Pass-Through Authentication Attacks and Countermeasures
Organisations need to protect their information systems (IS) from internal and external threats.
The information security has been described using a CIA triad, i.e., confidentiality, integrity, and availability, since the 1970s (Samonas & Coss, 2014). Confidentiality means protecting information in a way that it can only be accessed by authorised people, integrity that the information can’t be altered without permission, and availability that the information can be accessed when needed (Samonas & Coss, 2014).
Cyber adversaries may attack organisations for various reasons. The attacker’s motivation is crucial to the defence (Parker et al., 2004) and can be curiosity, financial, notoriety, revenge, recreation, ideology, or sexual impulse (Chng et al., 2022). The complexity of information systems has increased in recent years (Benbya et al., 2020), which means more available targets for adversaries. Attacks can be targeted or opportunistic (CompTIA, 2019), and the complexity is likely to give more room for opportunistic attacks.
To keep information systems secured, organisations need to prevent, detect, and recover from cyber attacks (CompTIA, 2019). Prevention refers to securing information systems to minimise the likelihood of successful attacks. Detecting refers to a capability to detect attacks, and recovery to a capability to respond to attacks.
When organisations move from on-premises solutions to cloud services, the absence of physical environment changes the security posture (Kemp, 2018). For instance, Microsoft uses a shared responsibility model to describe the division of responsibility between Microsoft and their ustomers (Microsoft, 2022d). For Software as a Service (SaaS) workloads, customers are responsible for the information, devices, and accounts and identities. As the identity is a crucial part of protecting information systems, the current focus is on protecting users’ identities (Harding, 2013).
The challenge to detect attacks against cloud services is the available data sources. Depending on the service model, cloud providers can be responsible for physical environments, operating systems, network controls, and directory infrastructure. The logs that are gathered from these components are not exposed to customers. Instead, customers need to rely on the logs available for the used service. For instance, Azure Active Directory (Azure AD) provides Sign-ins logs and Audit logs. These logs are available via the Azure portal or Microsoft Graph API for 7 to 30 days, depending on the Azure subscription (Microsoft, 2023a).
Secureworks Taegis is a cloud-native security platform that “gathers and interprets telemetry across your ecosystem, continuously applying advanced analytics to prioritize alerts for more rapid response to the most serious threats first” (Secureworks, 2023b). Taegis XDR is one of the three key components of the Taegis platform. It prevents, detects, and responds to advanced threats with automation and machine learning-based analytics (Secureworks, 2023a). Taegis supports major cloud service providers, including Amazon, Google, and Microsoft. From the Microsoft cloud, Taegis can ingest information from Azure AD Sign-ins and Audit logs and Microsoft security provider alerts (Droski, 2021).
This thesis reports a design science research project conducted to implement Taegis XDR countermeasures for one of the Azure AD authentication options, pass-through authentication (PTA). The research timeline is illustrated in Figure 1. Literature review and research activities took place between March 1 and November 16, 2022. It should be noted that research results have been published before the publication of this thesis in blog posts, GitHub, and non-scientific cyber security conferences. This was done for two reasons. First, cyber security domain in general is changing rapidly and may make publication obsolete in the time of publishing (Edgar & Manz, 2017). Second, and more importantly, the author and the commissioner of the thesis wanted to provide both awareness of and tools to recognise possible active cyber-attacks as soon as it was possible.
The rest of the thesis is organised as follows. The key concepts, research aim, and ethical considerations are discussed in this Section. The previous research is introduced in Section 2 and research methodology in Section 3. The results of the research are presented in Section 4. The thesis is concluded by discussion in Section 5.