stakeholders.

Benefits:

PAM enhances security by reducing the attack surface, improving compliance with regulatory standards, and enabling greater control over privileged access. It provides robust protection for critical systems by limiting unnecessary exposure to high-level access, facilitating auditing and accountability, and minimizing opportunities for both insider and external threats.

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

Establish and maintain formal, well-communicated pathways for personnel to request resources, report deficiencies, or propose operational improvements. By providing structured mechanisms to meet legitimate needs, organizations reduce the likelihood that subjects will bypass policy controls through opportunistic or unauthorized actions.

Implementation Approaches

• Create clear, accessible request processes for technology needs, system enhancements, and operational support requirements.
• Ensure personnel understand how to escalate unmet needs when standard processes are insufficient, including rapid escalation pathways for operational environments.
• Maintain service-level agreements (SLAs) or expected response times to requests, ensuring perceived barriers or delays do not incentivize unofficial action.
• Integrate feedback mechanisms that allow users to suggest improvements or report resource shortfalls anonymously or through designated representatives.
• Publicize successful examples where formal channels resulted in legitimate needs being met, reinforcing the effectiveness and trustworthiness of the system.

Operational Principles

• Responsiveness: Requests must be acknowledged and processed promptly to prevent frustration and informal workarounds.
• Transparency: Personnel should be informed about request status and outcomes to maintain trust in the process.
• Accountability: Ownership for handling requests must be clearly assigned to responsible teams or individuals.
• Cultural Integration: Leaders and supervisors should reinforce the use of formal channels and discourage unsanctioned self-remediation efforts.

An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint.

Typically EDR operates in an agent/server model, where agents automatically send logs to a server, where the server correlates those logs based on a rule set. This rule set is then used to surface potential security-related events, that can then be analyzed.

An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate).

An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user Is expected to conduct the activity.

The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).

Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.

Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.

An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.

The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.

A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.

Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms.

Audit Logs are records generated by systems and applications to document activities and changes within an environment. They provide an account of events, including user actions, system modifications, and access patterns.

A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).

Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.

Custom or pre-built detection logic can be used to determine if a user account has authenticated from two geographic locations in a period of time that is not feasible for legitimate travel between the locations.

This detection monitors the granting of mailbox read permissions, an operation that enables a user account access to another user's or shared mailbox. By alerting on this permission change in Microsoft Defender, investigators gain early visibility into potential misuse of mailbox data and can trace both the granting account and the recipient of the access.

This detection is a default alert policy that should be enabled in all tenants by default.

In the Microsoft Defender portal at https://security.microsoft.com, navigate to Email & collaboration > Policies & rules > Alert policy. To go directly to the Alert policy page, use https://security.microsoft.com/alertpoliciesv2.

Click |+ New Alert Policy" in the top-left corner. Assign a clear name to the alert policy and select an appropriate Severity and Category. On the next page, under Activity is, search for and select “Granted mailbox permission”. Configure the remaining settings as required.

When reviewing an alert generated by this rule, select an activity row in the Activity list table to display related information. A panel will open on the right-hand side of the alert page, under “Activity details”, showing the Item (target mailbox friendly name), User (email address of the account that made the change), IP address, and timestamp. To identify the account that was granted read access to the mailbox, review the Parameters JSON output and retrieve the “Value” (object ID) located next to "User": "Name". This ID can then be searched in the “All users” section of Entra ID to identify the target user account.

From the Microsoft Entra Admin Center (https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), or through the Azure Portal (https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), it is possible to view detailed sign-in logs for user accounts.

This information includes (but is not limited to) the Date, User, Application, Status, IP Address, and Location.

Deploy User and Entity Behavior Analytics (UEBA) solutions designed for cloud environments to monitor and analyze the behavior of users, applications, network devices, servers, and other non-human resources. UEBA systems track normal behavior patterns and detect anomalies that could indicate potential insider events. For instance, they can identify when a user or entity is downloading unusually large volumes of data, accessing an excessive number of resources, or engaging in data transfers that deviate from their usual behavior.

Implement User Behavior Analytics (UBA) tools to continuously monitor and analyze user (human) activities, detecting anomalies that may signal security risks. UBA can track and flag unusual behavior, such as excessive data downloads, accessing a higher-than-usual number of resources, or large-scale transfers inconsistent with a user’s typical patterns. UBA can also provide real-time alerts when users engage in behavior that deviates from established baselines, such as accessing sensitive data during off-hours or from unfamiliar locations. By identifying such anomalies, UBA enhances the detection of insider events.