Practical Defensive Actions for Organisations

1. Treat Identity as Critical Infrastructure

Protect cloud identity platforms with the same rigor as production systems.
Implement:

• Phishing-resistant MFA (FIDO2/passkeys)
• Strict conditional access policies
• Continuous sign-in monitoring
• Impossible-travel detection
• Token abuse detection
• Privileged role alerts

Identity compromise is often the first step in control plane takeover.

2. Harden and Protect Intune as a Critical Control Plane

Organisations should treat Microsoft Intune as Tier-0 infrastructure, equivalent to domain controllers.

Key protections include:

• Restrict administrative access
• Limit Intune administrative roles to dedicated security personnel
• Use separate admin identities (never daily-use accounts)
• Enforce phishing-resistant MFA
• Use hardened administrative workstations

Require administrators to manage Intune only from:

• Privileged Access Workstations (PAWs)
• Hardened, monitored devices
• Isolated admin environments

This prevents attackers from hijacking admin sessions from compromised endpoints.

Monitor for high-risk Intune actions

Alert on:

• Mass device wipe commands
• Bulk policy deployments
• Unusual device retirements
• New administrator role assignments
• Sudden configuration changes

These actions are early indicators of destructive abuse.

3. Implement Just-In-Time (JIT) Privileged Access

Standing administrative privileges create a permanent attack opportunity.

Instead, organisations should implement Just-In-Time (JIT) elevation, using tools such as Microsoft Entra ID and Microsoft Entra Privileged Identity Management.

JIT reduces risk by ensuring:

• Administrators do not permanently hold Intune privileges
• Access must be explicitly requested and approved
• Privileges are time-limited (e.g., 15–60 minutes)
• All elevation events are logged and monitored

If attackers compromise an admin account without active elevation, they cannot immediately control Intune.

This dramatically reduces the blast radius of identity compromise.

4. Assume Destructive Actors – Harden Recovery

Organisations must prepare for device fleet destruction scenarios.

Key measures:

• Immutable backups
• Air-gapped backup infrastructure
• Separate authentication domains for backups
• Gold device images
• Automated device rebuild pipelines

The goal is rapid fleet reconstruction, not negotiation.

5. Operationalise Incident Response

Many organisations have incident response plans that are never exercised.

To ensure readiness:

• Conduct regular tabletop exercises
• Include IT, security, legal, communications, and executives
• Pre-contract digital forensics and incident response firms
• Pre-stage crisis communication procedures
• Speed matters in destructive incidents.

6. Practice Business Continuity Without Core IT

Prepare for 24–72 hours of degraded IT availability.

Develop manual procedures for:

• Order processing
• Manufacturing coordination
• Shipping and logistics
• Supplier communications

Organisations should maintain offline procedures and alternate communication channels.

7. Segment Critical Management Planes (Zero Trust)

Apply Zero Trust segmentation across:

• Identity infrastructure
• Endpoint management platforms
• Backup systems
• Operational technology networks
• Administrative environments

This reduces the likelihood that compromise in one area results in total environment control.