CISA Intune Hardening After Stryker Hack
Key Questions
What happened in the Stryker hack involving Intune?
Iran-linked Handala hackers gained Global Admin access and used Intune to wipe 200,000 devices. This incident prompted CISA to urge hardening measures like RBAC and MFA.
What does CISA recommend after the Intune incident?
CISA urges role-based access control (RBAC), multi-factor authentication (MFA), certificate authority (CA), Defender pre-enrollment, M365 alerts, and exams like MS-102/MD-102. Additional focus on Entra Connect and Cloud Sync best practices.
What are the risks of Global Admin accounts in Microsoft environments?
Global Admin lockout risks arise from misconfigurations such as MFA deadlocks, affecting services like M365 Business. Propagation issues and sprawl can lead to outages.
What are best practices for Entra Connect and Cloud Sync?
Use Entra Connect to synchronize on-premises AD with Entra ID, noting its key differences from Cloud Sync; design Cloud Sync deployments for hybrid environments with attention to RBAC and licensing. Avoid common pitfalls such as user-creation errors.
How does Microsoft Entra External ID help with security?
Microsoft Entra External ID manages external identities and tenants securely, controlling access in multi-tenant scenarios. It addresses sprawl and outage risks post-incidents like Stryker.
What caused recent Microsoft 365 outages?
Outages stem from sprawl, propagation delays in M365 Business, and configuration issues like RDP end-of-support. Global admin lockouts exacerbate service disruptions.
What certifications prepare for Intune and Entra security?
MS-102 and MD-102 exams cover Microsoft 365 and endpoint admin skills, including security hardening. SC-200 focuses on Security Operations Analyst roles with Defender.
How to mitigate Intune wipe risks like in Stryker?
Implement strict RBAC, MFA everywhere, Defender for pre-enrollment, and M365 alerts. Test data protection rules against business and regulatory needs.
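The following PowerShell script is an added example, not code from the original page or from CISA or Microsoft. It shows the first check a defender would run against the RBAC and MFA recommendations above: enumerate every member of the Global Administrator role, flag members without registered MFA, and warn when the count exceeds a small threshold. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller holds read-only Graph permissions, and that the Global Administrator role template id is the standard Entra ID value; the threshold of 4 is an arbitrary assumption.

```powershell
# Added example (not from the original page): audit Global Administrator
# membership and MFA registration with read-only Microsoft Graph calls.
# Assumptions: Microsoft.Graph SDK installed; the role template id below is
# the well-known Entra ID value; the threshold of 4 admins is arbitrary.

function Get-GlobalAdminReport {
    param(
        [int]$MaxExpectedAdmins = 4   # assumed threshold, adjust per tenant
    )

    # Read-only scopes: list directory roles/members and MFA registration reports.
    Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","AuditLog.Read.All" -NoWelcome

    # Well-known Global Administrator role template id (assumption: standard value).
    $globalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10"

    # Filter client-side so the call does not depend on server-side $filter support.
    $role = Get-MgDirectoryRole -All | Where-Object { $_.RoleTemplateId -eq $globalAdminTemplateId }
    if (-not $role) {
        throw "Global Administrator role is not activated in this tenant."
    }

    # Build a lookup of MFA registration state keyed by user object id.
    $mfaById = @{}
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object {
        $mfaById[$_.Id] = $_.IsMfaRegistered
    }

    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    $report = foreach ($m in $members) {
        # Members can be users, groups or service principals; only users carry a UPN.
        $type = $m.AdditionalProperties['@odata.type']
        $upn  = $m.AdditionalProperties['userPrincipalName']
        $mfa  = if ($mfaById.ContainsKey($m.Id)) { $mfaById[$m.Id] } else { $null }

        [pscustomobject]@{
            ObjectId        = $m.Id
            ObjectType      = $type
            UserPrincipalName = $upn
            MfaRegistered   = $mfa          # $null for non-user members
            Finding         = if ($type -eq '#microsoft.graph.user' -and -not $mfa) {
                                  'NO MFA REGISTERED'
                              } elseif ($type -ne '#microsoft.graph.user') {
                                  'NON-USER PRINCIPAL HOLDS GLOBAL ADMIN'
                              } else { 'ok' }
        }
    }

    if ($report.Count -gt $MaxExpectedAdmins) {
        Write-Warning ("Global Administrator has {0} members; expected at most {1}. " -f $report.Count, $MaxExpectedAdmins) +
                      "Move day-to-day tasks to scoped Intune/Entra roles."
    }

    return $report
}

# Usage: run interactively and review the findings column.
Get-GlobalAdminReport | Format-Table -AutoSize
```

Every member with a finding other than `ok` is either a Global Admin without MFA or a non-user principal holding the role; both are the conditions the Stryker-style wipe depended on and both are what the RBAC and MFA recommendations are meant to eliminate. Run it again after remediation and keep the output as evidence for the M365 alert baseline.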