Identity is the new currency, and digital adversaries are chasing wealth. According to Verizon's "Data Breach Investigations Report," 61% of data breaches can be traced back to compromised credentials. Why? Breaking into systems with legitimate user credentials often enables attackers to move undetected across a network for intelligence gathering, data theft, extortion, and more.
Access control is foundational to defending systems, but like any tool, it has its limits. Motivated attackers try to find ways around the edges of access control systems to gain access to accounts. Many companies have invested in anti-fraud technologies to detect and mitigate these types of attacks against high-value targets, such as login and payment flows.
However, fraudsters' tactics can work equally as well in areas beyond login and payment flows. Therefore, we see persistent attackers who now target "identity construction" systems like provisioning, device enrollment, password reset, and other account management systems.
Because these identity provider systems establish the basis for all access control, they are now attracting dedicated attention from cybercriminals. For example, LockBit, Avaddon, DarkSide, Conti, and BlackByte ransomware groups are all utilizing initial access brokers (IABs) to purchase access to vulnerable organizations on Dark Web forums. IABs have grown in popularity within the last couple of years and are significantly lowering the barriers to entering the world of cybercrime.
An Uptick in Identity-Related Attacks
Recent attacks and extortion attempts on major third-party software like Okta and Microsoft are clear examples of the damage that can be done when compromised credentials are used to carry out account takeover (ATO) attacks. The Lapsus$ ransomware group conducted all of their ATO activity using stolen credentials that were obtained using unconventional and sophisticated means. Recent news suggests that the group continues buying compromised account credentials until it finds one with source code access.
While all online accounts are vulnerable to ATO fraud, bad actors tend to target accounts they consider highly valuable, like bank accounts and retail accounts with stored payment information. Bad actors typically will use automated tools such as botnets and machine learning (ML) to engage in massive and ongoing attacks against consumer-facing websites. With automated tools, they commit ATO fraud using techniques such as credential stuffing and brute-force attacks, as shown by Lapsus$.
However, fraudsters don’t always use automated tools for ATO fraud. They can gain access through phishing, call-center scams, man-in-the-middle (MITM) attacks, and Dark Web marketplaces. Some have even been known to employ human labor ("click farms") to manually enter login credentials so that the attacks go undetected by tools that look for automated login attempts. Nevertheless, ATO is now the weapon of choice for many fraudsters, perhaps accelerated by the pandemic, with attempted ATO fraud rising 282% between 2019 and 2020.
Identity-based fraud can be extremely difficult to detect considering the advanced tactics and randomness of different crime groups. Most of the breaches we hear about in the news are a result of businesses relying on automated access control tools rather than tracking user accounts to detect unusual behavior quickly.
Access Control Layers Are Not Enough
Historically, access control implements authentication and authorization services to verify identity. Authentication focuses on who a user is. Authorization focuses on what they should be allowed to do.
These types of access control layers are a good first defense against identity-based fraud, but as made evident in recent attacks like Okta and Microsoft, fraudsters can bypass these tools fairly easily. There must be a second line of defense in the form of a detection system that learns and adapts. Therefore, companies should consider going beyond who a user is and what they are allowed to do, and ensure your identity system monitors and learns from what the user is actually doing.
The Need for a More Dynamic System
Many of the techniques that cybercriminals use lie at the intersection of security and usability. Simply looking at either security or usability misses the point. If we look only at how the security protocol should work, we miss the point of how users will realistically use it. And if we only think about how to make it easy to use, we miss how to keep the bad people out. The protection layer from access control establishes the "allowed/not allowed" decision, but it should be backstopped by another layer of detection that observes and learns based on how the system is used and attempts at misuse. This second layer's job includes identifying the tactics used to takeover accounts through brute force, redirection, tampering, and other means.
As mentioned above, authentication is a static set of something you know, something you are, and something you have. But in a war against attackers that are dynamic, a static "shield" doesn’t do much for the sake of defense. To address this gap, a robust learning system is required to identify and block dynamically changing attacker tactics.
Companies are investing in identity graph technologies for many authentication and high-value flows. Identity graphs are a real-time prevention technique that collects data on more than a billion identities, including personas and behavior patterns, so that security teams can quickly identify unusual behavior from user accounts. [Note: The author's company is one of a number using identity graph technology.] With this type of real-time, data-driven approach, teams can identify behavior and activities generated from automated tools like bots and ML algorithms and can detect unusual behavior before it causes any damage, such as theft or fraudulent purchases.
To succeed against dynamic cybercriminals, organizations must go multiple steps further and build a learning system that evolves over time to keep up with attacker tactics. Identity graph technologies can help organizations recognize attacker tactics across the whole identity life cycle, including provisioning and account maintenance. These techniques can ebb and flow with the sophisticated threat landscape we're witnessing today.