Microsoft Defender for Cloud Blog

Announcing Microsoft Defender for Cloud capabilities to counter identity-based supply chain attacks

Hagai_Kestenberg
Jul 17, 2023

In recent years, cloud identity-related security issues in supply chain attacks have gained significant attention.

A supply chain attack occurs when attackers infiltrate a target organization by gaining access to its trusted suppliers or third-party service providers.

Although supply chain attacks are not exclusive to the cloud environment, the advent of cloud computing has introduced unique considerations and risks to this type of attack.

Unlike a software supply chain attack, in which an attacker compromises third-party vendor software (the SolarWinds attack, for example), the type of supply chain attack we are referring to here does not originate from third-party software installed in your environment. Instead, it originates from delegated permissions that have been granted to your cloud environment.

Supply chain attacks often arise when delegated permissions are granted excessively to third-party service providers, referred to as “service providers” throughout this blog.

Many organizations choose third-party service providers to manage their cloud environment because of the specialized expertise, cost savings, scalability, enhanced security, and ability to focus on core business objectives that this brings. As a result, attackers and threat actors have begun to target those service providers and use a new type of supply chain attack that is unique to the cloud: identity-based supply chain attacks.

In this blog, we will walk through the mechanics of identity-based supply chain attacks in the cloud and discuss how attackers can abuse service providers’ cloud access to carry them out.

We will also show how a new alert enrichment in Microsoft Defender for Cloud can help to detect and remediate those threats. Microsoft Defender for Cloud is the main product of Microsoft’s cloud-native application protection platform (CNAPP).

Service providers access in Azure

In Azure, there are several solutions that are designed for granting service providers delegated access to their customers’ environment in a secure way:

  • Azure Lighthouse – Azure Lighthouse is a management platform that lets service providers gain efficient and secure access to their customers' Azure environments. It enables service providers to deliver managed services to multiple customers from a single, centralized interface, while customers maintain control over who has access to their tenant, which resources they can access, and what actions can be taken.

  • Microsoft Partner Center - Microsoft Partner Center provides features such as Delegated Administration Privileges (DAP) and Granular Delegated Administration Privileges (GDAP) to Cloud Solution Providers (CSPs), enabling them to gain access to their customers' environments and manage them on their behalf.

Learn more about Azure Lighthouse and the Cloud Solution Provider program capabilities and differences.

The mechanism of cloud identity-based supply chain attack

Because many organizations rely on service providers for various aspects of their environment, and because a single service provider account can have access to multiple customers’ environments, often with excessive permissions, threat actors see those service provider accounts as high-value targets.

With a compromised service provider user account, threat actors can use this vector to infiltrate multiple organizations through a single highly privileged user.

With a broad set of permissions, the attackers can collect data, abuse cloud resources, and perform any kind of malicious activity on the customers’ environments.

One of the best-known examples is the threat actor tracked as NOBELIUM, which attempted to gain access to the downstream customers of multiple service providers.

To demonstrate an identity-based supply chain attack, consider the following example scenario, in which service providers use Azure Lighthouse to manage their customers’ environments.

In such a scenario, an example of an identity-based supply chain attack would include the following steps:

  • An attacker compromises a service provider's user account.
  • By checking the Lighthouse “customers”, the attackers can see they have the “Contributor” role over 3 different customers’ subscriptions.
  • Now, the attackers can use the delegated access they have to access the service provider customers’ subscriptions and enable further attacks or access targeted systems and sensitive data.

This simple attack flow shows why service providers are highly targeted by threat actors, and why proper security mechanisms are needed for both the service provider and its customers.

Announcing a new enrichment to help with detection

In order to reduce the risk of identity-based supply chain attacks, we recommend following the security best practices for both Partner Center and Azure Lighthouse.

By implementing those security mechanisms and following the principle of least privilege, organizations can minimize the risk of being attacked through third-party vendors and service providers.

Another key point in reducing identity-based supply chain attacks is gaining visibility into the operations that users with delegated access perform in their customers’ environments.

By analyzing control plane operations, a new capability in Microsoft Defender for Cloud can now identify operations performed by service providers with “delegated access”, differentiate those actions from those of member users, and surface this information in the form of a new enrichment for Azure Resource Manager alerts.

This new enrichment, which also includes a customized description and remediation steps, can help security teams prioritize and differentiate alerts triggered with “delegated access”, so that such attacks can be mitigated in their first steps.
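As an added illustration (not code from the original post or from Defender for Cloud), the following Python applies the same idea to constructed Activity Log records: an operation whose caller carries a tenant-ID claim different from the customer's home tenant is tagged as delegated access, records with no tenant claim are left as unknown rather than assumed to be member users, and state-changing delegated operations are summarized per caller for triage. The claim name and the record field names are assumptions about the exported log format.

```python
# Constructed placeholder: the customer's own (home) Azure AD tenant ID.
CUSTOMER_TENANT_ID = "11111111-1111-1111-1111-111111111111"

# Assumption: each exported Activity Log record carries the caller's token claims,
# and the calling identity's home tenant is carried in this standard claim.
TENANT_CLAIM = "http://schemas.microsoft.com/identity/claims/tenantid"

# Constructed sample records (not real data). The first two come from a member user
# of the customer tenant; the next two come from an identity whose home tenant is a
# different (service provider) tenant, i.e. delegated access; the last lacks the claim.
SAMPLE_RECORDS = [
    {"operationName": "Microsoft.Compute/virtualMachines/read",
     "caller": "alice@customer.example", "callerIpAddress": "203.0.113.10",
     "claims": {TENANT_CLAIM: CUSTOMER_TENANT_ID}},
    {"operationName": "Microsoft.Storage/storageAccounts/write",
     "caller": "alice@customer.example", "callerIpAddress": "203.0.113.10",
     "claims": {TENANT_CLAIM: CUSTOMER_TENANT_ID}},
    {"operationName": "Microsoft.Authorization/roleAssignments/write",
     "caller": "a1b2c3d4-0000-0000-0000-000000000001", "callerIpAddress": "198.51.100.7",
     "claims": {TENANT_CLAIM: "22222222-2222-2222-2222-222222222222"}},
    {"operationName": "Microsoft.Compute/virtualMachines/write",
     "caller": "a1b2c3d4-0000-0000-0000-000000000001", "callerIpAddress": "198.51.100.7",
     "claims": {TENANT_CLAIM: "22222222-2222-2222-2222-222222222222"}},
    {"operationName": "Microsoft.Compute/virtualMachines/read",
     "caller": "svc-monitor", "callerIpAddress": "192.0.2.5", "claims": {}},
]

def classify_access(record, home_tenant=CUSTOMER_TENANT_ID):
    """Return 'member', 'delegated' or 'unknown' for one Activity Log record."""
    tenant = record.get("claims", {}).get(TENANT_CLAIM)
    if tenant is None:
        return "unknown"  # no tenant claim: do not silently assume a member user
    return "member" if tenant == home_tenant else "delegated"

def enrich(records, home_tenant=CUSTOMER_TENANT_ID):
    """Copy each record and add an 'accessType' field, mirroring the alert enrichment."""
    return [dict(r, accessType=classify_access(r, home_tenant)) for r in records]

def delegated_changes(records, home_tenant=CUSTOMER_TENANT_ID):
    """Delegated-access operations that modify state (anything that is not a read)."""
    return [r for r in enrich(records, home_tenant)
            if r["accessType"] == "delegated"
            and not r["operationName"].lower().endswith("/read")]

def delegated_callers(records, home_tenant=CUSTOMER_TENANT_ID):
    """Per (caller, home tenant) list of source IPs, for triaging service provider accounts."""
    summary = {}
    for r in enrich(records, home_tenant):
        if r["accessType"] == "delegated":
            key = (r["caller"], r["claims"][TENANT_CLAIM])
            summary.setdefault(key, set()).add(r["callerIpAddress"])
    return {k: sorted(v) for k, v in summary.items()}
```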

Returning to the identity-based supply chain attack example above, let’s say the attackers, using the compromised service provider user account, interact with the customers’ subscriptions through the Tor Browser in order to hide their source IP address.

With the new “delegated access” enrichment, the attacker’s activity now triggers an enriched alert for the customer.

As mentioned in the alert description, the delegated access refers to access via Azure Lighthouse or via Microsoft Partner Center.

The remediation steps also include customized steps that differ from the original alert’s remediation steps, which would apply to a user without delegated access.

With this information and customized “take action” steps, security teams can focus on investigating the service provider user accounts and their actions, with all the information they need to effectively address and mitigate the threat.

Conclusions

Cloud identity issues lead to the rise of cloud supply chain attacks.
By leveraging Microsoft Defender for Cloud capabilities, organizations can strengthen their defenses and safeguard their critical assets from the evolving landscape of cloud-based threats.

  • Dean_Gross:

    Thanks, but I'm a little confused: are you recommending that the Service Provider enable Defender for Resource Manager in their tenant, or that they enable it in each of their customers' tenants? I think it's the latter, but it's not very clear from the article.

  • Hi Dean_Gross,

    This new enrichment is for the customers of the service providers; therefore, Defender for Resource Manager should be enabled on the customers' subscriptions.