How Attackers Exploit Office 365 Vulnerabilities
Hacker Explains
Liam Cleary, CEO/Owner, SharePlicity
Russell McDermott, Systems Engineer, Netwrix Corporation
Agenda
• Office 365 Hacked
• Office 365 Attacks
• Netwrix Auditor Solutions
• Q&A Session
Steps
• Attack Simulation
• Exploitation
• Protection
Is Office 365 Vulnerable?
Yes / No
Has Office 365 Been Hacked?
• Office 365 OWA Security Vulnerability – January 2018
– https://community.spiceworks.com/topic/2105786-office-365-owa-security-vulnerability
• Widespread, Brute-Force, Cloud-to-Cloud Attacks Hit Office 365 Users – July 2017
– https://www.skyhighnetworks.com/cloud-security-blog/skyhigh-discovers-a-targeted-brute-force-attack-on-enterprise-customers/
• Microsoft Office 365 hit with massive Cerber ransomware attack – June 2016
– https://www.scmagazine.com/microsoft-office-365-hit-with-massive-cerber-ransomware-attack-report/article/529295/
Office 365 Breach Flow
• Login & Access
• Service Access
• File Downloads
• Site Traversal
• Mail Access
• Mail Rules
• Create / Read / Update / Delete
• API Access
Exploitation
Exploiting Office 365
• Phishing
• Brute-force Password
• Malicious URLs
• *MFA bypass
* https://twitter.com/rkalember/status/1017082306853392384
Brute-force Password
• Identify web form parameters
• Intercept traffic using Proxy
• Retrieve bad response
• Construct command for Brute-force
Malicious URLs
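<!-- Direct link: the full destination is written in the href -->
<!DOCTYPE html>
<html lang="en">
<head></head>
<body>
Click the Malicious <a href="https://bit.ly/malicious">link</a>
</body>
</html>

<!-- Same destination split in two: <base href> supplies the host, the href only the path -->
<!DOCTYPE html>
<html lang="en">
<head>
<base href="https://bit.ly">
</head>
<body>
Click the Malicious <a href="malicious">link</a>
</body>
</html>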
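
Both snippets above lead to the same destination, so a link filter has to resolve each href against any <base href> before checking it. The following is an added example, not part of the original slides, that does this with Python's standard library; the function names and the block list are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkResolver(HTMLParser):
    """Collect <base href> and every <a href> from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.base = None      # first <base href> wins, as in HTML
        self.raw_links = []   # href values exactly as written

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if not href:
            return
        if tag == "base" and self.base is None:
            self.base = href.strip()
        elif tag == "a":
            self.raw_links.append(href.strip())


def effective_links(html):
    """Return (raw href, resolved URL, hidden_by_base) for each anchor."""
    parser = LinkResolver()
    parser.feed(html)
    parser.close()
    results = []
    for raw in parser.raw_links:
        resolved = urljoin(parser.base, raw) if parser.base else raw
        # A relative href carries no host of its own: a filter that only
        # pattern-matches the href text never sees the real destination.
        hidden = bool(parser.base) and not urlsplit(raw).netloc
        results.append((raw, resolved, hidden))
    return results


def flag_links(html, blocked_hosts):
    """Resolved URLs whose host is in blocked_hosts (hypothetical block list)."""
    return [url for _, url, _ in effective_links(html)
            if urlsplit(url).hostname in blocked_hosts]


# Constructed samples mirroring the two snippets on the slide.
DIRECT = '<html><body><a href="https://bit.ly/malicious">link</a></body></html>'
SPLIT = ('<html><head><base href="https://bit.ly"></head>'
         '<body><a href="malicious">link</a></body></html>')
```

The hidden_by_base flag is worth logging on its own: a relative link combined with an off-domain base is unusual in legitimate mail.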
Attack Simulation
Why Simulate an Attack?
• People are the weakest link
• Test current systems
• End-user training
Attack Simulation Prerequisites
• Office 365 License that includes Office 365 Threat Intelligence
o Can be purchased as a separate add-on
• Utilize Exchange Online
• Assigned as Global Administrator
o If not Global Administrator, specific permissions to Security & Compliance Center
• Enabled Multi-Factor Authentication for Office 365 Users
Attack Simulation Types
Office 365 Attack Simulator
• Spear-phishing (Credential Harvesting)
• Password-spray
• Brute-force Password (Dictionary Attack)
Protection
What Does Microsoft Provide?
• Identity and access management
• Threat protection
• Information protection
• Security management
Security Graph
Risk Assessment
• Identify and define Office 365 scoped services
• Review existing Security documentation and guidance
• Gather existing configuration and security data
• Review assessment data, define risks and actions
• Define current Security posture based on assessment
• Perform remedial actions, based on assessment results and guidance
Security Controls
• Core Protections
o Exchange Online Protection
o Exchange Advanced Threat Protection
o Advanced Security Management / Cloud App Security
o Threat Intelligence
o Advanced Data Governance
o Azure Active Directory Authentication
o Multi-factor Authentication
o Office 365 Secure Score
o Conditional Access
o Mobile Device Management
• Content Protections
o Information Rights Management
o Azure Information Protection
o Data Loss Prevention
Takeaways
• Office 365 License that includes Office 365 Threat Intelligence
• Enabled Multi-Factor Authentication for Office 365 Users
• Execute Attack Simulator
• Enable ALL or AS MANY Security controls as possible
• Provide End User Training
Demonstration
Netwrix Auditor
Netwrix Auditor for Office 365
Netwrix Auditor for Active Directory
Netwrix Auditor for Windows File Servers
Netwrix Auditor for Windows Server
Netwrix Auditor for Exchange
Netwrix Auditor for SQL Server
Netwrix Auditor for SharePoint
Netwrix Auditor for NetApp
Netwrix Auditor for EMC
Netwrix Auditor for VMware
Netwrix Auditor Platform
Netwrix Auditor for Azure AD
Netwrix Auditor for Oracle Database
Netwrix Auditor Unified Platform
• Exchange Online administrative changes, changes to
mailboxes, mail users, groups, permissions, policies,
and management roles
• Non-owner mailbox access auditing
• SharePoint Online and OneDrive for Business
configuration, security, and content changes, and
data access events
• Changes to Azure AD groups, users, passwords,
roles, applications, service principals, devices,
contacts, and more
• Logon auditing
• Changes to farm configuration, user content and
security, permissions, group membership, security
policies
• Read access auditing
All Exchange Server Changes
Exchange Online Mailbox Permissions Changes
Behavior Anomalies
Interactive Search
Alerts on Suspicious Activity
Alerts on Threat Patterns
Useful links
Online TestDrive: experience Netwrix Auditor with no download or installation required
https://www.netwrix.com/browser_demo.html
Live One-to-One Demo: product tour with Netwrix expert
netwrix.com/livedemo
Contact Sales to obtain more information: netwrix.com/contactsales
Webinars: join our upcoming webinars and watch the recorded sessions
• netwrix.com/webinars
• netwrix.com/webinars#featured
Questions?
Thank you!
Liam Cleary, CEO/Owner, SharePlicity
Russell McDermott, Systems Engineer, Netwrix Corporation