Chris Campbell Jul 28, 2025

Community Disservice Part Two: Mitigating Modern Human-Centric Intrusions


In our previous analysis of "The Com" ecosystem, we explored how these threat actors combine aggressive social engineering with advanced technical capabilities to compromise enterprise environments. Building on that foundation, this second blog post provides comprehensive mitigation strategies designed to defend against these human-centric attack methods. 

While defending against threats of this variety requires significant effort, implementing these layered defences will substantially reduce your organisation's exposure to determined and capable threat actors of every variety. 

Practical Mitigations 

Identity and Authentication Hardening 

  • Implement phishing-resistant MFA across all accounts: Deploy FIDO2 security keys or Windows Hello for Business, prioritising high-privilege accounts first. These solutions resist the token theft and MFA fatigue techniques commonly employed. Configure authentication policies to reject legacy authentication methods entirely and block SMS/voice call authentication through authentication method policies. 
  • Restrict MFA registration to trusted locations only: Configure conditional access policies to limit MFA device enrolment and modification to corporate networks and trusted IP ranges. Prevent attackers from registering their own devices during compromise attempts. For suspected compromises, temporarily disable self-service MFA resets and route all changes through enhanced manual verification processes. 
  • Deploy comprehensive risk-based authentication and identity protection: Implement dynamic access controls that adjust requirements based on user behaviour, device, and location. Configure policies to flag unusual activity like logins from unknown locations or residential IP ranges to prevent breaches before they escalate. Enable Entra ID Protection with risk-based conditional access that blocks high-risk sign-ins entirely and requires reauthentication for medium-risk events. 
  • Reduce authentication token lifetimes: Configure conditional access policies to limit session durations to 4-8 hours for privileged accounts and 8-12 hours for standard users. This increases authentication frequency, but it significantly reduces the window of opportunity for stolen tokens. Token Protection, still in preview, cryptographically binds tokens to devices, preventing their replay on attacker devices. 
  • Deploy continuous access evaluation: Enable real-time session evaluation that can revoke access based on risk signals, including impossible travel and unfamiliar sign-in properties. Configure automated account disabling for high-risk scenarios and ensure compromised sessions can be terminated immediately upon detection. 

Help Desk Security Controls 

  • Implement comprehensive identity verification procedures: Establish mandatory callback verification requiring help desk staff to terminate inbound calls and initiate callbacks to manager-registered phone numbers in HR systems. Implement video verification using Teams or Zoom for all administrative password reset requests. Train help desk personnel to positively identify employees before modifying security information, requiring on-camera verification, ID verification, and challenge/response questions at minimum for privileged accounts. 
  • Avoid reliance on publicly available personal data for verification: Do not use information like date of birth or driver's licence numbers that threat actors commonly possess. Use internal-only knowledge or real-time presence verification when possible. Implement technical controls that require operators to enter validation information without displaying correct answers. 
  • Implement manager approval workflows: Configure ITSM platforms like ServiceNow to require managerial approval for password resets and MFA changes on privileged accounts. Deploy honeypot accounts that trigger immediate security alerts when password reset is attempted. Create automated alerts for multiple password reset attempts within 24 hours for the same user. 
  • Record and monitor all help desk interactions: Maintain recordings of all password reset and MFA change requests. Conduct immediate reviews of high-privilege account changes and weekly sampling of standard user changes. Create high-priority SIEM alerts for sensitive action requests and log all help desk calls for audit purposes. 
  • Implement enhanced verification for sensitive requests: Require out-of-band verification for high-risk changes, such as callbacks to registered numbers or confirmation via known corporate email before proceeding. Temporarily disable self-service password reset methods during suspected compromise incidents. 
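The two help desk alerts above (honeypot account resets, and repeated resets for one user inside 24 hours) can be expressed as simple detection logic over identity audit events. This is an added example, not code from the original post; the event field names, the decoy account name and the sample events are constructed assumptions rather than the real Entra ID audit log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of password-reset audit events in a simplified dict form.
# Field names are assumptions, not the exact Entra ID audit log schema; times are UTC.
AUDIT_EVENTS = [
    {"time": "2025-07-28T08:02:00", "activity": "Reset user password", "target": "alice@example.com", "actor": "helpdesk1@example.com"},
    {"time": "2025-07-28T09:15:00", "activity": "Reset user password", "target": "alice@example.com", "actor": "helpdesk2@example.com"},
    {"time": "2025-07-28T20:40:00", "activity": "Reset user password", "target": "alice@example.com", "actor": "helpdesk1@example.com"},
    {"time": "2025-07-28T10:00:00", "activity": "Reset user password", "target": "bob@example.com", "actor": "helpdesk1@example.com"},
    {"time": "2025-07-29T11:00:00", "activity": "Reset user password", "target": "bob@example.com", "actor": "helpdesk1@example.com"},
    {"time": "2025-07-28T13:30:00", "activity": "Reset user password", "target": "svc-finance-admin@example.com", "actor": "helpdesk2@example.com"},
    {"time": "2025-07-28T14:00:00", "activity": "Update user", "target": "alice@example.com", "actor": "helpdesk1@example.com"},
]

# Hypothetical decoy (honeypot) accounts: no legitimate workflow ever resets these.
HONEYPOT_ACCOUNTS = {"svc-finance-admin@example.com"}
RESET = "Reset user password"


def honeypot_reset_alerts(events, honeypots=HONEYPOT_ACCOUNTS):
    """Every reset attempt against a decoy account is an immediate high-priority alert."""
    return [e for e in events if e["activity"] == RESET and e["target"] in honeypots]


def repeated_reset_alerts(events, threshold=2, window=timedelta(hours=24)):
    """Targets that received at least `threshold` resets inside any sliding `window`.

    Returns {target: peak number of resets seen within a single window}.
    """
    times_by_target = defaultdict(list)
    for e in events:
        if e["activity"] == RESET:
            times_by_target[e["target"]].append(datetime.fromisoformat(e["time"]))
    alerts = {}
    for target, times in times_by_target.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until the span is at most `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[target] = max(alerts.get(target, 0), count)
    return alerts


if __name__ == "__main__":
    for e in honeypot_reset_alerts(AUDIT_EVENTS):
        print("HIGH: honeypot reset of", e["target"], "by", e["actor"], "at", e["time"])
    for target, n in repeated_reset_alerts(AUDIT_EVENTS).items():
        print(f"ALERT: {n} password resets for {target} within 24h")
```

In the sample, alice is flagged with three resets in one window, bob's two resets are 25 hours apart and are not, and the single decoy-account reset raises the honeypot alert on its own.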

Administrative Account Management 

  • Implement complete privileged access workstation (PAW) isolation: Deploy dedicated, hardened workstations for all administrative activities. These systems should have no internet access, run application allowlisting, and connect only to administrative network segments. Configure conditional access or user rights assignment to block tier-0 administrative accounts from authenticating from anywhere except PAWs or hardened jumpboxes. 
  • Separate cloud and on-premises administrative roles: Create distinct accounts for Azure/AWS administration that have no permissions in on-premises Active Directory. Configure administrative units in Entra ID to prevent help desk staff from modifying Global Administrator or Privileged Role Administrator accounts. 
  • Deploy just-in-time administrative access with comprehensive Azure management restrictions: Implement Azure Privileged Identity Management with maximum elevation periods of 4 hours and mandatory business justification for all activations. Configure approval requirements for Global Administrator activations and restrict service principal creation to specific administrative roles. Establish separate break-glass accounts with physical FIDO2 keys stored in secure locations. 
  • Eliminate standing domain admin privileges: Few accounts should possess permanent domain admin rights. Create specific role groups for discrete administrative tasks and assign minimum necessary permissions. Disable self-service password reset for all administrative accounts and implement 24-hour cooling-off periods between password resets and MFA device changes. 
  • Unbind virtualisation infrastructure authentication from centralised identity providers: Create local administrator accounts for ESXi hosts and vCenter servers with long, complex passwords not stored in organisational password management systems. Enforce MFA for all administrative access to virtualisation platforms. 

Application Controls and Remote Access Management 

  • Implement comprehensive application allowlisting across all systems: Deploy application controls such as Windows Defender Application Control or ThreatLocker to manage and control execution of software, including allowlisting remote access programs and preventing unauthorised kernel driver loading. Configure alerts that fire immediately when tamper attempts occur and maintain an approved software inventory with alerts on any deviations. 
  • Audit and control remote access tools: Review logs for execution of remote access software to detect abnormal use of programs running as portable executables. Require authorised remote access solutions to be used only from within your network over approved VPN connections. Block both inbound and outbound connections on common remote access software ports and protocols at the network perimeter. 
  • Monitor for unauthorised remote access installations: Use security software to detect instances of remote access software being loaded only in memory. Create alerts for installation of tools like TeamViewer, AnyDesk, ScreenConnect, and other RMM solutions not explicitly approved for use. 

Network Segmentation and Access Control 

  • Isolate virtualisation management networks: Place all ESXi hosts, vCenter servers, and backup infrastructure on dedicated network segments with no direct internet access. Configure VMware vCenter alarms for configuration changes, snapshot creation, and new VM deployment. Require jump box access with MFA for all connections to these critical infrastructure components. 
  • Block residential IP and anonymisation services: Configure conditional access policies using named locations to block authentication from residential ISP ranges, commercial VPN providers, TOR exit nodes, and known anonymisation services. Deploy network controls to limit or block connections to proxy services and VPN providers at the firewall level. 
  • Deploy east-west traffic inspection: Implement internal firewalls or microsegmentation to monitor and control lateral movement. Configure policies that alert on unusual connection patterns and deploy Microsoft Defender for Identity on all domain controllers with automated response actions for detected attacks. 
  • Restrict access to trusted service infrastructure: Limit access to management interfaces for asset management tools, network devices, virtualisation platforms, backup technologies, security tooling, and PAM systems to originate only from internal hardened network segments or PAWs. 

Social Engineering Awareness and Training 

  • Conduct comprehensive social engineering awareness training: Train all users, especially IT and help desk personnel, to recognise phone-based social engineering attacks where callers impersonate employees requesting password resets or MFA changes. Include training on SMS phishing messages claiming to be from IT requesting software downloads or credential verification. 
  • Implement voice-based attack recognition training: Educate staff about tactics like MFA fatigue attacks, doxxing threats, and aggressive language designed to scare users into compliance. Ensure employees understand to reject unexpected MFA prompts and report such activity immediately. 
  • Train recognition of collaboration platform impersonation: Educate users to verify unusual chat messages in Microsoft Teams, Slack or other platforms where attackers pose as internal IT support. Implement policies to verify communications requesting credentials or system access through established channels. 
  • Conduct regular testing of help desk procedures: Perform red and purple team exercises specifically simulating social engineering resistance, help desk procedures, and token theft scenarios that reflect current threat intelligence. 

Cloud Security Hardening 

  • Monitor service principal and application usage: Deploy Microsoft Purview with OAuth app governance to prevent users from consenting to applications that can access email. Create alerts for new service principal creation, consent grants, and unusual application access patterns. Configure Azure AD to prevent users from consenting to applications and require administrative approval for all OAuth integrations. 
  • Monitor for domain federation abuse: Check domain names registered in the Entra ID tenant, paying particular attention to domains marked as Federated. Review federation configuration to ensure correctness and monitor for creation of new domains within the tenant and changes to authentication methods. Alert on any changes to federation settings, conditional access policies, or named locations. 

Endpoint Protection and Monitoring 

  • Deploy tamper protection on all security agents: Enable Windows Defender Tamper Protection to prevent administrative users from disabling security software. This directly mitigates BYOVD attacks that actors use to disable security controls and prevents execution of non-approved binaries on servers. 
  • Enable comprehensive PowerShell logging: Configure script block logging, module logging, and transcription on all systems. Forward these logs to central collection points that standard administrators cannot modify. Create detection rules for encoded commands, process injection attempts, and scheduled task creation. 
  • Deploy deception technologies: Implement honeypot file shares and canary tokens to detect unauthorised access attempts and create high-priority alerts for deception technology interactions. 
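The detection rules mentioned above for encoded PowerShell commands and scheduled task creation can be run over process command lines from PowerShell or process-creation logs. This is an added example, not code from the original post; the sample command lines are constructed, and the helper that builds the encoded sample is only there so the example runs offline.

```python
import base64
import re

# Helper used only to build the constructed sample below: PowerShell's
# -EncodedCommand takes the base64 of the UTF-16LE encoding of the script text.
def _encode_ps(script: str) -> str:
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample of process command lines as a SIEM would receive them
# from Windows 4688 / Sysmon event 1 telemetry; not real data.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -enc " + _encode_ps("Write-Host 'hello'"),
    "powershell.exe -Command Get-Service",
    'schtasks.exe /create /tn "Nightly Backup" /tr "C:\\Tools\\backup.exe" /sc daily',
    "powershell.exe -NonInteractive -EncodedCommand "
    + _encode_ps("Register-ScheduledTask -TaskName 'Sync' -Action $action"),
]

# -EncodedCommand plus the abbreviations powershell.exe accepts (-e, -ec, -en, -enc),
# followed by a base64 blob. -ExecutionPolicy does not match because no space follows "-e".
ENCODED_FLAG = re.compile(r"(?i)-e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/=]{16,})")
SCHEDULED_TASK = re.compile(
    r"(?i)schtasks(?:\.exe)?\s+/create\b|Register-ScheduledTask\b|New-ScheduledTask\b"
)


def decode_encoded_command(cmdline: str):
    """Return the decoded script when the command line carries -EncodedCommand, else None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_command_line(cmdline: str):
    """Return (findings, decoded_script). Detections also run over the decoded text."""
    findings = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded_command")
    if SCHEDULED_TASK.search(cmdline + " " + (decoded or "")):
        findings.append("scheduled_task_creation")
    return findings, decoded


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        findings, decoded = analyse_command_line(line)
        print(findings, "->", decoded if decoded is not None else line)
```

Decoding before matching matters: the fourth sample only reveals its scheduled task creation once the encoded payload is turned back into text.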

Data Protection and Backup Security 

  • Implement immutable backup solutions: Deploy backup systems supporting write-once-read-many (WORM) storage with 30-day minimum retention periods exceeding typical ransomware dwell times. Configure backup systems with separate, non-federated authentication not tied to primary identity providers. 
  • Physically isolate critical backups: Maintain offline backup copies for critical systems in physically separate locations with quarterly restoration testing. Configure storage account firewalls limiting access to corporate IP ranges only and encrypt all backups with keys stored in Azure Key Vault. 
  • Secure backup infrastructure access: Use unique and separate credentials for accessing and managing backup infrastructure, with MFA enforcement for all accounts. Ensure backup servers are isolated from production environments and reside within dedicated networks. 
  • Deploy Microsoft Purview for comprehensive data protection: Implement Microsoft Purview Information Protection to classify and label sensitive data across SharePoint, OneDrive, Exchange, and other data repositories. Configure automated classification policies to identify and protect high-value data that threat actors commonly target, including financial records, customer data, and intellectual property. Deploy data loss prevention policies to prevent unauthorised data exfiltration and monitor for unusual data access patterns that may indicate compromise. 

Email Security Configuration 

  • Block auto-forwarding to external recipients: Configure Exchange Online to prevent automatic forwarding outside the organisation and create alerts for any attempts to configure such rules. Monitor for email forwarding rules specifically targeting security vendor domains to detect actor reconnaissance activities. 
  • Monitor for suspicious email rules: Create alerts for email rules that delete messages, especially those filtering security vendor communications. Implement automated detection for rules that redirect emails intended for compromised users to external addresses. 
  • Enable enhanced filtering for high-risk users: Configure Microsoft Defender for Office 365 to apply strictest filtering to accounts with administrative privileges. Deploy Microsoft Defender for Cloud Apps with anomaly detection policies to identify unusual access patterns. 
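The inbox-rule alerts above (external auto-forwarding, rules that delete mail, and rules that single out security vendor domains) can be triaged with a small rule evaluator. This is an added example, not code from the original post; the rule fields, vendor domains and sample rules are constructed assumptions, modelled loosely on Exchange Online inbox rule properties rather than the real schema.

```python
# Constructed sample of mailbox inbox rules in a simplified dict form.
INTERNAL_DOMAINS = {"example.com"}
# Placeholder for the domains of your EDR/MDR/security vendors (assumed values).
SECURITY_VENDOR_DOMAINS = {"securityvendor.example", "soc-provider.example"}

INBOX_RULES = [
    {"user": "alice@example.com", "name": "sync", "from_contains": [],
     "forward_to": ["alerts@relay-host.example"], "delete": False},
    {"user": "bob@example.com", "name": "cleanup",
     "from_contains": ["securityvendor.example", "soc-provider.example"],
     "forward_to": [], "delete": True},
    {"user": "carol@example.com", "name": "backup", "from_contains": [],
     "forward_to": ["carol.backup@example.com"], "delete": False},
    {"user": "dave@example.com", "name": "noise", "from_contains": ["newsletter"],
     "forward_to": [], "delete": True},
]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate_rule(rule, internal=INTERNAL_DOMAINS, vendors=SECURITY_VENDOR_DOMAINS):
    """Return a list of (severity, code) findings for one inbox rule."""
    findings = []
    external = [a for a in rule["forward_to"] if domain_of(a) not in internal]
    # Does the rule's sender condition single out a security vendor?
    targets_vendor = any(v in f.lower() for f in rule["from_contains"] for v in vendors)
    if external:
        findings.append(("high", "forwards_externally"))
    if rule["delete"]:
        # Any delete rule is worth a look; one that hides vendor mail is serious.
        findings.append(("high" if targets_vendor else "low", "deletes_mail"))
    if targets_vendor and (external or rule["delete"]):
        findings.append(("high", "filters_security_vendor_mail"))
    return findings


def triage(rules):
    """Map user -> findings, omitting rules with nothing to report."""
    report = {}
    for rule in rules:
        findings = evaluate_rule(rule)
        if findings:
            report[rule["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in triage(INBOX_RULES).items():
        for severity, code in findings:
            print(f"{severity.upper():4} {user}: {code}")
```

Carol's internal forward produces no finding, while Dave's newsletter clean-up is reported at low severity so the vendor-filtering rule on Bob's mailbox stands out.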

Incident Response Preparedness 

  • Establish out-of-band communication channels: Maintain communication methods using Signal or separate collaboration tenants that do not rely on corporate email or collaboration platforms. Create isolated administrative accounts in a separate Entra ID tenant specifically for incident response activities, as threat actors commonly monitor incident response communications. 
  • Document critical configurations offline: Maintain physical copies of critical system configurations, network diagrams, and recovery procedures. These documents should be stored securely but remain accessible during a complete infrastructure compromise. 
  • Pre-stage incident response tools: Deploy forensic and recovery tools to secure jump boxes isolated from normal administrative access. Establish relationships with incident response firms before incidents occur and ensure tools include offline password reset utilities. 
  • Conduct ransomware-specific tabletop exercises: Run quarterly exercises simulating complete compromise scenarios these actors typically achieve. Include scenarios where threat actors monitor incident response communications and adapt their tactics in real-time. 

Continuous Monitoring and Detection 

  • Implement comprehensive administrative change monitoring: Monitor for modifications to security product configurations, conditional access policies, MFA device registrations, administrative role assignments, EDR exclusion additions, Windows Defender disablement, and firewall rule modifications. Create high-priority alerts for security product manipulation and the same MFA device being registered across multiple user accounts. 
  • Deploy automated secret scanning for code repositories: Implement tools like Gitleaks, TruffleHog, or GitGuardian to continuously scan git repositories and commits for exposed API keys, passwords, certificates, and other sensitive credentials. Configure pre-commit hooks to prevent secrets from entering repositories and establish automated scanning of existing codebases, including historical commits. 
  • Track authentication anomalies aggressively: Tune SIEM rules to surface unusual authentication patterns, including authentication from infrequent locations and proxy/VPN service providers. Deploy Azure Sentinel with Microsoft's Fusion ML detections and entity behaviour analytics to identify lingering threat actor persistence. 
  • Monitor underground forums and paste sites: Establish processes to monitor for leaked credentials, session tokens, and sensitive data that could facilitate initial access. Many breaches begin with credentials purchased from underground marketplaces. 
  • Audit third-party access quarterly: Review all vendor accounts, service principals, and partner access for continued business need. These external access points often receive less scrutiny but provide equivalent access to internal accounts. 
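Two of the monitoring points above, the same MFA device registered across multiple accounts and an MFA registration landing inside the 24-hour cooling-off period after a password reset (from the administrative account section), can be checked with the detection logic below. This is an added example, not code from the original post; the event field names, device identifiers and sample events are constructed assumptions rather than the real Entra ID audit log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of identity audit events (simplified; field names are
# assumptions, not the exact Entra ID schema). Times are UTC ISO 8601.
EVENTS = [
    {"time": "2025-07-28T09:00:00", "activity": "Reset user password", "user": "alice@example.com", "device_id": None},
    {"time": "2025-07-28T09:12:00", "activity": "User registered security info", "user": "alice@example.com", "device_id": "auth-7f3a"},
    {"time": "2025-07-28T09:40:00", "activity": "User registered security info", "user": "bob@example.com", "device_id": "auth-7f3a"},
    {"time": "2025-07-28T10:05:00", "activity": "User registered security info", "user": "carol@example.com", "device_id": "auth-7f3a"},
    {"time": "2025-07-26T08:00:00", "activity": "Reset user password", "user": "dave@example.com", "device_id": None},
    {"time": "2025-07-28T11:00:00", "activity": "User registered security info", "user": "dave@example.com", "device_id": "fido-0c91"},
    {"time": "2025-07-28T12:00:00", "activity": "User registered security info", "user": "erin@example.com", "device_id": "fido-5521"},
]
REGISTER = "User registered security info"
RESET = "Reset user password"


def shared_mfa_devices(events, min_users=2):
    """Devices registered as an MFA method by `min_users` or more distinct accounts."""
    users_by_device = defaultdict(set)
    for e in events:
        if e["activity"] == REGISTER and e["device_id"]:
            users_by_device[e["device_id"]].add(e["user"])
    return {d: sorted(u) for d, u in users_by_device.items() if len(u) >= min_users}


def registrations_after_reset(events, cooling_off=timedelta(hours=24)):
    """(user, device) pairs where a new MFA method was registered within
    `cooling_off` after a password reset for the same user."""
    resets = defaultdict(list)
    for e in events:
        if e["activity"] == RESET:
            resets[e["user"]].append(datetime.fromisoformat(e["time"]))
    flagged = []
    for e in events:
        if e["activity"] != REGISTER:
            continue
        registered_at = datetime.fromisoformat(e["time"])
        # Only resets that precede the registration, and by less than the cooling-off, count.
        if any(timedelta(0) <= registered_at - r < cooling_off for r in resets[e["user"]]):
            flagged.append((e["user"], e["device_id"]))
    return flagged


if __name__ == "__main__":
    for device, users in shared_mfa_devices(EVENTS).items():
        print(f"HIGH: device {device} registered by {len(users)} accounts: {', '.join(users)}")
    for user, device in registrations_after_reset(EVENTS):
        print(f"HIGH: {user} registered {device} inside the cooling-off window after a reset")
```

In the sample, one authenticator is shared by three accounts, alice registers it twelve minutes after her reset, and dave's registration two days after his reset is correctly left alone.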

Understand What’s Next 

Defending against threats of this variety is by no means straightforward – there’s clearly a lot involved. If you’d like to better understand how to prioritise and implement your mitigation plan, please reach out to us to book a call. 

Resources 

The following posts have been instrumental in helping us to form this blog series, and we’d encourage you to show them your support: 


About the author

Chris Campbell

Chris was that notoriously disobedient kid who sat at the back of the class and always seemed bored, but somehow still managed to ace all of his exams. Obsessed with the finer details and mechanics of everything in both the physical and digital realms, Chris serves as the Principal Security Architect within the Inde Security Team. His ventures into computer security began at an early age and haven't slowed down since. After a decade spent across security and operations, and evenings spent diving into the depths of malware and operating systems, he brings a wealth of knowledge to Inde along with a uniquely adversary focused approach to defence. Like many others at Inde, Chris likes to unwind by hitting the bike trails or pretending to be a BBQ pitmaster. He is also heavily involved in the leadership of security events, trust groups and research projects.
