Azure Active Directory / Microsoft 365

Practical Protection: Asking the Right Questions to Break the Kill Chain 

Avatar photo
Post author:Written By

I read a lot, and I love reading good crime fiction. One thing I’ve learned, which may even be true, is that, in the courtroom, you don’t ask a question if you don’t already know the answer. The corollary, which will be familiar to anyone who’s raised teenagers, is that sometimes you don’t want to know the answer, in which case you also shouldn’t ask. Based on what I see going on, I suspect a lot of enterprise administrators believe in this principle when it comes to security, but I’m here to assert loudly that you do want to ask questions because you do need the answers. You can’t protect what you don’t understand. 

What’s a Kill Chain? 

Let me give you a real-world example. Earlier this year, Microsoft highlighted an attack that is now called “Mango Sandworm” (for another time: why the hell do these serious threats have such ridiculous names?!). That attack depended on a misconfiguration in Azure AD Connect, the kind of thing that a good automated scanning tool might be able to detect and report. But the initial misconfiguration was just the first step that the attackers had to take. Lockheed Martin popularized the concept of a “kill chain” in information security. This was meant as a way to map the escalating steps of an attack (beginning with reconnaissance, then weaponization, then delivery, then exploitation, and so on). However, for our purposes, it’s more interesting to think of an attack path—the set of steps that the attacker must execute to achieve their objective. The terms “attack path” and “kill chain” have become roughly synonymous, but I like “chain” better because of the obvious real-world metaphor: as with any other chain, breaking one or more links of the chain renders it useless. Most of the time, the chain will have multiple elements, some of which may be extremely difficult to exploit; disrupting any link in the chain either blocks the attacker completely or forces them to make or find new links in the chain. The more frequently you can break kill-chain links, the more secure your environment will be. Before you can do that, though, you must know what the links are

Hybrid is a Common Link 

In the Mango Sandworm attack, the attackers built a chain that let them start by gaining entry to an on-premises network, then chained from there into Azure and started destroying stuff. However, it turns out that you can build a similar chain in the other direction, starting from Azure AD and going back into the on-premises network. Security researcher Dirk-jan Mollema recently showed how to do this by abusing a feature of Azure AD known as cloud Kerberos trust. His article outlines the required kill chain in detail, and I encourage you to read it because, even if some of the technical details are over your head, the article does a great job of describing how the links in the chain build on each other. 

So that’s two different attacks, in two different directions, that both depend on hybrid directory connectivity. Guess what?! There are others! This one involves exploiting password sync policies to steal password hashes, and this one takes advantage of AD permissions that control who can add new computers to a domain. There are lots of kill chains documented that include key links based on hybrid directory configurations… and those are just the ones that are publicly documented, not the esoteric ones known only to spy agencies. 

The Microsoft 365 Kill Chain and Attack Path Management

An effective cybersecurity strategy requires a clear and comprehensive understanding of how attacks unfold. Read this whitepaper to get the expert insight you need to defend your organization!

Learn More

Breaking the Chain 101 

You can’t disrupt a chain if you can’t identify the links. There are a few easily-identified category links: any account with privileges is an obvious link in the chain since an attacker will need to get access to that account. Any account that’s exempt from your authentication policies (whether for MFA or conditional access) is another potential link. Devices or applications that run known-vulnerable versions of the software are another. Just by hardening these three areas, you can improve your organization’s resistance against many chained attacks. So the first question you should be asking is, “Have I taken appropriate measures in these three categories?” If you aren’t certain of the answer, you should assume the answer is “no” and proceed accordingly. 

More Advanced Chain-Breaking 

Honesty forces me to admit that most of us, me included, don’t, and never will, have the level of detailed awareness of Azure AD sync behavior or the permissions assigned to various weirdo service accounts that the researchers who found the kill chains I linked to have. That’s OK. As it turns out, there are some automated tools and services that you can use to help you identify potential chains and disrupt them. 

Perhaps the best known is SpectreOps’ Bloodhound family of tools. These tools offer what SpectreOps calls “attack-path mapping,” meaning that the Bloodhound tool analyzes your environment by looking for vulnerabilities in accounts and devices, then using what it finds to build a map of how an attacker might be able to chain together different vulnerabilities, and what they might be able to compromise if they succeed. You can think of this as akin to a graphic diagram showing possible moves in a chess game: “If my opponent does this and I respond by doing that, then she can do this, and I’ll respond by…” Because it’s based on inspecting your network, though, the attack path data is accurate and actionable. 

Microsoft also has some tools that potentially help with chain-breaking. Sentinel, for example, is a really useful tool for identifying potential vulnerabilities if you know what to look for. You can use Sentinel to identify specific accounts, permissions, software patch levels, and other attributes in your network to pinpoint potential weaknesses. However, this is a little more challenging since the data you get out will only be as useful as the queries you put in.  

The threat hunting tools in Defender sound like they’d be really useful just based on their names—but the unfortunate truth is that threat-hunting is how you look for cyber threats that are already in your network. This is important because if you catch them early, you can still break the chain. For example, if you find malware being used by an attacker for reconnaissance, and you block and remove it, you prevent the attacker from moving on to the “weaponization” stage of Lockheed’s kill chain model. 

There’s No Substitute for Nosiness 

My very first Practical Protection column highlighted the importance of tuning in to the security community and watching for indications of new threats or active attacks. However, you need to couple that awareness with a willingness to poke around in your own environments and ask lots of questions: what is this account for? Do we need it? Are these permissions appropriate for the way our network works today? The more of these kinds of questions you ask, the more the answers you get will help you improve your overall security posture.  

Tags: , , ,

About the Author

Paul Robichaux

Paul Robichaux, an Office Apps and Services MVP since 2002, works as the senior director of product management at Keepit, spending his time helping to make awesome data protection solutions for the multi-cloud world we’re all living in. Paul's unique background includes stints writing Space Shuttle payload software in FORTRAN, developing cryptographic software for the US National Security Agency, helping giant companies deploy Office 365 to their worldwide users, and writing about and presenting on Microsoft’s software and server products. Paul’s an avid (but slow) triathlete, an instrument-rated private pilot, and an occasional blogger (at http://www.paulrobichaux.com) and Tweeter (@paulrobichaux).

Leave a Reply