It might also be good to add to that that the NSA released this in response to the SolarWinds events and following breaches.
Thanks for sharing, Michael!
------------------------------
Saan Vandendriessche CCSP | CISSP | CRISC
Brussels - Belgium
------------------------------
Original Message:
Sent: Dec 18, 2020 01:28:59 AM
From: Michael Roza
Subject: NSA Detecting Abuse of Authentication Mechanisms
Hi All,
The NSA published Detecting Abuse of Authentication Mechanisms which discusses how malicious cyber actors are abusing trust in federated authentication environments to access protected data. The exploitation occurs after the actors have gained initial access to a victim's on-premises network. The actors leverage privileged access in the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources. The actors demonstrate two sets of tactics, techniques, and procedures (TTP) for gaining access to the victim network's cloud resources, often with a particular focus on organizational email.
------------------------------
Michael Roza CPA, CISA, CIA, MBA, Exec MBA
------------------------------