New identity security posture assessments: Riskiest LMPs and Unsecure Account Attributes

Microsoft


We are happy to announce two new Azure ATP identity security posture assessments for riskiest Lateral Movement Paths (LMP) and unsecure account attributes.


What are risky lateral movement paths?

Azure ATP continuously monitors your environment to identify sensitive accounts with the riskiest lateral movement paths that expose a security risk, and reports on these accounts to assist you in managing your environment. Paths are considered risky if they have three or more non-sensitive accounts that can expose the sensitive account to credential theft by malicious actors.


Why should I be concerned about lateral movement paths?

Malicious actors, much like thieves, often look for the easiest and quietest way into any environment. Sensitive accounts with risky lateral movement paths are windows of opportunities for attackers and can expose risks. For example, the riskiest paths are more readily visible to attackers and, if compromised, can give an attacker access to your organization's most sensitive entities.


How do I use this security assessment?


  1. Use the report table to discover which of your sensitive accounts have risky LMPs.

     [Image: atp-cas-isp-riskiest-lmp-1.png]

  2. Take appropriate action:

    • Remove the entity from the group as specified in the recommendation.
    • Remove the local administrator permissions for the entity from the device specified in the recommendation.
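As an added example (not code from the post or from Azure ATP itself), the following Python models the risk rule stated above: starting from a sensitive account's active sessions, walk the local administrators of those devices and their own sessions, and flag the account when three or more non-sensitive accounts sit on the resulting path. The session, local-admin and sensitive-account data are constructed for illustration.

```python
from collections import deque

# Constructed sample data (not from the original post): which accounts have
# an active session on which device, and who holds local admin on each device.
SESSIONS = {          # device -> accounts with an active session there
    "WS-01": {"alice.admin", "bob"},
    "WS-02": {"bob", "carol"},
    "WS-03": {"carol", "dave"},
    "WS-04": {"erin"},
}
LOCAL_ADMINS = {      # device -> accounts that are local administrators
    "WS-01": {"bob"},
    "WS-02": {"carol"},
    "WS-03": {"dave"},
    "WS-04": {"erin"},
}
SENSITIVE = {"alice.admin", "erin"}
RISKY_THRESHOLD = 3   # from the post: three or more non-sensitive accounts


def exposing_accounts(account, sessions, local_admins, sensitive):
    """Return the non-sensitive accounts that can reach `account`'s credentials
    by walking: session on a device -> local admins of that device -> their
    sessions -> ... (the lateral movement path). Sensitive accounts are not
    traversed, because the rule counts non-sensitive accounts only."""
    exposed_by = set()
    queue = deque([account])
    seen = {account}
    while queue:
        current = queue.popleft()
        for device, users in sessions.items():
            if current not in users:
                continue
            for admin in local_admins.get(device, set()):
                if admin in seen or admin in sensitive:
                    continue
                seen.add(admin)
                exposed_by.add(admin)
                queue.append(admin)
    return exposed_by


def risky_lmp_report(sessions, local_admins, sensitive, threshold=RISKY_THRESHOLD):
    """Mimic the assessment table: sensitive account -> exposing accounts,
    listing only accounts at or above the risk threshold."""
    report = {}
    for acct in sorted(sensitive):
        exposed = exposing_accounts(acct, sessions, local_admins, sensitive)
        if len(exposed) >= threshold:
            report[acct] = sorted(exposed)
    return report


if __name__ == "__main__":
    for acct, path in risky_lmp_report(SESSIONS, LOCAL_ADMINS, SENSITIVE).items():
        print(f"{acct}: risky LMP via {len(path)} non-sensitive accounts: {', '.join(path)}")
```

Removing one link in the chain (for instance dropping bob's local admin right on WS-01, the second remediation listed above) takes alice.admin below the threshold in this sample.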


What are unsecure account attributes?

Azure ATP continuously monitors your environment to identify accounts with attribute values that expose a security risk, and reports on these accounts to assist you in protecting your environment.


What risk do unsecure account attributes pose?

Organizations that fail to secure their account attributes leave the door unlocked for malicious actors.

Malicious actors, much like thieves, often look for the easiest and quietest way into any environment. Accounts configured with unsecure attributes are windows of opportunities for attackers and can expose risks.

For example, if the attribute PasswordNotRequired is enabled, an attacker can easily gain access to the account. This is especially risky if the account has privileged access to other resources.
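As an added example (not code from the post or from Azure ATP), this Python decodes the userAccountControl bit field that carries PasswordNotRequired, flags accounts with unsecure attributes, and puts privileged accounts first. It goes beyond the post by including a few other standard userAccountControl flags that are commonly reviewed the same way, and by emitting the LDAP filter you can run against the directory itself. The account records and the privileged-group list are constructed.

```python
# userAccountControl bit flags (standard Active Directory values). The post
# names only PasswordNotRequired (PASSWD_NOTREQD); the other flags are added
# here as further attributes commonly reviewed in the same way.
UAC_FLAGS = {
    "PASSWD_NOTREQD":             0x00020,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x00080,
    "DONT_EXPIRE_PASSWORD":       0x10000,
    "TRUSTED_FOR_DELEGATION":     0x80000,
    "USE_DES_KEY_ONLY":           0x200000,
    "DONT_REQ_PREAUTH":           0x400000,
}
# Groups treated as privileged for prioritisation (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample records shaped like LDAP query results (not real data).
# 0x0200 is NORMAL_ACCOUNT, set on every ordinary user object.
ACCOUNTS = [
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x0200 | 0x0020 | 0x10000,
     "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x0200, "memberOf": []},
    {"sAMAccountName": "legacy-app", "userAccountControl": 0x0200 | 0x400000,
     "memberOf": []},
]


def decode_uac(value):
    """Return the names of the unsecure flags set in a userAccountControl value."""
    return sorted(name for name, bit in UAC_FLAGS.items() if value & bit)


def assess(accounts, privileged_groups=PRIVILEGED_GROUPS):
    """Mimic the assessment table: accounts with unsecure attributes,
    privileged accounts first (the post calls these especially risky)."""
    findings = []
    for acct in accounts:
        flags = decode_uac(acct["userAccountControl"])
        if not flags:
            continue
        privileged = bool(set(acct["memberOf"]) & privileged_groups)
        findings.append({"account": acct["sAMAccountName"],
                         "unsecure": flags, "privileged": privileged})
    return sorted(findings, key=lambda f: (not f["privileged"], f["account"]))


def ldap_filter(flag_name):
    """LDAP filter matching accounts with the given flag set, using the bitwise
    AND matching rule OID 1.2.840.113556.1.4.803 (usable with ldapsearch or
    Get-ADUser -LDAPFilter to check the directory directly)."""
    bit = UAC_FLAGS[flag_name]
    return f"(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:={bit}))"


if __name__ == "__main__":
    for f in assess(ACCOUNTS):
        tag = "PRIVILEGED " if f["privileged"] else ""
        print(f"{tag}{f['account']}: {', '.join(f['unsecure'])}")
    print(ldap_filter("PASSWD_NOTREQD"))
```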


How do I use this security assessment?


  1. Use the report table to discover which of your accounts have unsecure attributes.

     [Image: atp-cas-isp-unsecure-account-attributes-1.png]

  2. Take appropriate action on those user accounts by modifying or removing the relevant attributes.


You can find these new assessments under the Identity Security Posture in the Cloud App Security portal (Azure ATP integration must be enabled).


Please let us know what you think about these assessments in the comments!

4 Replies

Hi @Ricky Simpson, how long does it take before the system starts to get info on the lateral movement path risk? Would I be correct in thinking there is some learning time on this?


@Ricky Simpson can we have these attributes in Azure Sentinel as well?


@David Caddick 

Hey David, while the LMP feature doesn't have a learning period, it does rely on Azure ATP contacting the devices on which sensitive users have active sessions via the SAMR protocol, then getting the list of local administrators and pinging their devices as well. This process is done once every 24 hours to reduce load on the network.


@ErikOppedijk 

That's great feedback. While Sentinel already gets Azure ATP alerts, we plan to provide these lateral movement activities through MTP's Advanced hunting feature soon, while thinking about how Sentinel could consume these as well. Stay tuned.