As we creep towards 2025, there are some items that are almost inexcusable for major enterprises to still have as attack vectors. While we recently spoke about how we think next year is going to go as a whole, there are a few things you can lock down for your organization right now — even before the holidays.
Turn Off Device Code Flow
Don’t we all remember those golden days of authenticating our corporate device to the IoT device on the wall? Wait, we don’t?! Jokes aside, device code flow is used to allow users to “sign in to input-constrained devices such as a smart TV, IoT device, or a printer” [Source]. If this doesn’t obviously apply to you, schedule turning it off in your next sprint cycle. And if your organization is “super-unique”, still ask seriously whether it is needed (i.e. whether you actually use it weekly).
The dangerous part of this attack is that, once initiated, an attacker only has to persuade a user to sign in to a legitimate Microsoft portal and enter the attacker-supplied code. This is usually done through some sort of vishing, or just a carefully crafted phish.
Turning off device code flow is done by navigating to your Azure Portal and creating a Conditional Access Policy. Nowadays, this is easily done via the Authentication Flows feature, which lets you block this entire flow. We found a great article here by Cloudbrothers that details how to do it.
Don’t Wait for a Pentester To Catch Certificate Transparency Logs
Time and time again we see attackers catching low-hanging fruit that is then remediated within a week or two of a test. During any enumeration phase, an attacker (red teamer or threat actor) will go to the gold mine that is crt.sh. With a friendly interface, an attacker can simply type in your domain and get every certificate transparency log entry for it, usually resulting in a GOLDMINE of attack surface.
Type in your domain. I bet there are a number of entries you don’t even need online anymore. Don’t spend your 10-50 thousand dollars on a pentest just for Joe Schmoe the pentester to find dev.alpha2.dont-use-in-prod.site.com and get some weird SQL injection on it.
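As an added example, not from the original post, here is a small Python script that does the crt.sh check described above for your own domain: `fetch_crt_sh` performs the live query against crt.sh's JSON endpoint, while `inventory` and `stale_hosts` run offline over a constructed sample in that JSON shape and flag hosts whose certificates have all expired, the first names to reconcile against what should still be online. The `example.com` hostnames and dates in the sample are constructed.

```python
"""Inventory a domain's certificate-transparency footprint from crt.sh."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone


def fetch_crt_sh(domain: str) -> list[dict]:
    """Live query of crt.sh's JSON endpoint for every cert naming *.domain."""
    url = "https://crt.sh/?q=" + urllib.parse.quote(f"%.{domain}") + "&output=json"
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.load(resp)


def inventory(entries: list[dict], domain: str, now: datetime) -> dict[str, dict]:
    """Collapse crt.sh entries into {hostname: {"certs": n, "expired": bool}}."""
    hosts: dict[str, dict] = {}
    for entry in entries:
        # crt.sh gives not_after as naive ISO-8601 UTC, e.g. "2026-01-01T00:00:00".
        not_after = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        lapsed = not_after < now
        # name_value lists every SAN, one per line; drop wildcards and foreign names.
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower()
            if not name or name.startswith("*.") or not (name == domain or name.endswith("." + domain)):
                continue
            rec = hosts.setdefault(name, {"certs": 0, "expired": True})
            rec["certs"] += 1
            # A host stays "expired" only while every cert naming it has lapsed.
            rec["expired"] = rec["expired"] and lapsed
    return hosts


def stale_hosts(entries: list[dict], domain: str, now: datetime) -> list[str]:
    """Hostnames whose certificates have all expired: first candidates for cleanup."""
    return sorted(h for h, r in inventory(entries, domain, now).items() if r["expired"])


# Constructed sample in crt.sh's JSON shape (only the fields used are present).
SAMPLE = [
    {"name_value": "www.example.com\nexample.com", "not_after": "2026-01-01T00:00:00"},
    {"name_value": "dev.alpha2.dont-use-in-prod.example.com", "not_after": "2021-03-01T00:00:00"},
    {"name_value": "*.example.com\nvpn.example.com", "not_after": "2025-06-01T00:00:00"},
    {"name_value": "WWW.example.com", "not_after": "2019-01-01T00:00:00"},
]
DEMO_NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)  # fixed clock for a reproducible demo

if __name__ == "__main__":
    for host, rec in sorted(inventory(SAMPLE, "example.com", DEMO_NOW).items()):
        print(f"{host:45} certs={rec['certs']} expired={rec['expired']}")
    print("stale:", stale_hosts(SAMPLE, "example.com", DEMO_NOW))
```

Swap `SAMPLE` for `fetch_crt_sh("yourdomain.tld")` to run it against real data; a host that still resolves but only appears with expired certificates is exactly the forgotten dev box the post is warning about.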
Actually Start Blocking Foreign IP Ranges
This one is for all the small to medium sized organizations out there. Most do business within a single country. Even for a worldwide organization, I can bet there are all sorts of attacker addresses you can block just by allowlisting the countries you actually operate in. Most attackers nowadays originate from Eastern Europe, Iran, North Korea, Russia, and China [Source]. If you are “Joe’s Toolbox Shop USA” — really consider whether you need to allow ranges from some of these countries.
Most identity providers like Okta will allow you to allowlist users based on country [Source]. Entra ID offers the same through Conditional Access policies that block access by location [Source].
Plenty To Do
These were just meant to be some quick wins you can get done before the holidays. Obviously, pick whichever low-hanging fruit best fits your posture and risk appetite. Don’t just start blocking things because we told you to from our soapbox!