By Gunnar Peterson, CISO, Forter
Earlier this year, cybercriminals infiltrated Okta’s systems, an authentication company thousands of organizations around the world use to manage access to their networks and applications. The threat actor gang, known as Lapsus$, gained access to the laptop of one of Okta’s third-party support engineers for five days, potentially affecting a small number of the company’s customers.
Okta said the access was limited, but this wasn’t even the biggest issue. While cyberattacks are so frequent these days, this incident was different because the bad actors cleverly targeted the very tools that so many customers use to restrict network access.
Blue team defenders are used to protecting our data, applications, and users with access controls and other security mechanisms, which is why attacks like this are especially challenging when they target identity and access control systems – the very thing defenders rely on to keep intruders out. Identity is now much more than a glue layer for distributing access. It is a frontline perimeter for defenders. In fact, Microsoft’s CVP and CISO Bret Arsenault summarized the issue perfectly: “Hackers don’t break in, they log in.”
Identity and authentication mechanisms, like multifactor authentication, are commonly used as a first line of defense. However, the FBI ) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert warning that this technology on its own is failing against sophisticated, evolving cybercriminal groups and tactics.
According to the alert, the exploitations occur after actors gain access to a victim’s on-premises network and then leverage privileged access to subvert mechanisms that grant access to cloud and on-premises resources. They are also compromising administrator credentials to manage cloud resources. Simply put, our adversaries are dynamic and intelligent, and defenders cannot rely solely on static, list-based access control systems. Our access control protection layers need to be backstopped by monitoring systems that can detect malice and continually improve access control quality.
Access control mediates communications between users and the applications and data. But when attackers turn their focus from the applications and data and instead focus on companies’ identity and access control systems, the job of defending systems gets more fiercely complicated.
To cope with a more targeted malicious environment, access control systems need to adapt to user behavior and types of requests and flows. The protective access control layers must co-evolve with the intelligence gained from the detection layer. And it requires automation to efficiently scale.
Identity and access control systems focus on enforcing authentication and authorization policies. However, detecting malice requires more insight, and technology exists to fill that gap. Identity graphs go beyond the access control matrix to inspect user behavior for tactics like token tampering, forgery, and other tactics, techniques, and procedures (TTPs) that can adversely impact networks with account takeovers and lateral movements. Access to systems should be monitored not only for policy compliance, but also for known malicious behaviors.
Interestingly, a NSA/CISA alert also recommends cloud tenants pay attention to locking down tenant single sign on (SSO) configuration and service principal usage, as well as hardening the systems that run on-premises identity and federation services. Monitoring the use of SSO tokens and the use of service principals in the cloud can help detect the compromise of identity services.
If you have a chance to observe a red team attack on your system, you may notice that your access control system probably functions the same during a legitimate log-in as it does when it’s under attack. It shouldn’t. The access control system should be defended by looking for known attack behaviors and step up its posture to meet these challenges. As attacker tactics dramatically increase in frequency and sophistication, defenders must co-evolve and add ongoing malice detection to our identity and access control stacks.