Identity Threats and Security: What-why-how?
Explore the niche category of emerging issues related to managing users: related threats, how major breaches happened, and what could be done to thwart these.
Identity Threats explained
Let's clarify what identity security is. Every user and machine in any organization has an identity that determines who they are and what resources they have access to. It is crucial to manage and protect these identities.
Identity and Access Management (IAM) is the term given to handling these identities and their corresponding authorization and access permissions. A secure IAM infrastructure is important for identity security because it reduces the chances of compromise, and when an identity is compromised anyway, it limits the damage. That second point is crucial to keep in mind while building a robust IAM program, because it is not possible to stop all breaches; that’s just not how security works!
That’s where the principle of least privilege comes into play: providing only the required amount of permissions and access to an account/identity.
Say Dave and Suzie work in the finance departments of two different companies and only require access to cost data.
While Dave’s account is restricted to financial and cost data so that he can perform his work, Suzie has lax permissions that allow her to read codebases, make modifications, and do all sorts of other things that her job does not require.
If Dave’s account is compromised, the damage is limited to a leak of financial data, but if Suzie’s account is compromised, there is no limit to how much havoc attackers can cause. Here, Dave’s organization follows the principle of least privilege while Suzie’s organization has poor IAM.
Now that we hopefully have a better understanding of what identity and identity security are, we can start exploring identity threats. Any malicious activity intended to compromise an identity and the resources associated with it can be termed an identity threat to identity security and the IAM infrastructure:
- Account takeover
- Bypassing MFA
- Elevating privileges
- Digital fraud
- Anything else where the user isn’t who they claim to be
And these are not theoretical things discussed only within academic circles: 2022 saw a large increase in breaches that compromised identity security within large organizations. Let’s discuss one such case to understand how identity threats and identity security play out in the real world.
Uber 2022 breach
Like any other year, 2022 saw its fair share of cyber-attacks and data breaches. The rise in awareness of 2FA/MFA as protection against credential stuffing didn’t stop attackers from causing issues. Let’s take a look at how the Uber breach from 2022 took place:
- Initial Access: Cyber-attackers gained “complete” access to Uber systems, ranging from confidential employee data and internal documents to the complete code base. Initial access was attempted with stolen passwords from a dark web marketplace, but these attempts were stopped by the MFA that was in place.
- Bypassing MFA: To get past this, a technique called “MFA Flood” or “MFA Exhaustion” was used, where the attacker sends multiple MFA approval requests in quick succession. Combined with social engineering, this led the employee to approve an MFA request just to stop the annoying flood of notifications.
- Complete Compromise: Once VPN access was gained, the attackers found hardcoded credentials inside scripts on one of the network shares, which led to the compromise of all the third-party tools used by Uber, including cloud vendors, employee management tools, etc.
So what went wrong? In fact, many things! There was a lack of monitoring and alerting around identity security. As soon as multiple MFA requests started being generated for the victim employee, alerts should have fired:
- Why does an account that usually needs one or two requests to authenticate suddenly have fifty?
- Is it happening at an unusual time?
- Why is an account that normally logs in in the morning requesting access at midnight out of the blue?
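Both of those questions can be turned into simple detections. The following is an added example, not code from the original article: it runs two checks over a constructed identity-provider log (a burst of MFA pushes for one account inside a short window, and a push approved outside the account's normal hours) and ranks an account that shows both as the highest-risk case. The log format, the thresholds and the working hours are assumptions.

```python
"""Flag MFA push floods and off-hours approvals in identity-provider logs. Added example,
not from the original article; the log format, thresholds and work hours are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log, one "<ISO timestamp> <user> <event>" per line.
SAMPLE_LOG = """\
2022-09-15T09:02:11 dave mfa_push_sent
2022-09-15T09:02:25 dave mfa_push_approved
2022-09-15T23:41:02 suzie mfa_push_sent
2022-09-15T23:41:09 suzie mfa_push_sent
2022-09-15T23:41:17 suzie mfa_push_sent
2022-09-15T23:42:03 suzie mfa_push_sent
2022-09-15T23:47:40 suzie mfa_push_sent
2022-09-15T23:47:55 suzie mfa_push_approved
"""
FLOOD_THRESHOLD = 5                    # pushes within FLOOD_WINDOW that trigger an alert
FLOOD_WINDOW = timedelta(minutes=10)
WORK_HOURS = range(7, 20)              # 07:00-19:59 is "normal" for this constructed org

def parse(log_text):
    """Return [(timestamp, user, event)] tuples from the constructed log format."""
    return [(datetime.fromisoformat(ts), user, event)
            for ts, user, event in (line.split() for line in log_text.splitlines())]

def detect_mfa_flood(events):
    """Return {user: peak_count} for users with >= FLOOD_THRESHOLD pushes in one window."""
    pushes = defaultdict(list)
    for ts, user, event in events:
        if event == "mfa_push_sent":
            pushes[user].append(ts)
    alerts = {}
    for user, times in pushes.items():
        times.sort()
        for i, t in enumerate(times):
            count = sum(1 for s in times[:i + 1] if t - s <= FLOOD_WINDOW)  # window ending at t
            if count >= FLOOD_THRESHOLD:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts

def detect_off_hours(events):
    """Return [(user, iso_timestamp)] for approvals outside WORK_HOURS."""
    return sorted((user, ts.isoformat()) for ts, user, event in events
                  if event == "mfa_push_approved" and ts.hour not in WORK_HOURS)

def triage(log_text):
    """Rank flooded accounts; a flood that ends in an off-hours approval is the pattern above."""
    events = parse(log_text)
    off_hours = dict(detect_off_hours(events))
    return {u: "flood_then_off_hours_approval" if u in off_hours else "flood"
            for u in detect_mfa_flood(events)}
```

Dave's single push and daytime approval produce nothing, while Suzie's five pushes in under ten minutes followed by an approval at 23:47 come out as the top-ranked alert.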
Not to forget the case of hardcoded credentials. It’s 2023 already and we are still struggling with hardcoded passwords in scripts! Every machine could have its own identity, or be part of a group with the permissions its role requires. The breach revealed the lack of focus on identity security and how little importance was given to IAM. So what could have been done better?
Before moving ahead, let’s briefly discuss another breach. Ironically, the IAM and identity solutions provider Okta was also breached last year. Though not a direct breach, one of their support engineers’ third-party accounts was compromised. And guess what the initial access method was? Yep, you guessed it right: MFA was breached and a new authentication method was added to that employee’s account. Using a compromised RDP session that was active on the employee’s system, the attackers logged into Okta’s remote machine. MFA bypasses, insecure login sessions: is there a pattern that leads to such high-profile breaches? This remains a burning question.
How could these breaches be prevented?
Identity security and how to strengthen it?
There’s no single-shot solution to solve gaps present in most organizations’ identity security infrastructure. There rarely is when it comes to the security industry. Below are some of the ways that can help in protecting against threats and attacks targeting identity services.
The security of a company is only as strong as its weakest link, which in most cases is its people. Most of these attacks began with social engineering attempts, be it phishing, malicious spam, etc., which prey upon the human tendency to trust. There is a need to increase awareness regarding operational security: being wary of suspicious emails, recognising the common signs of social engineering, and so on.
Proper IAM governance
A well-planned IAM infrastructure could be the deciding factor in whether or not you get breached through an identity threat. As we mentioned earlier, following the principle of least privilege is the recommended approach when deciding permissions. Creating identity roles based on requirements, and attaching these roles to users and groups, leads to a more manageable form of IAM.
Improve security standards
Balanced compliance guidelines and security practices, which are relatively easy to follow from a user’s perspective while providing ample security, help overall security. No hardcoded credentials, strong password policies, password rotation cycles, mandatory MFA usage, etc. not only protect against identity threats but also give better protection against a large variety of cyberattacks.
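The "no hardcoded credentials" rule is one that can be checked mechanically before a script ever reaches a network share. As an added example, not from the original article, the scanner below flags password- or token-like variables assigned a string literal in shell, PowerShell, Python or YAML-style lines, skips values that are runtime lookups or placeholders, and masks what it reports so the finding itself does not leak the secret. The variable-name list, the safe-value patterns and the sample script are constructed.

```python
"""Flag hardcoded credentials in scripts before they land on a network share. Added example,
not from the original article; name list, safe-value patterns and sample script are constructed."""
import re

# Variable names that usually hold secrets (shell, PowerShell, Python, YAML-style assignments).
SECRET_NAMES = r"(?:password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key)"
# Matches: NAME="literal", name: 'literal', export NAME='literal', $Name = "literal"
ASSIGNMENT = re.compile(
    r"^\s*(?:export\s+|\$)?(?P<name>\w*" + SECRET_NAMES + r"\w*)\s*[:=]\s*"
    r"(?P<quote>[\"'])(?P<value>[^\"']{4,})(?P=quote)",
    re.IGNORECASE,
)
# Values that are references or placeholders, not secrets: ${VAR}, %VAR%, {{ template }}, <fill-in>.
SAFE_VALUE = re.compile(r"^(\$\{?\w+\}?|%\w+%|\{\{.*\}\}|<[\w\s-]+>|change_?me|x{4,})$", re.IGNORECASE)

def mask(value):
    """Keep two leading characters so the finding is recognisable without echoing the secret."""
    return value[:2] + "*" * (len(value) - 2)

def scan_script(text):
    """Return [(line_no, variable_name, masked_value)] for likely hardcoded secrets."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if m and not SAFE_VALUE.match(m["value"]):
            findings.append((no, m["name"], mask(m["value"])))
    return findings

# Constructed sample: the kind of backup script that ends up on a shared drive.
SAMPLE_SCRIPT = """\
#!/bin/bash
# nightly backup of the reporting database
DB_USER="svc_backup"
DB_PASSWORD="Summer2022!"
export STORAGE_API_KEY='k3y-0000-example'
export VAULT_TOKEN="${VAULT_TOKEN}"      # injected by the scheduler at runtime, fine
SMTP_PASSWORD="<set-by-deploy>"          # placeholder, fine
"""

if __name__ == "__main__":
    for no, name, value in scan_script(SAMPLE_SCRIPT):
        print(f"line {no}: {name} = {value}  -> move to a secret store or a machine identity")
```

Run against the sample it reports only lines 4 and 5; the `${VAULT_TOKEN}` lookup and the `<set-by-deploy>` placeholder are left alone, which is the distinction that keeps such a check usable in a pre-commit hook or a share audit.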
Use ITDR solutions
Identity Threat Detection and Response, or ITDR, is an emerging field of security solutions that focuses on logging, monitoring, and alerting on identity-related data. ITDR software integrates with SSO and identity service providers and tracks usage patterns to find suspicious ones. Based on its findings, it generates suggestions, mitigations, and alerts that help in responding rapidly to the issues found.
This list is by no means exhaustive, as security measures change with the existing posture and requirements of an organization, but the above-mentioned points can significantly improve the quality of defenses against cybercriminals.
With the rise of major cyber attacks in 2022, their number will only grow in the coming years. There is an urgent need for organizations to gear up their security programs and to make sure ample attention is given to how identities are managed and accessed throughout the organization. This article was written in an attempt to make minds curious about identity security and the dilemmas related to it.