-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathIdentityProtection.yaml
164 lines (157 loc) · 7.78 KB
/
IdentityProtection.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
version: 1
ATT&CK version: 8.2
creation date: 03/4/2021
name: Azure AD Identity Protection
contact: [email protected]
organization: Center for Threat Informed Defense (CTID)
platform: Azure
tags:
- Credentials
- Azure Active Directory
- Identity
- Microsoft 365 Defender
description: |
Identity Protection is a tool that allows organizations to accomplish three key tasks:
Automate the detection and remediation of identity-based risks.
Investigate risks using data in the portal.
Export risk detection data to third-party utilities for further analysis.
techniques:
- id: T1078
name: Valid Accounts
technique-scores:
- category: Detect
value: Partial
comments: >-
This control provides partial detection for some of this technique's sub-techniques and
procedure examples resulting in an overall Partial detection score.
- category: Respond
value: Partial
comments: >-
This control provides a response capability that accompanies its detection capability that
can contain and eradicate the impact of this technique. Because this capability varies
between containment (federated accounts) and eradication (cloud accounts) and is only able to
respond to some of this technique's sub-techniques, it has been scored as Partial.
sub-techniques-scores:
- sub-techniques:
- id: T1078.004
name: Cloud Accounts
scores:
- category: Detect
value: Partial
comments: >-
This control provides risk detections that can be used to detect suspicious uses of
valid accounts, e.g.: Anonymous IP address, Atypical travel, Malware linked IP
address, Unfamiliar sign-in properties, etc. Microsoft utilizes machine learning and
heuristic systems to reduce the false positive rate but there will be false positives.
The temporal factor of this control's detection is low because although there are some
real-time detections most are offline detections (multi-day).
- category: Respond
value: Significant
comments: >-
Response Type: Eradication
Supports blocking and resetting the user's credentials based on the detection of a
risky user/sign-in manually and also supports automation via its user and sign-in risk
policies.
- sub-techniques:
- id: T1078.002
name: Domain Accounts
scores:
- category: Detect
value: Partial
comments: >-
When Azure Active Directory (AAD) Federation is configured for a tenant, an adversary
that compromises a domain credential can use it to access (Azure) cloud resources.
Identity Protection supports applying its risk detections (e.g.: Anonymous IP
address, Atypical travel, Malware linked IP address, Unfamiliar sign-in properties,
etc.) to federated identities thereby providing detection mitigation for this risk.
Because this detection is specific to an adversary utilizing valid domain credentials
to access cloud resources and does not mitigate the usage of valid domain credentials
to access on-premise resources, this detection has been scored as Partial.
The temporal factor of this control's detection is low because although there are some
real-time detections most are offline detections (multi-day).
- category: Respond
value: Partial
comments: >-
Response Type: Containment
Supports risk detection responses such as blocking a user's access and enforcing MFA.
These responses contain the impact of this sub-technique but do not eradicate it (by
forcing a password reset).
- id: T1606
name: Forge Web Credentials
technique-scores:
- category: Detect
value: Partial
comments: >-
This control can be effective at detecting forged web credentials because it uses
environmental properties (e.g. IP address, device info, etc.) to detect risky users and
sign-ins even when valid credentials are utilized. It provides partial coverage of this
technique's sub-techniques and therefore has been assessed a Partial score.
- category: Respond
value: Partial
comments: >-
Provides Significant response capabilities for one of this technique's sub-techniques
(SAML tokens).
sub-techniques-scores:
- sub-techniques:
- id: T1606.002
name: SAML Tokens
scores:
- category: Detect
value: Partial
comments: >-
This control supports detecting risky sign-ins and users that involve federated users
and therefore can potentially alert on this activity. Not all alert types for this
control support federated accounts therefore the detection coverage for this technique
is partial.
- category: Respond
value: Significant
comments: >-
Response Type: Eradication
Supports blocking and resetting the user's credentials based on the detection of a
risky user/sign-in manually and also supports automation via its user and sign-in risk
policies.
- id: T1110
name: Brute Force
technique-scores:
- category: Detect
value: Minimal
comments: >-
This control provides Minimal detection for one of this technique's sub-techniques while
not providing any detection for the remaining, resulting in a Minimal score.
- category: Respond
value: Minimal
comments: >-
Provides significant response capabilities for one of this technique's sub-techniques
(Password Spray). Due to this capability being specific to one of its sub-techniques and
not its remaining sub-techniques, the coverage score is Minimal resulting in an overall
Minimal score.
sub-techniques-scores:
- sub-techniques:
- id: T1110.003
name: Password Spraying
scores:
- category: Detect
value: Partial
comments: >-
This control specifically provides detection of Password Spray attacks for Azure
Active Directory accounts. Microsoft documentation states that this detection is
based on a machine learning algorithm that has been improved with the latest
improvement yielding a 100 percent increase in recall and 98 percent precision. The
temporal factor for this detection is Partial as its detection is described as offline
(i.e. detections may not show up in reporting for two to twenty-four hours).
- category: Respond
value: Significant
comments: >-
Response Type: Eradication
Supports blocking and resetting the user's credentials based on the detection of a
risky user/sign-in (such as Password Spray attack) manually and also supports
automation via its user and sign-in risk policies.
references:
- >-
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk
- >-
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
- >-
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
- >-
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328