Breaches happen.
And looking back at the numbers for 2022, they appear to be happening far more often than before. This past year saw a 38% increase in the number of weekly attacks over what we saw in 2021, raising the odds of successful breaches as malicious actors seek to steal, destroy, or otherwise damage organizations’ data.
Unfortunately, their malicious efforts are paying off as a whopping 108.9 million accounts were reportedly breached in Q3 of 2022.
At the center of these breaches is identity. Attackers use compromised identities to breach their targets, then use those identities’ privileges to move around inside the organization in order to reach their targeted assets.
Research from mid-2022 by the IDSA found that 84% of organizations had experienced an identity-related breach. The same study found that 78% of those organizations reported a direct business impact from the breach.
Given these statistics, organizations are well aware of the risk that they face from identity-based attacks. The challenge they face though is in taking the right steps to reduce their risk and then mitigate threats when an attacker does slip through.
However, in order to respond effectively, security teams have to recognize the signs that they are under attack.
Below are a few of the red flags that should prompt you to investigate whether you have a breach on your hands.
Indicators of a Probable Breach
-
Stale Accounts and Access Privileges Spring Back to Life
Employees leave organizations, change roles, and stop using access privileges granted to them when they no longer need them. These are all common IAM lifecycle events.
The problem is that such accounts are likely unmonitored, so an attacker who compromises one can move around using whichever privileges remain assigned to it.
Similarly, when identities hold onto access privileges that they no longer use regularly, they increase their risk level in the event they are compromised. Every access privilege represents additional opportunities for attackers to expand their reach, widening the threat surface.
Unused access privileges and inactive accounts are all risk and no reward.
Their presence should concern you, since it means that you’re not keeping up with least privilege. Even more disturbing is when an account or access privilege suddenly comes back to life.
Action Item
Sure, there is always the chance that a legitimate employee is using the account, but an investigation — followed by a quick cleanup — is definitely in order to determine whether something nefarious is afoot.
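One way to surface the "account springs back to life" signal described above, as an added example that is not code from the original post or from Authomize: the log lines are constructed, and the 60-day dormancy threshold is an assumed value you would tune to your own environment.

```python
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real data).
# Format per line: "<ISO-8601 timestamp> <user> <result>"
SAMPLE_AUTH_LOG = """\
2022-09-01T08:02:11Z alice success
2022-09-01T08:05:40Z bob success
2022-09-02T09:10:03Z alice success
2022-10-15T11:00:00Z alice success
2022-10-16T10:00:00Z alice failure
2022-12-20T03:14:59Z bob success
2022-12-20T03:20:10Z carol success
2022-12-21T09:00:00Z alice success
"""
DORMANCY_DAYS = 60  # assumed threshold: a gap this long makes an account "stale"

def parse_events(text):
    """Parse log lines into (timestamp, user, result) tuples, oldest first."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)

def find_reactivated_accounts(text, dormancy_days=DORMANCY_DAYS):
    """Return (user, gap_in_days, timestamp) for every successful login that follows
    at least `dormancy_days` of silence since that user's previous successful login.
    A user's first login in the window is never flagged: in practice, seed
    `last_seen` from your IdP's last-login records instead of starting empty."""
    last_seen = {}
    alerts = []
    for ts, user, result in parse_events(text):
        if result != "success":
            continue  # failed attempts do not establish activity
        prev = last_seen.get(user)
        if prev is not None and ts - prev >= timedelta(days=dormancy_days):
            alerts.append((user, (ts - prev).days, ts))
        last_seen[user] = ts
    return alerts
```

In the sample, bob (109 days quiet) and alice (66 days quiet) are flagged; each hit is an account to investigate and, if the access is no longer needed, to clean up.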
-
User Impersonation, Lateral Movement, and Privilege Escalation Detected
Once an attacker succeeds in compromising an account, their next step is to start moving through your organization on their way to reaching valuable assets.
If you have done a decent job of limiting the compromised identity’s privileges, then the attacker is going to have to start looking for ways to expand their access. This often means looking to move laterally and escalate their privileges.
A common example: an account is compromised, and the attacker uses the identity’s privileges to assume roles in AWS, then moves on to GitHub, O365, and any other resources the identity has access to. If the attacker can assume a role that in turn lets them assume a different, more privileged role, they will be able to cause greater damage.
Check out this video to learn more about user impersonation attacks, in which Lapsus$ hackers can leverage a low-level Okta app admin user to create and approve a virtual credit card in a payment app.
Action Item
Identify privilege escalation paths like role chaining, shadow admins, and nested public groups. Limit privileges to reduce the blast radius from an attack.
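The role-chaining paths this action item asks you to identify can be found by treating assume-role trust relationships as a graph. This is an added example, not code from the original post or from Authomize; the trust graph and the set of privileged roles are constructed and simplified (real AWS trust policies also carry conditions that this model ignores).

```python
from collections import deque

# Constructed, simplified trust graph (not from any real account): each key is a
# principal and the value is the set of roles its trust policies let it assume.
ASSUME_ROLE_GRAPH = {
    "user:dev-alice": {"role:ci-deploy"},
    "user:auditor": {"role:prod-readonly"},
    "role:ci-deploy": {"role:build-artifacts", "role:prod-readonly"},
    "role:prod-readonly": {"role:prod-admin"},  # overly broad trust policy
    "role:build-artifacts": set(),
    "role:prod-admin": set(),
}
PRIVILEGED_ROLES = {"role:prod-admin"}  # assumed: roles whose compromise is critical

def escalation_paths(graph, start, privileged, max_depth=6):
    """Breadth-first search for every assume-role chain from `start` that ends at a
    privileged role; shorter chains come first. Cycles between mutually trusting
    roles are skipped so the search terminates."""
    paths = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node in privileged and len(path) > 1:
            paths.append(path)
            continue  # stop at the first privileged role on this branch
        if len(path) > max_depth:
            continue
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:
                queue.append(path + [nxt])
    return paths

def principals_reaching_privilege(graph, privileged):
    """Map each human or service identity (non-role principal) to its escalation chains."""
    findings = {}
    for principal in graph:
        if principal.startswith("role:"):
            continue
        paths = escalation_paths(graph, principal, privileged)
        if paths:
            findings[principal] = paths
    return findings
```

Both sample identities reach prod-admin through the prod-readonly role's trust policy, so tightening that single trust relationship removes every path and shrinks the blast radius for both of them.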
-
Creation of New Admins or Other Privilege Changes
When the crew from APT 29 breached SolarWinds, defeating MFA and using a Golden SAML technique to carry out one of the most interesting attacks of the past few years, one highlight was that they added privileges in Active Directory to a compromised identity, which allowed them to carry out their now famous supply chain assault.
If an attacker is able to compromise your Identity Provider, they can add, revoke, or do pretty much whatever they want with your identities’ access privileges. Having this capability is like giving them the keys to the kingdom.
Action Item
Any changes to access privileges, especially any increases in privileges, should be investigated. If those privileges are not warranted, revoke them. Even if they are legitimate, give the identity additional protections such as closer monitoring and an enforced MFA policy.
-
Persistence and Defense Evasion by Manipulating Trust Configurations
Once a hacker makes it into your environment, they are going to work to make it hard for you to kick them out. A powerful way for the attacker to achieve real sticking power is by moving upstream to your identity and access management (IAM) infrastructure.
By successfully compromising your Identity Provider (IdP), the attacker exploits the trust that your downstream apps and services place in your IAM. Because these apps unquestioningly depend on your IAM tools, such as IdPs and Privileged Access Management (PAM), to manage who has access, they are vulnerable to manipulation.
These trust relationships play an important role in the functioning of IAM, reducing the friction that would otherwise arise from managing identities’ access to apps.
But what happens when an attacker adds their own IdP or HR system upstream from the IdP that is managing access to the apps? Trouble. That’s what happens.
Action Item
Monitor for changes in your IdP configurations, including attempts to add new input sources into your IdP itself.
-
Suddenly Account Takeover Attempts Stop
If someone keeps banging on your door trying to break in, you should be more worried than relieved when the clanging stops.
The sudden cessation of common account takeover attempts using methods like password spraying, brute forcing, and credential stuffing from a particular source likely indicates that the attacker found their way in. Otherwise, why would they stop?
Looking back at our blog from a few weeks ago, Authomize noticed a spike in the number of account takeover attempts in the days after folks returned to the office from the winter holidays. In a couple of cases, we found that the same IP addresses were attacking multiple organizations.
Thankfully, the attacks kept coming, meaning that they were likely unsuccessful.
Action Item
Monitor account takeover attempts and look for changes that may indicate one of them has found its way into your organization.
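The "attacks suddenly stop" signal can be checked mechanically by comparing each source's daily failed-login counts against the end of the observation window. This is an added example, not code from the original post or from Authomize; the login events, the observation end date and the two thresholds are constructed and assumed values.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed login events (not real telemetry): "date source_ip target_user result"
SAMPLE_LOGINS = """\
2023-01-02 198.51.100.7 alice fail
2023-01-02 198.51.100.7 bob fail
2023-01-03 198.51.100.7 carol fail
2023-01-03 198.51.100.7 dave fail
2023-01-04 198.51.100.7 erin fail
2023-01-04 198.51.100.7 bob fail
2023-01-04 198.51.100.7 bob success
2023-01-04 203.0.113.9 frank fail
2023-01-04 203.0.113.9 grace fail
2023-01-05 203.0.113.9 frank fail
2023-01-05 203.0.113.9 grace fail
2023-01-06 203.0.113.9 frank fail
2023-01-06 203.0.113.9 grace fail
"""
OBSERVATION_END = date(2023, 1, 6)  # assumed: last day the log covers
MIN_DAILY_FAILS = 2                 # assumed: failures per day that count as an attack day
MIN_ACTIVE_DAYS = 3                 # assumed: how long the campaign must have run
def silent_attackers(text, end=OBSERVATION_END, min_fails=MIN_DAILY_FAILS,
                     min_days=MIN_ACTIVE_DAYS):
    """Flag sources whose sustained failed-login campaign went quiet before `end`,
    and list the accounts they logged into successfully on or after their last active day."""
    fails, successes = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for line in filter(None, text.splitlines()):
        day_str, ip, user, result = line.split()
        day = date.fromisoformat(day_str)
        if result == "fail":
            fails[ip][day] += 1
        else:
            successes[ip].add((day, user))
    alerts = []
    for ip, per_day in fails.items():
        active = sorted(d for d, n in per_day.items() if n >= min_fails)
        if not active:
            continue
        streak, day = 1, active[-1]  # consecutive active days ending on the last one
        while day - timedelta(days=1) in active:
            streak += 1
            day -= timedelta(days=1)
        quiet_days = (end - active[-1]).days
        if streak >= min_days and quiet_days >= 1:
            taken = sorted({u for d, u in successes[ip] if d >= active[-1]})
            alerts.append({"source": ip, "attack_days": streak,
                           "quiet_days": quiet_days, "successes": taken})
    return sorted(alerts, key=lambda a: a["source"])
```

In the sample, 198.51.100.7 hammers accounts for three days, logs into bob, and then goes silent, so it is flagged with bob as the account to check; 203.0.113.9 is still attacking on the last day of the window, which mirrors the "thankfully, the attacks kept coming" case and produces no alert.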
Eliminate Risks and Mitigate Threats with Authomize’s Identity Threat Detection and Response Platform
Our goal should not be to prevent every single breach. Like we said at the top, breaches happen.
Instead we should strive to reduce risk by removing the opportunities like excessive privileges, privilege escalation paths, and stale accounts that can open the door for a hacker to carry out a successful attack.
Think of it like reducing the blast radius from an explosion. We accept some risk but limit it to the compromised identity, hopefully leaving the attacker with a minimal gain from their breach.
The next goal is to detect active threats, picking up on malicious actors attempting to manipulate our identity and access layer quickly so that we can respond effectively.
By continuously monitoring an organization’s identities, access privileges, assets, and access privilege usage, Authomize’s agentless Identity Threat Detection and Response (ITDR) Platform enables security teams to protect against identity-based attacks across cloud and IAM environments.
To learn more about how Authomize can uncover the hidden posture risks and active threats in your organization’s environments, request a Free Identity Security Assessment today.