
Zero Trust Network Access (ZTNA) replaces network-level based access and reduces excessive implicit trust for access to resources, primarily from remote locations, by employees, contractors, and other third parties.

In this breach, a user unknowingly uploaded a file containing sensitive information to Okta’s support management system. The adversary then leveraged the session cookies contained in the uploaded file to advance the breach. DLP-like technology can be effective in preventing users from unknowingly uploading files that contain sensitive data.
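The DLP-style control mentioned above, as an added example (not Okta's product or the original post's code): a pre-upload scanner that looks for the kind of credential material that ends up in captured HTTP traces (Cookie/Set-Cookie headers, bearer tokens, JWT-shaped strings), reports where it was found, and either blocks the upload or returns a redacted copy. The sample trace, header names and token values are constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of an HTTP trace a user might attach to a support ticket.
# Every value here is made up for this example; none is a real token.
SAMPLE_UPLOAD = (
    "GET /api/v1/users/me HTTP/1.1\n"
    "Host: idp.example.test\n"
    "Cookie: sid=102Abc7Q9example; JSESSIONID=A1B2C3D4E5F6\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl\n"
    "\n"
    "HTTP/1.1 200 OK\n"
    "Set-Cookie: sid=102Abc7Q9example; Path=/; HttpOnly; Secure\n"
)

# Each pattern has a "secret" group covering the material to redact.
# Order matters: more specific patterns first, so a bearer JWT is reported once.
PATTERNS = {
    "cookie_header": re.compile(
        r"^(?:Set-)?Cookie:[ \t]*(?P<secret>.+)$", re.MULTILINE | re.IGNORECASE
    ),
    "bearer_token": re.compile(
        r"Authorization:[ \t]*Bearer[ \t]+(?P<secret>\S+)", re.IGNORECASE
    ),
    # Three base64url segments, the first starting with a JSON header, is the shape of a JWT.
    "jwt": re.compile(r"(?P<secret>eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int   # 1-based line number in the scanned text
    start: int  # character offsets of the secret within the text
    end: int


def scan_for_secrets(text: str) -> list[Finding]:
    """Return non-overlapping locations of credential material, ordered by position."""
    findings: list[Finding] = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            start, end = m.span("secret")
            # Skip matches already covered by an earlier, more specific pattern.
            if any(f.start < end and start < f.end for f in findings):
                continue
            line = text.count("\n", 0, start) + 1
            findings.append(Finding(kind, line, start, end))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> str:
    """Return the text with every detected secret replaced; right-to-left keeps offsets valid."""
    out = text
    for f in reversed(scan_for_secrets(text)):
        out = out[: f.start] + "[REDACTED]" + out[f.end :]
    return out


def upload_allowed(text: str) -> bool:
    """Policy hook for the upload path: block when any credential material is present."""
    return not scan_for_secrets(text)


if __name__ == "__main__":
    for f in scan_for_secrets(SAMPLE_UPLOAD):
        print(f"line {f.line}: {f.kind}")
    print(redact(SAMPLE_UPLOAD))
```

The overlap check matters in practice: a bearer token is usually also a JWT, and reporting it twice (or redacting it twice) makes the control noisier than it needs to be. In a real deployment the redacted copy, not the original, is what reaches the support system.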

Using posture control, organizations can limit access to applications to managed devices only. If adversaries try to reach critical applications or servers from unmanaged devices, access is denied. It is imperative to make the handling of unmanaged device access a mandatory part of the ZTNA architecture.

The attack blast radius can be reduced by enforcing stringent segmentation policies. An administrator should define policies that combine user attributes and services to enforce who has access to what. It is also important to determine whether a universal access policy is needed that applies both when users are on premises and when they are off premises.
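The posture and segmentation rules from the two paragraphs above, as an added example of a default-deny policy engine (constructed for this post, not any vendor's ZTNA implementation): each policy binds a service to the user groups allowed to reach it, whether a managed device and a healthy endpoint agent are required, and whether the service is reachable off premises. Service names, group names, users and the policy set are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    managed: bool       # enrolled in the organization's MDM/EDR and reporting posture
    edr_running: bool   # endpoint agent healthy at the time of the request


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset[str]
    device: Device
    service: str        # application or segment being requested
    on_premises: bool   # location attribute supplied by the access broker


@dataclass(frozen=True)
class Policy:
    service: str
    allowed_groups: frozenset[str]
    require_managed: bool = True   # managed-device-only unless a policy opts out
    require_edr: bool = False
    on_prem_only: bool = False


# Constructed policy set: user attribute (group) x service, plus posture and location.
POLICIES = (
    Policy("support-console", frozenset({"support", "it-admin"}), require_edr=True),
    Policy("kb-readonly", frozenset({"support", "contractor"}), require_managed=False),
    Policy("db-admin", frozenset({"dba"}), require_edr=True, on_prem_only=True),
)


def evaluate(req: AccessRequest, policies=POLICIES) -> tuple[bool, str]:
    """Default-deny evaluation: the first policy for the requested service decides.

    The same policy applies on and off premises unless it says on_prem_only; that
    flag is where the "universal access policy" decision is made explicit.
    """
    for p in policies:
        if p.service != req.service:
            continue
        if not (req.groups & p.allowed_groups):
            return False, f"{req.user}: no allowed group for {req.service}"
        if p.require_managed and not req.device.managed:
            return False, f"{req.user}: unmanaged device may not reach {req.service}"
        if p.require_edr and not req.device.edr_running:
            return False, f"{req.user}: EDR not running, posture check failed for {req.service}"
        if p.on_prem_only and not req.on_premises:
            return False, f"{req.user}: {req.service} is restricted to on-premises access"
        return True, f"{req.user}: allowed to {req.service}"
    return False, f"{req.user}: no policy for {req.service}, default deny"


MANAGED = Device(managed=True, edr_running=True)
UNMANAGED = Device(managed=False, edr_running=False)

# Constructed requests covering each decision path.
SAMPLE_REQUESTS = {
    "support_remote_managed": AccessRequest("alice", frozenset({"support"}), MANAGED, "support-console", False),
    "support_remote_unmanaged": AccessRequest("alice", frozenset({"support"}), UNMANAGED, "support-console", False),
    "contractor_wrong_group": AccessRequest("carol", frozenset({"contractor"}), MANAGED, "support-console", False),
    "contractor_kb_unmanaged": AccessRequest("carol", frozenset({"contractor"}), UNMANAGED, "kb-readonly", False),
    "dba_remote": AccessRequest("dave", frozenset({"dba"}), MANAGED, "db-admin", False),
    "dba_onprem": AccessRequest("dave", frozenset({"dba"}), MANAGED, "db-admin", True),
    "no_policy": AccessRequest("alice", frozenset({"support"}), MANAGED, "legacy-app", True),
}


def decide_samples() -> dict[str, bool]:
    """Run every sample request and return name -> allowed."""
    return {name: evaluate(req)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        allowed, reason = evaluate(req)
        print(f"{name:26} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

Two design points carry the security value: a service with no policy is unreachable rather than open, and every denial returns a reason string so the access broker's log explains which control fired (group, posture, or location), which is what an incident responder needs when reconstructing an attempted access from an unmanaged device.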

In this recent Okta breach, there are no reports so far that suggest major incidents. But in most cyberattacks, threat actors are after the crown-jewel systems and data. Once attackers have established a network foothold, they move laterally, identifying the systems that are critical to the organization and using them to launch further attacks, including data theft. Defense-in-Depth (DiD) plays a very critical role in breaking the attack chain. The layered security approach provides a very strong defense against sophisticated attacks: if one layer fails to detect a threat actor’s advance along the attack chain, the next layer can still detect the attacker’s next move and break the chain to neutralize the attack.

Leveraging Deception and ITDR Using the Zero Trust Platform for Defense

While zero trust reduces your attack surface by making resources invisible to the internet and minimizes the blast radius by connecting users directly to applications, deception and ITDR are two additional tools in your arsenal that can help prevent, detect, and contain identity-driven attacks.

Deception

Adversaries rely on human error, policy gaps, and poor security hygiene to circumvent defenses and stay hidden as they escalate privileges and move laterally. No security team can be 100% certain that their defenses are foolproof all the time; this is what adversaries take advantage of.

Deception changes the dynamics by injecting uncertainty into your environment. After hijacking a session token or using credentials, the attacker will scan the environment to find accounts and keys, and attempt to access critical applications and sensitive data.

A simple deception strategy can help detect adversary presence before an attacker can establish persistence or exfiltrate data.

Kill Chain | Attack Technique | Deception Defense
--- | --- | ---
Initial Access | Uses stolen/purchased credentials to access internet-facing applications like IdPs, VPNs, RDP, and VDI. | Creates decoys of internet-facing applications like IdPs, VPNs, and Citrix servers that attackers are very likely to target.
Reconnaissance | Uses AD Explorer to enumerate users, computers, and groups. | Creates decoy users, user groups, and computers in your Active Directory.
Privilege Escalation | Exploits vulnerabilities in collaboration platforms like Confluence, JIRA, and GitLab to get credentials of a privileged account. | Creates decoys of internal apps like Confluence, JIRA, and GitLab that intercept the use of credentials to access this system.
Privilege Escalation | Uses Mimikatz to extract credentials from memory in Windows. These credentials are then used to access higher privileged accounts. | Plants decoy credentials in Windows memory.
Lateral Movement | Moves laterally to core business applications and cloud environments to gain access to the victim organization’s data. | Plants decoys of internal apps like code repositories, customer databases, business applications, and objects like S3 buckets and AWS keys in your cloud tenants.
Exfiltration | The adversary uses their access to download sensitive data and extort the victim. | Plants decoy files and other sensitive-seeming information on endpoints that detect any attempt to copy, modify, delete, or exfiltrate the files.

Using deception will not always stop an identity attack, but it will act as a last line of defense to detect a post-breach adversarial presence. This can help prevent a compromise from turning into a breach.
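The detection side of the table above, as an added example that is not part of the original post: the decoys only pay off when every touch of one raises an alert, so this code keeps an inventory of planted decoys (a cloud access key, Active Directory accounts, a file share path) and matches normalized audit records against it. The event records, decoy values and the two log sources modelled (CloudTrail-style and Windows Security-style, with the field names those logs use) are constructed for the example; the AWS key ID is the placeholder format AWS uses in its own documentation, not a live key.

```python
from __future__ import annotations

from dataclasses import dataclass

# Decoy inventory. Everything here is constructed for the example; nothing
# in it is a live credential, account or share.
DECOYS = {
    "aws_access_key": {"AKIAIOSFODNN7EXAMPLE"},
    "ad_account": {"svc-backup-decoy", "adm-legacy-decoy"},
    "file_path": {r"\\fs01\finance\payroll_2023.xlsx"},
}


@dataclass(frozen=True)
class Alert:
    decoy_type: str
    value: str
    actor: str
    event_id: str


def _candidates(event: dict):
    """Normalize one record from either log source into (actor, decoy_type, value) triples."""
    if event.get("source") == "cloudtrail":
        ident = event.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("arn", "unknown")
        yield actor, "aws_access_key", ident.get("accessKeyId")
    elif event.get("source") == "windows-security":
        if event.get("EventID") == 4624:      # logon: was a decoy account used, and from where?
            yield event.get("IpAddress", "unknown"), "ad_account", event.get("TargetUserName")
        elif event.get("EventID") == 4663:    # object access: was a decoy file touched?
            yield event.get("SubjectUserName", "unknown"), "file_path", event.get("ObjectName")


def match_decoys(events, decoys=DECOYS) -> list[Alert]:
    """Any use of a decoy is an alert: decoys have no legitimate consumers, so no baseline is needed."""
    alerts = []
    for ev in events:
        for actor, dtype, value in _candidates(ev):
            if value is not None and value in decoys.get(dtype, ()):
                alerts.append(Alert(dtype, value, actor, ev["id"]))
    return alerts


# Constructed sample events: three decoy touches mixed with ordinary activity.
SAMPLE_EVENTS = [
    {"id": "ct-1", "source": "cloudtrail", "eventName": "ListBuckets",
     "userIdentity": {"userName": "ci-deploy", "accessKeyId": "AKIA0000000000CIDEPL"}},
    {"id": "ct-2", "source": "cloudtrail", "eventName": "GetCallerIdentity",
     "userIdentity": {"userName": "svc-backup-decoy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"id": "win-1", "source": "windows-security", "EventID": 4624,
     "IpAddress": "10.20.30.40", "TargetUserName": "jdoe"},
    {"id": "win-2", "source": "windows-security", "EventID": 4624,
     "IpAddress": "10.20.30.40", "TargetUserName": "adm-legacy-decoy"},
    {"id": "win-3", "source": "windows-security", "EventID": 4663,
     "SubjectUserName": "jdoe", "ObjectName": r"\\fs01\finance\budget_fy24.xlsx"},
    {"id": "win-4", "source": "windows-security", "EventID": 4663,
     "SubjectUserName": "jdoe", "ObjectName": r"\\fs01\finance\payroll_2023.xlsx"},
]


if __name__ == "__main__":
    for a in match_decoys(SAMPLE_EVENTS):
        print(f"[{a.event_id}] {a.decoy_type} {a.value!r} used by {a.actor}")
```

The property that makes this a high-fidelity signal is in the inventory, not the matcher: because no legitimate workflow ever references a decoy, a single hit is enough to open an incident, and the actor field (the source address of the logon, the user who opened the file, the principal behind the API call) is the pivot for the investigation.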

ITDR

ITDR is an emerging security discipline that sits at the intersection of threat detection and identity and access management.

It is becoming a top security priority for CISOs due to the rise of identity attacks and ITDR’s ability to provide visibility into an organization’s identity posture, implement hygiene best practices, and detect identity-specific attacks.

Augment your zero trust implementation with ITDR to prevent and detect identity attacks using the following principles:

Identity Posture Management: Continuously assess identity stores like Active Directory, Azure AD, and Okta to get visibility into misconfigurations, excessive permissions, and Indicators of Exposure (IOEs) that could give attackers access to higher privileges and lateral movement paths.
Implement identity hygiene: Use posture management best practices to revoke permissions and configure default policies that minimize attack paths and privileges.
Threat Detection: Monitor endpoints for specific activities like DCSync, DCShadow, Kerberoasting, LDAP enumeration, and similar changes that correlate to malicious behavior.
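Two of the detections named in the Threat Detection principle, as an added example that is not part of the original post or any ITDR product: a DCSync check and a Kerberoasting check run over already-parsed Windows Security events. The DCSync rule keys on Event ID 4662 carrying one of the directory replication extended rights (the three control-access-right GUIDs listed in the code are the documented ones) from an account not on an allow-list of legitimate replicators; the Kerberoasting rule keys on Event ID 4769 requests for RC4-encrypted service tickets (TicketEncryptionType 0x17) to several distinct SPNs from one account inside a short window. The events, account names, SPNs, the allow-list and the threshold are constructed assumptions; DCShadow and LDAP enumeration from the same list are not covered here.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Extended rights a DCSync needs; a 4662 event lists them in its Properties field.
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
# Constructed allow-list: principals that legitimately replicate (DC machine accounts, a sync agent).
REPLICATION_ALLOWED = {"DC01$", "DC02$", "svc-aadconnect"}

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4, the offline-crackable ticket type


@dataclass(frozen=True)
class Alert:
    rule: str
    account: str
    detail: str


def detect_dcsync(events) -> list[Alert]:
    """4662 carrying a replication extended right from any account not allowed to replicate."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = {p.strip("{}").lower() for p in ev.get("Properties", [])}
        if rights & DS_REPLICATION_GUIDS and ev["SubjectUserName"] not in REPLICATION_ALLOWED:
            alerts.append(Alert("dcsync", ev["SubjectUserName"], f"replication right in {ev['id']}"))
    return alerts


def detect_kerberoasting(events, threshold=3, window=timedelta(minutes=5)) -> list[Alert]:
    """One account requesting RC4 service tickets for >= threshold distinct SPNs inside the window."""
    requests = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue  # TGT renewals and machine accounts are noise, not roastable SPNs
        requests[ev["TargetUserName"]].append((ev["time"], svc))
    alerts = []
    for account, reqs in requests.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window anchored at each request
            distinct = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                alerts.append(Alert("kerberoasting", account, f"{len(distinct)} RC4 SPNs within {window}"))
                break
    return alerts


def _t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2023-10-20T{hhmm}:00")


# Constructed events in a simplified, already-parsed form.
SAMPLE_EVENTS = [
    {"id": "e1", "EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"]},          # DC replicating: normal
    {"id": "e2", "EventID": 4662, "SubjectUserName": "jsmith",
     "Properties": ["{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},          # user account: DCSync
    {"id": "e3", "EventID": 4662, "SubjectUserName": "jsmith",
     "Properties": ["{bf967a86-0de6-11d0-a285-00aa003049e2}"]},          # unrelated object access
    {"id": "e4", "EventID": 4769, "TargetUserName": "mallory", "time": _t("10:00"),
     "TicketEncryptionType": "0x17", "ServiceName": "MSSQLSvc/sql01.corp.example:1433"},
    {"id": "e5", "EventID": 4769, "TargetUserName": "mallory", "time": _t("10:01"),
     "TicketEncryptionType": "0x17", "ServiceName": "HTTP/web01.corp.example"},
    {"id": "e6", "EventID": 4769, "TargetUserName": "mallory", "time": _t("10:02"),
     "TicketEncryptionType": "0x17", "ServiceName": "CIFS/fs01.corp.example"},
    {"id": "e7", "EventID": 4769, "TargetUserName": "alice", "time": _t("10:00"),
     "TicketEncryptionType": "0x12", "ServiceName": "HTTP/web01.corp.example"},
    {"id": "e8", "EventID": 4769, "TargetUserName": "alice", "time": _t("10:00"),
     "TicketEncryptionType": "0x12", "ServiceName": "CIFS/fs01.corp.example"},
    {"id": "e9", "EventID": 4769, "TargetUserName": "alice", "time": _t("10:01"),
     "TicketEncryptionType": "0x12", "ServiceName": "MSSQLSvc/sql01.corp.example:1433"},
    {"id": "e10", "EventID": 4769, "TargetUserName": "bob", "time": _t("10:03"),
     "TicketEncryptionType": "0x17", "ServiceName": "krbtgt"},
]


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS) + detect_kerberoasting(SAMPLE_EVENTS):
        print(f"{a.rule}: {a.account} ({a.detail})")
```

Both rules depend on the posture work in the first two principles: the DCSync allow-list is only trustworthy if the set of accounts holding replication rights is reviewed, and the Kerberoasting rule stays quiet on AES-only tickets, so removing RC4 from service accounts shrinks what there is to detect in the first place. Audit policy for 4662 must also be enabled on the domain controllers, or the DCSync rule has nothing to read.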