Most organizations have invested heavily in perimeter defense, yet 90 percent of organizations feel vulnerable to insider attacks. An employee stealing intellectual property to take to a new job, or a fat-fingered administrator making a critical configuration error, are examples of breaches caused by someone inside the network. Often an outside attacker takes over a legitimate account: Microsoft has reported that, every day, 95 million Active Directory (AD) accounts and 10 million Azure AD accounts are the target of cyberattacks.
The primary attack vector has shifted from direct attacks on compute resources to theft of user credentials, often by means of a phishing attack. Once a user's credentials are obtained, the attacker has a workstation on which to run software that captures the credentials of other accounts. Preferred targets are service accounts and Domain Administrator accounts, which let the attacker move laterally across the infrastructure and escalate privileges within it.
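Two of the signals a defender can watch for at this stage are a privileged account authenticating to an unusual number of hosts in a short window and a service account logging on interactively rather than over the network. The script below is an added illustration, not code from the paper or from Quest, and it runs over a constructed sample of logon records (the account names, host names and the one-hour window are assumptions; the logon-type numbers 2, 3 and 10 follow the Windows 4624 event convention).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not real telemetry). Each row mirrors the
# fields a Windows 4624 logon event carries: time, account, target host,
# logon type (2 = interactive, 3 = network, 10 = remote interactive).
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "alice",      "WS-101", 2),
    ("2024-01-10T09:05:00", "svc-backup", "FS-01",  3),
    ("2024-01-10T09:10:00", "svc-backup", "WS-101", 10),  # service account at a workstation
    ("2024-01-10T09:12:00", "da-bob",     "WS-101", 2),
    ("2024-01-10T09:20:00", "da-bob",     "WS-102", 10),
    ("2024-01-10T09:25:00", "da-bob",     "WS-103", 10),
    ("2024-01-10T09:30:00", "da-bob",     "FS-01",  10),
    ("2024-01-10T14:00:00", "alice",      "WS-101", 2),
]

# Hypothetical privileged accounts; in practice this list comes from AD group
# membership (Domain Admins, service-account OUs, etc.).
PRIVILEGED = {"da-bob", "svc-backup"}
SERVICE_ACCOUNTS = {"svc-backup"}


def load_events(rows=SAMPLE_EVENTS):
    """Turn raw rows into dicts with parsed timestamps."""
    return [
        {"time": datetime.fromisoformat(t), "account": a, "host": h, "type": lt}
        for t, a, h, lt in rows
    ]


def privileged_fanout(events, privileged=PRIVILEGED, max_hosts=3,
                      window=timedelta(hours=1)):
    """Return {account: sorted hosts} for privileged accounts that reach
    max_hosts or more distinct hosts inside one sliding time window.
    A Domain Admin touching many hosts in quick succession is a classic
    lateral-movement pattern."""
    by_account = defaultdict(list)
    for e in events:
        if e["account"] in privileged:
            by_account[e["account"]].append(e)

    hits = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        # Slide a window that starts at each event and collect distinct hosts.
        for i, start in enumerate(evs):
            hosts = set()
            for e in evs[i:]:
                if e["time"] - start["time"] > window:
                    break
                hosts.add(e["host"])
            if len(hosts) >= max_hosts:
                hits[account] = sorted(hosts)
                break
    return hits


def service_account_interactive(events, service_accounts=SERVICE_ACCOUNTS):
    """Service accounts should authenticate over the network (type 3), not
    interactively (2) or via remote interactive sessions (10). Return the
    offending (account, host, type) tuples."""
    return [
        (e["account"], e["host"], e["type"])
        for e in events
        if e["account"] in service_accounts and e["type"] in (2, 10)
    ]


if __name__ == "__main__":
    evs = load_events()
    for account, hosts in privileged_fanout(evs).items():
        print(f"fan-out: {account} reached {len(hosts)} hosts: {hosts}")
    for account, host, lt in service_account_interactive(evs):
        print(f"interactive service logon: {account} on {host} (type {lt})")
```

Both checks are deliberately coarse: the host threshold and window should be tuned per account class, and a real deployment would read events from the Security log or a SIEM rather than from an inline list.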
This paper examines how the United States Federal Government and Microsoft have responded to the increasingly pervasive insider threat. It also describes the Quest management tools that protect Active Directory, Azure Active Directory and Office 365 users and resources.