Following the SolarWinds Orion-based software attack, Microsoft last month recommended security measures for IT pros to consider.
Microsoft has been compiling a list of tips to identify such attacks at its Microsoft Security Response Center’s Solorigate page.
The articles on security recommendations were mostly written by Alex Weinert, director of identity security at Microsoft. In this article on the Active Directory identity verification process, Weinert says that resources using SAML tokens should be considered a possible risk. The issue is not specific to a software vendor, he added:
“Any resource which trusts a customer’s compromised SAML token signing certificate should be considered at risk. The SAML attack is not specific to any particular identity system or identity vendor you use. It impacts any vendor’s on-premises or cloud identity system, and any resources that depend on industry-standard SAML identity federation.”
Along with this, Weinert gave multiple tips to IT pros. He also directed IT pros whose organizations use the Azure AD service to a workbook that can be used with the Azure Monitor solution. He said it can come in really handy for finding “indicators of compromise”.