Microsoft aims to improve anti-phishing MFA for White House ‘zero trust’ push
Microsoft has laid out some key documents for federal agencies to use as they implement the White House’s ‘zero trust’ goals within the new US cybersecurity strategy.
In January, the Biden Administration released its new cybersecurity strategy following President Biden’s May 2021 executive order (EO 14028), signed in the wake of the SolarWinds software supply chain attack and ransomware attacks on critical infrastructure like Colonial Pipeline.
Core to that strategy are ‘zero trust’ architectures, for which US tech and cybersecurity vendors were canvassed for suggestions by the US National Institute of Standards and Technology (NIST), specifically about how to protect software supply chains from attack. Zero trust assumes breach and that basically nothing should be trusted.
SEE: Cybersecurity: Let’s get tactical (ZDNet special report)
But even as supply chains are targeted, email phishing remains one of the main methods that attackers use to breach a network, creating the starting point for a later supply chain attack.
In May, it wasn’t known whether Russian intelligence hackers used a targeted email phishing attack to breach SolarWinds’ software build systems. But the attack group, tagged Nobelium by Microsoft, has subsequently relied heavily on credential stuffing, phishing, API abuse, and token theft in attempts to obtain account credentials to victims’ networks.
Despite the onslaught of state-sponsored and criminal attackers targeting work account credentials, Microsoft earlier this month warned that just 22% of customers using Azure Active Directory (AAD) had implemented strong identity authentication, such as multi-factor authentication (MFA). In 2021, Microsoft blocked 25.6 billion AAD brute force authentication attacks and intercepted 35.7 billion phishing emails with Microsoft Defender for Office 365.
To help protect cross-organization collaboration against phishing, Microsoft this month announced a public preview of cross-tenant access settings for inbound and outbound access when both organizations use AAD, as well as reducing MFA requirements for trusted users across AAD-using organizations.
“Inbound trust settings let you trust the MFA external users perform in their home directories,” Microsoft explains.
Upcoming zero trust capabilities aimed at countering phishing threats for organizations that collaborate with business partners and suppliers include the “ability to enforce phishing-resistant authentication for employees, business partners, and vendors for hybrid and multi-cloud environments.”
Microsoft also plans to boost phishing-resistant MFA support, including in remote desktop protocol (RDP) scenarios. RDP is one of the most common entry points for ransomware attackers.
SEE: Linux malware attacks are on the rise, and businesses aren’t ready for it
Microsoft has previously outlined how its zero trust approach aligns with the NIST’s goal to develop “practical, interoperable approaches” to zero trust architectures. The Cybersecurity and Infrastructure Security Agency (CISA) is also providing agencies with technical support and operational expertise in implementing zero trust. The US government hopes the private sector will also follow the federal government’s lead.
For its government customers, Microsoft has now published five ‘cybersecurity assets’ explaining how to achieve a zero trust architecture from a Microsoft technology perspective. It covers: cloud adoption for Azure; rapid modernization plans; architecture scenarios mapped to NIST standards; a multi-factor authentication (MFA) deployment guide focussing on Azure Active Directory (AAD); and an “interactive guide” on the EO.
It’s mostly a collection of existing documents, blogposts and Microsoft help articles, but it nonetheless provides a central repository for agencies moving to comply with the new federal rules.