More than three-quarters (78%) of organizations with Microsoft Active Directory (AD) currently do not employ multifactor authentication (MFA) for their user accounts, new telemetry from Microsoft's Azure Active Directory service shows.
The data, published today in Microsoft's new quarterly "Cyber Signals" report, also includes an eye-popping stat about the volume of identity attack attempts: In 2021, Azure Active Directory detected and blocked over 25.6 billion attempts to brute-force user accounts.
"We see, every second, about 580 to 600 password attacks [attempted]," said Microsoft CISO Bret Arsenault in an interview with Dark Reading. "So that means there are about 18 billion every year."
While multifactor authentication, Arsenault noted, is a key defense to protect organizations from cyberattacks – especially ransomware – adoption has been slow, adding that "99.9% of breaches would be prevented if you just implemented MFA."
"When we look at these systems and we see that not everyone has implemented MFA, I think that's one of those things that's most amazing to me is how long it takes those entities to go get [MFA deployed]," he said.
A new study by Okta found that attackers target Microsoft 365 accounts that are not MFA-protected 10 times more or higher than accounts that don't use so-called legacy authentication, or the traditional single-factor password method.
"The conclusion we should draw is that attackers are predominantly targeting Office 365 via legacy protocols," says Brett Winterford, senior director for cybersecurity strategy at Okta. "Why go to the trouble of trying to bypass MFA when there are accounts that only require a username and password?"
AD servers themselves have become a juicy target for cybercriminals. Take ransomware attacks, which feed off stolen credentials that are then used to fan out to encrypt multiple machines in a victim organization.
"Domain controllers [such as AD] are the primary target of ransomware actors. From this one server, the attacker can discover and access every device on the network and very quickly bring an organization to a grinding halt," Winterford says. "We're routinely reading reports of ransomware groups moving from a single compromised account to domain admin in a mere matter of hours."
Properly configuring AD accounts can be difficult for some organizations, Winterford says, and misconfigurations can leave them open to attack.
The move to remote and hybrid work – coupled with a wave in job resignations and moves amid the pandemic – has complicated the management and security of user accounts as well.
The access rights tied to individual identities often change when a user moves to a different group in the company or gets a promotion, for example, notes Omdia analyst Don Tait.
"Thus they require these moves, adds, and changes, which can be managed centrally. But in highly distributed orgs, there may well be delegation to the individual business unit, which means different levels of admin access [that] may cross geographies and time zones," Tait says. "The explosion of digital and hybrid work styles [and] the amount of machine and human identities has increased dramatically. The rapid shift to hybrid work has left many organizations susceptible to cybercrime [that] leveraged identities to gain access."
AD servers also can store personally identifiable information, which could leave an organization in legal peril if the servers were breached, not to mention the financial fallout from ransomware or extortion attacks, he adds.
Arsenault said his team at Microsoft takes a risk-based approach to MFA adoption – one that he summed up in three basic steps: find, fix, and follow up.
First, find potential identity security risks, he said. "Most entities have people who are overpermissioned. See where there's legitimate need to high access – like to an Active Directory server," Arsenault said.
This step entails checking who needs read access to what, for example, and locating areas where there's "oversharing" of data or access, he explains.
"Then the work of MFA is really targeting on risk areas first," meaning for the "fix" phase, Arsenault said. It's not a static process, so he recommends regular follow-up of identity security to ensure no other user access issues emerge.
Microsoft has multiple layers of defense for its AD environment, including MFA and device-hardening, he said. He recommended organizations that have not leveraged them yet at least roll out two-factor/multifactor authentication for end users.
"If you can't start with anything administrative [user identity-wise] ... find who needs to have these elevated privileges," for instance, he explained.
Protecting AD server privileges starts with limiting the number of admins tasked with creating user accounts for a domain, according to Omdia's Tait.
"Ensure that all humans and machines are rooted in strong, nonreputable digital identities," he says. "The proven approach in the market today is with digital certificates."
Meanwhile, Microsoft's new report also shows that the vendor's Defender for Endpoint blocked over 9.6 billion malware infection attempts in 2021, while its Defender for Office 365 saw some 35.7 billion phishing and other malicious email traffic last year. Both data points encompass enterprise and consumer accounts.