Entra ID

Microsoft Entra ID, formerly known as Azure Active Directory (Azure AD), is a cloud-based identity and access management (IAM) service. It provides a comprehensive solution for managing user identities and controlling access to resources, applications, and data. In the context of cybersecurity, Entra ID is a critical component for a modern security strategy, acting as a gatekeeper to prevent unauthorized access and mitigate cyber threats.

Key Cybersecurity Features

Entra ID helps organizations implement a Zero Trust security model, which operates on the principle of "never trust, always verify." Here are some of its key features that enhance cybersecurity:

  • Multi-Factor Authentication (MFA): Entra ID enables MFA, which requires users to provide two or more verification methods to prove their identity before gaining access. This significantly reduces the risk of password-related breaches.

  • Conditional Access: This feature allows administrators to create granular, policy-based access controls. Policies can be based on various factors, such as user location, device status, and real-time risk assessment, to enforce security requirements. For example, a policy could require MFA for users attempting to access sensitive data from an untrusted network.

  • Identity Protection: Using machine learning and threat intelligence, Entra ID Protection detects and responds to suspicious activities and potential vulnerabilities. It can identify risky behaviors, such as impossible travel (a user signing in from two geographically distant locations in a short time), or leaked credentials, and automatically trigger a response, such as blocking the sign-in or forcing a password change.

  • Single Sign-On (SSO): SSO allows users to access multiple applications with a single set of credentials. This reduces password fatigue and the likelihood of users reusing weak passwords, thereby decreasing the attack surface for an organization.

  • Hybrid Identity: For organizations with both on-premises and cloud resources, Entra ID offers tools to synchronize identities. This ensures consistent access policies across the entire environment, providing a unified and secure experience.
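The Conditional Access example above (require MFA when a user reaches a sensitive application from an untrusted network) worked through as a small policy evaluator. This is an added illustration, not Microsoft's engine or code from this page; the policy dictionary follows the shape of the Graph API conditionalAccessPolicy resource as an assumption, and the trusted ranges, application name and sign-ins are constructed samples.

```python
"""Evaluate a Conditional-Access-style policy against sign-in contexts."""
import ipaddress
from dataclasses import dataclass

# Constructed sample: IP ranges an admin would register as trusted named locations.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/25")]

# Constructed policy in the Graph conditionalAccessPolicy shape (assumption);
# "sensitive-data-app" is a hypothetical application id.
POLICY = {
    "displayName": "Require MFA from untrusted networks",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["sensitive-data-app"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

@dataclass
class SignIn:
    user: str
    app: str
    ip: str
    mfa_satisfied: bool = False   # True if a second factor was already presented

def ip_is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def policy_applies(policy: dict, s: SignIn) -> bool:
    """Check the user, application and location conditions in that order."""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    users = cond["users"]["includeUsers"]
    if "All" not in users and s.user not in users:
        return False
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and s.app not in apps:
        return False
    loc = cond["locations"]
    if "All" not in loc["includeLocations"]:   # only the "All" scope is modelled here
        return False
    # Excluding "AllTrusted" means sign-ins from trusted ranges are out of scope.
    if "AllTrusted" in loc.get("excludeLocations", []) and ip_is_trusted(s.ip):
        return False
    return True

def evaluate(policy: dict, s: SignIn) -> str:
    """Return 'allow', 'require_mfa' or 'block' for one sign-in."""
    if not policy_applies(policy, s):
        return "allow"
    controls = policy["grantControls"]["builtInControls"]
    if "block" in controls:
        return "block"
    if "mfa" in controls and not s.mfa_satisfied:
        return "require_mfa"
    return "allow"
```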

ThreatNG, as an external attack surface management solution, helps with Entra ID by providing an outside-in perspective to identify vulnerabilities and risks that could compromise an organization's identity and access management security. Entra ID relies on secure configurations and monitoring to protect against threats; ThreatNG complements this by discovering and assessing external exposures that attackers could use to target identities managed by Entra ID.

External Discovery and Assessment

ThreatNG performs external, unauthenticated discovery to find an organization's digital assets and assess their security posture from an attacker's perspective. This process identifies potential entry points that could be used to compromise Entra ID-managed identities.

  • Cyber Risk Exposure: ThreatNG's Domain Intelligence module assesses cyber risk by checking for certificates, subdomain headers, vulnerabilities, and sensitive ports. This includes uncovering code repositories and their exposure levels, as well as investigating their contents for sensitive data.

  • Mobile App Exposure: ThreatNG discovers mobile apps in marketplaces and examines them for access credentials, security credentials, and platform-specific identifiers. Among the items it looks for are access credentials such as the "Amazon AWS Access Key ID" and "AWS API Key," as well as "Google Cloud Platform OAuth".

  • Web Application Hijack Susceptibility: ThreatNG analyzes parts of a web application accessible from the outside world to find potential entry points for attackers, using domain intelligence to substantiate its findings.

  • Subdomain Takeover Susceptibility: This assessment evaluates a website's susceptibility to subdomain takeovers by analyzing subdomains, DNS records, and SSL certificate statuses.

  • BEC & Phishing Susceptibility: ThreatNG uses Domain Intelligence, which includes DNS Intelligence and Email Intelligence capabilities, to identify potential Business Email Compromise (BEC) and phishing risks. Email Intelligence looks at email security presence and format predictions.

  • Cloud and SaaS Exposure: ThreatNG discovers both sanctioned and unsanctioned cloud services and Software-as-a-Service (SaaS) solutions. It can also find cloud service impersonations and open, exposed cloud buckets. A key feature here is its ability to identify Azure Active Directory and Microsoft SharePoint instances associated with the organization.

  • External GRC Assessment: ThreatNG provides a continuous, outside-in evaluation of an organization's Governance, Risk, and Compliance (GRC) posture. It maps findings to frameworks like PCI DSS and POPIA.

  • External Threat Alignment: The assessments align with external threats by identifying vulnerabilities and exposures in a way an attacker would, for example, by mapping findings to MITRE ATT&CK techniques to show how an adversary might gain initial access.

Investigation Modules

ThreatNG's investigation modules provide detailed insights into discovered risks.

  • Domain Intelligence: This module gives a domain overview, including Microsoft Entra Identification, and identifies related SwaggerHub instances. It also provides DNS Intelligence (IP identification, vendor and technology identification, domain name permutations, Web3 domains) and Email Intelligence (DMARC, SPF, and DKIM records, format predictions, harvested emails).

  • Subdomain Intelligence: This module provides a detailed look at subdomains, including HTTP responses, header analysis (security and deprecated headers), and server headers that reveal technologies. It can identify various services, including Microsoft Azure cloud hosting and SharePoint as a content management system. It also checks for known vulnerabilities and discovers Web Application Firewalls and their vendors.

  • Sensitive Code Exposure: This module discovers public code repositories and uncovers digital risks within them. For example, it searches for access credentials like AWS Access Key ID, API keys, and usernames and passwords in URIs. It also looks for various configuration files, including those for Azure services, and system configuration files like potential Linux shadow files.

  • Cloud and SaaS Exposure: This module identifies sanctioned and unsanctioned cloud services, including Azure Active Directory and SharePoint.

  • Archived Web Pages: ThreatNG can find archived online pages that contain sensitive information such as admin pages, API files, login pages, and emails.

  • Dark Web Presence: The solution monitors for organizational mentions on the dark web, including associated ransomware events and compromised credentials.

Intelligence Repositories (DarCache)

ThreatNG uses a continuously updated set of intelligence repositories, or DarCache, to inform its assessments.

  • Compromised Credentials (DarCache Rupture): This repository contains compromised credentials. This is critical for helping an organization understand if its credentials, managed by Entra ID, have been exposed.

  • Ransomware Groups and Activities (DarCache Ransomware): This tracks over 70 ransomware gangs and their activities. This information, combined with compromised credentials found on the dark web, helps ThreatNG assess an organization's susceptibility to ransomware attacks.

  • Vulnerabilities (DarCache Vulnerability): This repository provides a holistic view of external risks and vulnerabilities. It includes data from NVD, EPSS, and KEV, giving insight into the technical characteristics, likelihood of exploitation, and real-world threats posed by vulnerabilities.

  • Mobile Apps (DarCache Mobile): This repository indicates the presence of various access and security credentials within mobile apps, which are discovered in marketplaces like the Amazon Appstore, Google Play, and Apple App Store.

Reporting and Monitoring

ThreatNG provides reports that help organizations act on these findings, including executive and technical reports, as well as prioritized reports with risk levels (High, Medium, Low) to help organizations allocate resources effectively. ThreatNG also continuously monitors the organization's external attack surface, digital risk, and security ratings.

Complementary Solutions

ThreatNG's capabilities can be used with complementary solutions to enhance security further. For example:

  • SIEM/SOAR Solutions: ThreatNG can identify a web server's vulnerabilities, such as an exposed private IP address or sensitive ports. This data can be fed into a Security Information and Event Management (SIEM) or Security Orchestration, Automation, and Response (SOAR) solution to trigger automated responses or create alerts. If ThreatNG discovers compromised credentials on the dark web, the SIEM can use this information to immediately flag any login attempts with those credentials, especially those associated with Entra ID users.

  • Vulnerability Management Platforms: While ThreatNG identifies external vulnerabilities, a dedicated vulnerability management platform could use ThreatNG's findings to initiate deeper internal scans, prioritize patching efforts based on the real-world exploitability data from DarCache (EPSS and KEV), and track the remediation process.

  • Identity and Access Management (IAM) Solutions: ThreatNG’s discovery of a subdomain with a misconfigured Microsoft Entra ID instance can be used to alert administrators, who can then use their IAM tools to correct the configuration. The discovery of compromised credentials can be used to force a password reset for the affected Entra ID users.

  • Cloud Security Posture Management (CSPM): When ThreatNG identifies an open, exposed cloud bucket in Azure, a CSPM can utilize this finding to verify the misconfiguration and provide remediation steps, thereby ensuring the security posture of the cloud environment is maintained.
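The SIEM correlation described in the SIEM/SOAR bullet (compromised credentials from the dark web matched against Entra ID login attempts) as an added example; it is not ThreatNG's or Microsoft's code. The compromised-credential feed format is assumed, the sign-in records are constructed samples using field names from the Microsoft Graph signIn resource, and severities follow the page's High/Medium/Low scheme.

```python
"""Flag Entra ID sign-ins by accounts present in a compromised-credential feed."""
import json

# Constructed feed; the record layout is an assumption, not a real export format.
COMPROMISED_FEED = [
    {"email": "alice@example.com", "source": "paste-site dump (sample)"},
    {"email": "Bob@Example.com", "source": "forum leak (sample)"},
]

# Constructed sign-in log, one JSON object per line, Graph signIn field names.
# errorCode 0 is a successful sign-in; 50126 is an invalid-credentials failure.
SIGNIN_LOG = "\n".join(json.dumps(r) for r in [
    {"createdDateTime": "2024-05-01T08:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "192.0.2.5", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:01:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.4", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:02:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.9", "status": {"errorCode": 50126}},
])

def load_compromised(feed: list) -> set:
    """Normalise feed emails so case differences do not hide a match."""
    return {entry["email"].strip().lower() for entry in feed}

def parse_signins(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flag_signins(feed: list, log_text: str) -> list:
    """Return one alert per sign-in attempt by a compromised account.

    A successful sign-in with a known-leaked credential is rated High and
    should drive a password reset; a failed attempt is still evidence that
    the leaked credential is being tried and is rated Medium.
    """
    compromised = load_compromised(feed)
    alerts = []
    for rec in parse_signins(log_text):
        upn = rec.get("userPrincipalName", "").strip().lower()
        if upn not in compromised:
            continue
        success = rec.get("status", {}).get("errorCode") == 0
        alerts.append({
            "time": rec["createdDateTime"],
            "user": upn,
            "ip": rec.get("ipAddress"),
            "severity": "High" if success else "Medium",
            "action": ("force password reset and revoke sessions" if success
                       else "monitor account; confirm lockout protection"),
        })
    return alerts
```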
