
Zero Trust Model: Study of emerging threats, definition of potential identity-based attack scenarios and countermeasures in an Azure Active Directory environment

Angelo Oscar Piccirillo


Rel. Antonio Lioy, Bruno Sicchieri. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2022


In recent years the Zero Trust model has gained significant traction in the cybersecurity sphere. The tendency is to migrate from a perimeter-based approach to a perimeter-less one. This trend has also been accelerated by the Covid-19 pandemic, which forced companies to handle employees connecting from all over the globe and made a trusted organisational perimeter useless. The present thesis work aims to analyse the cyber-threats inside a Zero Trust environment, define potential identity-based attack scenarios, and provide possible countermeasures in line with this model. The initial part of the thesis analyses the most relevant Zero Trust principles, together with a technical description of the cloud platform used to implement it in this work: Azure Active Directory. The subsequent chapters focus on the attack scenarios. The adoption of this security model centres on the adoption of Multi-Factor Authentication (MFA) techniques. Consequently, the target of attackers is also changing, moving from stealing user credentials to taking possession of the session once the authentication process has come to an end. The attacks implemented in this work are centred on this concept in a Microsoft Azure cloud environment. They have been categorised into three classes: Single Sign-On (SSO) scheme abuse, phishing attacks, and workload identity misconfiguration instances. The first category explores how an attacker can steal the authentication token used in the Azure SSO implementation. Starting from a known attack scenario, called Pass-The-PRT, an enhanced version has been developed in order to overcome its shortcomings. The second class explores two phishing scenarios, both related to OAuth 2.0: the first leverages the device code flow, the second the authorisation code flow. Finally, the last category explores situations in which the least privilege principle (fundamental in a Zero Trust strategy) is not respected, leading to privilege escalation and unauthorised access to protected resources. The last part of the thesis proposes some possible countermeasures, in line with a Zero Trust Architecture, to counteract the analysed attack scenarios.
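One defender-side check for the device code flow phishing scenario described above, as an added example that is not part of the thesis: a small Python script that flags device code flow sign-ins in Azure AD sign-in log records and escalates those coming from a country the user has no interactive sign-in baseline for. The records are constructed here and loosely follow the Microsoft Graph signIn schema (the authenticationProtocol field); the exact field names are assumptions about that schema, not taken from the thesis.

```python
"""Flag device code flow sign-ins in Azure AD sign-in log records."""
from collections import defaultdict

# Constructed sample records (made-up users, IPs and countries) shaped
# after the Microsoft Graph signIn resource; field names are assumptions.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "IT"},
     "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "IT"},
     "appDisplayName": "Microsoft Teams"},
    # Device code sign-in from a country alice has never used interactively.
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Microsoft Azure CLI"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.20", "location": {"countryOrRegion": "IT"},
     "appDisplayName": "Microsoft Office"},
    # Device code sign-in from bob's usual country: still worth a look.
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.21", "location": {"countryOrRegion": "IT"},
     "appDisplayName": "Microsoft Azure CLI"},
]


def baseline_countries(signins):
    """Countries each user has signed in from with a non-device-code flow."""
    seen = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            seen[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return seen


def find_device_code_signins(signins):
    """Return every device code flow sign-in with a review severity.

    The flow is meant for input-constrained devices, so each use deserves
    review; one from a country outside the user's interactive baseline
    (or from a user with no baseline at all) is rated 'high'.
    """
    baseline = baseline_countries(signins)
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        user, country = s["userPrincipalName"], s["location"]["countryOrRegion"]
        severity = "medium" if country in baseline.get(user, set()) else "high"
        findings.append({"user": user, "ip": s["ipAddress"], "country": country,
                         "app": s.get("appDisplayName"), "severity": severity})
    return findings
```

Against the constructed sample the script reports alice's US sign-in as high and bob's as medium; in practice the records would be pulled from the tenant's sign-in logs and the baseline built over a longer window.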

Relators: Antonio Lioy, Bruno Sicchieri
Academic year: 2022/23
Publication type: Electronic
Number of Pages: 93
Additional Information: Thesis under embargo. Full text not available
Degree programme: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Degree class: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Collaborating companies: MSC Technology Italia
URI: http://webthesis.biblio.polito.it/id/eprint/25613