Product: MDR for Microsoft 365
Environment: Huntress Platform
Summary: Describes how Microsoft 365 identity isolation is determined by our system, how to create UPN (user principal name) or organization-level exclusions and how to manually isolate a Microsoft 365 UPN.
For hybrid environments where identities are based in an on-premises directory and sync to the cloud, attempts to disable identities on the cloud side are quickly overwritten by sync. Therefore, we are no longer attempting to disable the identities that are synced from on-premises AD. The Huntress Security Operation Center can still revoke existing sessions/log out these identities when sending our incident reports.
The Huntress Security Operations Center (SOC) determines when an "isolation-worthy" incident has occurred. Often these are Critical severity incidents, but not all Critical severity incidents warrant identity isolation. This Huntress managed response action can occur when Huntress has detected an incident indicative of hands-on threat actor activity within a partner's Microsoft 365 environment. The current Microsoft 365 user session will be revoked and the UPN will be disabled, preventing future logins until it is re-enabled.
Identity isolation will take effect after a Huntress SOC Analyst sends the incident report for the compromised Microsoft 365 UPN. These users will be un-isolated when the associated incident report is resolved. At any time, account administrators can manually re-enable the Microsoft 365 UPN via the Huntress Portal.
All Huntress accounts are opted into Managed Microsoft 365 Identity Isolation by default.
Benefits of Huntress Managed Identity Isolation
- Compromised Microsoft 365 accounts can lead to Business Email Compromise (BEC) attacks and even sensitive data exfiltration.
- Relying on Huntress's 24 x 7 SOC to disable these compromised accounts is necessary to prevent further compromise and loss when your IT staff are not online to respond.
- These response actions can buy your organization invaluable time when determining and implementing remediation actions.
When do we isolate identities?
If authorized in Account Settings, Huntress's SOC team will assess the need for identity isolation based on the potential impact of the cyber attack. If deemed necessary, the user session will be revoked and the UPN will be disabled in the partner's Microsoft environment once a SOC Analyst sends the incident report.
Example Attack Pattern:
- Login from known bad IP address.
- Malicious email forwarding rule set up.
Opting Into Managed Identity Isolation
By default, all Huntress accounts are opted in. Account administrators can opt out of this feature in Account Settings. Microsoft 365 UPNs that are not explicitly excluded in Exclusion Settings will be eligible for identity isolation.
Disabling Managed Microsoft 365 Identity Isolation will prevent Huntress SOC Analysts from thwarting attackers that have compromised user accounts in your Microsoft 365 environment.
** This is not recommended **
If you have a specific Microsoft 365 UPN or an entire organization that you never want isolated, we recommend using Isolation Exclusions.
Automatic Email Rule Disable
In the event that a suspicious inbox rule is detected, we will disable the rule so that it stops running and cannot continue to act on incoming mail.
Note: Excluding the identity from isolation will also exclude it from having inbox rules automatically disabled.
At this time, the inbox rules will not be re-enabled if an incident report is rejected. These will need to be manually re-enabled.
Identity Isolation Exclusion Settings
Account administrators can exclude entire organizations or individual Microsoft 365 UPNs from Managed Microsoft Identity Isolation. Exclusions should be used sparingly since excluded UPNs are not eligible for isolation. If malicious activity is detected for an excluded UPN, Huntress will not be authorized to revoke the user session and disable the account on your behalf.
You can access Identity Isolation Exclusions by scrolling to the bottom of your Account Settings page (hamburger menu at the top right, then click on Settings).
Note: Partners will be able to manually isolate and un-isolate specific UPNs, regardless of exclusions.
Self Managed Identity Isolation
At any time, partners can isolate/disable and unisolate/enable users from the Microsoft 365 User Overview Page.
Isolate/Disable:
Unisolate/Enable:
Identity Isolation Scenario
A Microsoft 365 user account has been compromised by an attacker.
What actions does Huntress take?
1. Huntress identifies a strange login from a suspicious IP address.
2. A SOC analyst correlates this alert with additional telemetry indicative of new email forwarding rules which are marking all inbound emails as read and moving them to the Deleted email folder.
3. An Incident Report is hand crafted by the Huntress analyst to communicate the impact and severity of the events.
4. The report is sent ASAP and the account (Microsoft UPN) is isolated on send.
Resolving the Incident & Re-Enabling the Microsoft UPN
1. The partner can resolve the incident manually or leverage Huntress Assisted Remediations to resolve the incident.
2. When the incident report is Resolved, the account (Microsoft UPN) will automatically be re-enabled.
Filtering Incident Reports by Response Actions
From the Account or Organization Incident Reports table you can filter incidents by Response Actions:
How does Huntress isolate identities?
Huntress uses the Microsoft Graph API to programmatically interact with a partner's Microsoft 365 environment. We leverage Huntress Portal "tasks" (API calls) to revoke user sessions, disable UPNs and delete malicious inbox rules when necessary.
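The following is an added illustration, not Huntress's own code: it builds the Microsoft Graph call sequence for one identity isolation as a dry-run plan, applying the exclusion rules and the hybrid on-premises AD caveat described above. Resource paths and field names (revokeSignInSessions, accountEnabled, onPremisesSyncEnabled, messageRules isEnabled) follow the Graph user and messageRule objects; the suspicious-rule heuristic and all sample data are assumptions constructed for the example.

```python
# Added example, not Huntress code: builds the Microsoft Graph call sequence for
# one identity isolation as a dry-run plan (method, url, body), applying the
# article's exclusion and hybrid-AD rules. Resource/field names follow Graph's
# user and messageRule objects; the suspicious-rule heuristic is an assumption.
GRAPH = "https://graph.microsoft.com/v1.0"


def rule_is_suspicious(rule):
    """Assumed heuristic: forwards/redirects mail, or hides inbound mail by
    marking it read and deleting or moving it (the article's attack pattern)."""
    a = rule.get("actions", {})
    hides = a.get("markAsRead") and (a.get("delete") or a.get("moveToFolder"))
    return bool(a.get("forwardTo") or a.get("redirectTo") or hides)


def plan_isolation(user, inbox_rules, org, excluded_upns=(), excluded_orgs=()):
    """Return (requests, skipped): Graph calls to issue and reasons for any
    step intentionally not taken. Nothing is sent; feed requests to a client."""
    requests, skipped = [], []
    upn, uid = user["userPrincipalName"], user["id"]
    if org in excluded_orgs or upn.lower() in {u.lower() for u in excluded_upns}:
        # An exclusion skips isolation and automatic inbox-rule disabling alike.
        skipped.append(f"{upn}: excluded, no action taken")
        return requests, skipped
    # 1. Revoke sessions for every identity, cloud-only or synced.
    requests.append(("POST", f"{GRAPH}/users/{uid}/revokeSignInSessions", None))
    # 2. Disable the account unless on-prem sync would immediately re-enable it.
    if user.get("onPremisesSyncEnabled"):
        skipped.append(f"{upn}: synced from on-prem AD, not disabling account")
    else:
        requests.append(("PATCH", f"{GRAPH}/users/{uid}", {"accountEnabled": False}))
    # 3. Disable (not delete) suspicious rules so they stop running but survive
    #    as evidence for the incident report.
    for rule in inbox_rules:
        if rule.get("isEnabled", True) and rule_is_suspicious(rule):
            url = f"{GRAPH}/users/{uid}/mailFolders/inbox/messageRules/{rule['id']}"
            requests.append(("PATCH", url, {"isEnabled": False}))
    return requests, skipped


# Constructed sample: a hybrid user with one benign and one malicious rule.
SAMPLE_USER = {"id": "u-1", "userPrincipalName": "jdoe@example.com",
               "onPremisesSyncEnabled": True}
SAMPLE_RULES = [
    {"id": "r-1", "isEnabled": True, "actions": {"moveToFolder": "Receipts"}},
    {"id": "r-2", "isEnabled": True, "actions": {"markAsRead": True, "delete": True}},
]
```

Calling plan_isolation(SAMPLE_USER, SAMPLE_RULES, org="Example Org") yields a session revocation and a rule disable for r-2 only, with the account disable reported as skipped because the identity is synced from on-premises AD.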