Unwanted Access: Protecting Against the Growing Threat of Session Hijacking and Credential Theft


Cybercriminals are constantly refining their tactics and attack methodologies. Growing threats like session hijacking and credential theft aren't just buzzwords; they're real threats that no organization (regardless of size or industry) can afford to ignore.

According to IBM's 2024 X-Force Threat Intelligence Index, the abuse of valid credentials was the top initial access vector in 2023, accounting for 30% of incidents, while session hijacking vulnerabilities were found in 15% of all security misconfigurations identified globally.

Session hijacking and credential theft are a big deal. As hackers evolve their methods, organizations must strengthen their defenses and protect their identity attack surface from hackers looking to wreak havoc.


Introducing Unwanted Access

At 杏吧传媒, we've seen how session hijacking and credential theft are critical vectors that hackers exploit to gain unauthorized access to your business-critical assets. That's why the 杏吧传媒 Managed Identity Threat Detection and Response (ITDR) team has introduced Unwanted Access, a new capability focused on wrecking hackers by shutting down the primary ways they take over accounts: session hijacking and credential theft.

We've taken our partners' input to heart in developing Unwanted Access. We start by analyzing Microsoft 365 events, organizing them into sessions, and then incorporating partner and customer feedback about expected and unauthorized VPNs and locations via Unwanted Access configuration rules. This capability zeroes in on tradecraft in the earlier phases of the attack lifecycle and provides identity isolation to mitigate compromises before they escalate.

There are a few new features and functionalities you can expect to see with Unwanted Access.


Unwanted Access Configuration Rules

To give our partners and customers greater configuration control, Unwanted Access rules empower you to tune your environment and help our Security Operations Center (SOC) better baseline your identity behaviors. How does this work? At any time, you can create "Expected" and "Unauthorized" rules for locations and VPNs.

For example, if your business is located in the United States and you know that you never anticipate login activity from, say, Egypt, you can create an expected rule for the United States and an unauthorized rule for Egypt.

Once these rules are created, all login activity from the United States would be deemed "known," and any login activity from Egypt would be considered malicious. Our SOC would send an incident report alerting on the activity.

Setting a location or VPN as "Expected" doesn't prevent the 杏吧传媒 SOC from seeing login data related to that location or investigating it to see if it seems out of the ordinary. In fact, we evaluate ALL login events for malicious activity, even if expected configuration rules are set for a particular location or VPN. These rules provide contextual information to the SOC and are important in reducing false alerts in your environment.

Unwanted Access rules also apply to VPNs. Confident that you won't be logging in from YouShallNotPass VPN? Simply add it to the "Unauthorized" list.

What's more, you're able to create Unwanted Access rules for locations or VPNs at the account, organization, or identity level.


Unwanted Access Escalations

We've also introduced escalations as part of Unwanted Access. Escalations help our SOC gather more information when investigating Unwanted Access login activity. These are not active incidents. Rather, they're flags for situations where we need more information to decide on next steps. If we spot a login from an unknown country or VPN, we'll send an escalation to help determine if it's legitimate or unauthorized.

For example, a partner has created expected location rules for the United States and Ireland and an unauthorized location rule for Romania. But we see unknown login activity from France. Because we need more information from the partner to determine if this login activity is malicious, we send an escalation prompting the partner to create an Expected or Unauthorized rule for this location.

Escalations are sent via email and PSA, and are available in the 杏吧传媒 portal.
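
The rule and escalation logic described in the two sections above, sketched in Python as an added illustration; it is not the vendor's implementation. The scope precedence (identity over organization over account), the fail-closed tie-break, and every class, function and sample value are assumptions of this sketch.

```python
from dataclasses import dataclass
# Assumption of this sketch: the most specific scope wins.
SCOPE_ORDER = ("identity", "organization", "account")

@dataclass(frozen=True)
class Rule:
    scope: str      # "identity", "organization" or "account"
    scope_id: str   # which identity / organization / account it covers
    kind: str       # "location" or "vpn"
    value: str      # country or VPN provider name
    verdict: str    # "expected" or "unauthorized"

@dataclass(frozen=True)
class Login:
    identity: str
    organization: str
    account: str
    country: str
    vpn: str = ""   # empty when no VPN provider was identified

def lookup(rules, login, kind, value):
    """Verdict of the most specific matching rule, or None if no rule matches."""
    ids = {"identity": login.identity, "organization": login.organization,
           "account": login.account}
    for scope in SCOPE_ORDER:
        found = {r.verdict for r in rules
                 if (r.scope, r.scope_id, r.kind, r.value) == (scope, ids[scope], kind, value)}
        if found:  # assumption: conflicting rules at one scope fail closed
            return "unauthorized" if "unauthorized" in found else "expected"
    return None

def triage(rules, login):
    """Map a login to 'incident', 'escalation' or 'known'."""
    verdicts = [lookup(rules, login, "location", login.country)]
    if login.vpn:
        verdicts.append(lookup(rules, login, "vpn", login.vpn))
    if "unauthorized" in verdicts:
        return "incident"    # unauthorized location or VPN: incident report
    if None in verdicts:
        return "escalation"  # unknown location or VPN: ask for a rule
    return "known"           # context only; the login is still evaluated

# Constructed sample rules mirroring the examples in the text.
RULES = [
    Rule("account", "acme-msp", "location", "United States", "expected"),
    Rule("account", "acme-msp", "location", "Ireland", "expected"),
    Rule("account", "acme-msp", "location", "Romania", "unauthorized"),
    Rule("account", "acme-msp", "vpn", "YouShallNotPass VPN", "unauthorized"),
    Rule("identity", "traveler@example.com", "location", "Romania", "expected"),
]
```

A "known" result here only suppresses the location or VPN question; as the text states, every login is still evaluated for malicious activity.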


Unwanted Access: Your Frontline Defense

As threats continue to evolve, our new Unwanted Access functionality empowers you to stay one step ahead of cyber threats by proactively addressing session hijacking and credential theft. Our advanced detection and response capabilities give you the ability to customize and tune your security environments to ensure that only authorized users have access to business-critical assets. Plus, Unwanted Access configuration rules and escalations provide clear visibility and control over your Microsoft 365 identity landscape, further empowering you to take charge of your security like never before.

Ready to try Managed ITDR's new Unwanted Access? Sign up for a free trial today.
