Introduction
The Zscaler ThreatLabz team is seeing an increase in attacks that abuse IP-based authentication and target global organizations. Attackers are actively exploiting the limitations and weaknesses of IP-based authentication methods, posing a significant challenge for organizations. Successful attacks can lead to unauthorized system access, data breaches, and the potential compromise of critical assets.

In this advisory, we share information about risk exposure and best practices for organizations to defend against these attacks.
Key Takeaways

- Zscaler ThreatLabz has observed an increase in source IP-based authentication abuse leveraging system compromise, identity compromise, and shadow IT environments, to name a few examples.
- Employing a Zero Trust architecture, along with other security best practices, in managing your identities and multi-factor authentication (MFA) configuration is paramount to establishing a robust security posture and effectively mitigating the risks associated with unauthorized access and data breaches.
- Further mitigate IP-based authentication vulnerabilities by implementing an identity provider (IdP) with FIDO2-based MFA and reinforcing user account reset processes.
Background

Organizations employ various methods to restrict access to sensitive data and systems. Source IP-based authentication is a commonly used method that provides a straightforward and quick way to control access. However, if IP-based authentication is one of the primary authentication mechanisms, it also introduces additional risk factors. IP-based authentication can:
- Be difficult to scale as the organization grows in size and complexity.
- Prevent the implementation of granular access controls.
- Reduce the sophistication and level of effort that threat actors must leverage to access organizational assets.
- Introduce challenges in auditing access and activity.
Examples Of IP-Based Authentication Abuse

Threat actors use many methods to bypass source IP-based authentication. The following examples describe recently observed common attack vectors:
- System compromise: Compromising local system credentials or installing malware gives an attacker a foothold on a system that may already be allowlisted for multiple sensitive systems.
- Wi-Fi networks: By relying on source IP-based authentication, organizations are at a higher risk of unauthorized access due to vulnerabilities or misconfigurations in wireless networks.
- Identity compromise: Identity compromise can occur when threat actors use social engineering to manipulate help desk personnel, posing as legitimate users. Through this deception, they aim to gain initial access. Once inside, a threat actor can exploit the limitations of IP-based authentication, allowing them to move laterally within the environment.
- Physical access: When a threat actor gains physical access to an office or data center, they are free to access sensitive systems because they now have an authorized IP address.
- Misconfiguration: Source IP-based authentication relies on accurate network definitions, and it is easy to introduce risk by exposing sensitive systems to uncontrolled IP spaces.
- Shadow IT: Unmanaged shadow IT environments are common and introduce additional risk because IP-based authentication might not discern between managed and unmanaged environments.
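The misconfiguration, Wi-Fi and shadow IT vectors above all come down to an allowlist that no longer matches the organization's real network definitions. The following is an added example, not code from the advisory or from Zscaler: a small audit of an allowlist against constructed sample definitions of managed networks (corporate LAN, VPN pool) and uncontrolled networks (guest Wi-Fi carved out of the LAN, an unmanaged contractor lab), flagging entries that are too broad, public, overlapping uncontrolled space, or outside any managed range. All network ranges and names are assumptions for the example.

```python
import ipaddress

# Constructed sample data (assumptions for this example, not from the advisory):
# networks the organization actually manages, networks it knows are uncontrolled
# (guest Wi-Fi, an unmanaged lab), and the allowlist of a sensitive system.
MANAGED_NETWORKS = {
    "hq-lan": ipaddress.ip_network("10.10.0.0/16"),
    "vpn-pool": ipaddress.ip_network("10.20.0.0/22"),
}
UNCONTROLLED_NETWORKS = {
    "guest-wifi": ipaddress.ip_network("10.10.200.0/24"),      # carved out of hq-lan
    "contractor-lab": ipaddress.ip_network("192.168.50.0/24"),  # shadow IT segment
}
MAX_ADDRESSES = 2 ** 16  # entries wider than a /16 are treated as too broad


def audit_allowlist(entries):
    """Return (entry, finding) pairs for each allowlist entry that weakens
    source IP-based access control. Entries with no findings are omitted."""
    findings = []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw, strict=False)  # bare host -> /32 or /128
        except ValueError:
            findings.append((raw, "unparseable entry"))
            continue
        if net.num_addresses > MAX_ADDRESSES:
            findings.append((raw, "prefix too broad"))
        if not net.is_private:
            findings.append((raw, "public address space"))
        # An allowlisted range that includes guest Wi-Fi or shadow IT space
        # grants those hosts the same "authorized" source IP as managed ones.
        for name, bad in UNCONTROLLED_NETWORKS.items():
            if net.version == bad.version and net.overlaps(bad):
                findings.append((raw, f"overlaps uncontrolled network {name}"))
        managed = (m for m in MANAGED_NETWORKS.values() if m.version == net.version)
        if not any(net.subnet_of(m) for m in managed):
            findings.append((raw, "not inside any managed network"))
    return findings


if __name__ == "__main__":
    sample = ["10.10.5.0/24", "10.10.0.0/16", "0.0.0.0/0",
              "192.168.50.10", "10.10.0.0/33"]  # constructed allowlist
    for entry, finding in audit_allowlist(sample):
        print(f"{entry:16} {finding}")
```

Even an entry that passes every check only says where a packet came from; it says nothing about who or what is behind it, which is why the advisory treats IP filtering as an additional layer rather than authentication.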
Best Practices To Safeguard Against These Attacks

Although source IP filtering can serve as an additional layer of security, it should NOT be relied upon for authentication. By implementing the following measures and best practices, organizations can safeguard their sensitive systems and data, as well as verify and strengthen the effectiveness of their existing controls.
1. Move all crown-jewel applications behind Zero Trust solutions

Move all crown-jewel applications behind Zero Trust solutions such as Zscaler Private Access™ (ZPA™), and prioritize user-app segmentation for sensitive applications to proactively defend against these attacks. Zero Trust solutions can help you:
- Deploy role-based access controls, providing granular access based on the user's role to prevent access to unnecessary systems and limit risk.
- Enforce posture control to ensure that only approved systems with a full endpoint security stack can communicate with sensitive applications.
- Establish strong Data Loss Prevention (DLP) policies to control access and prevent exfiltration of sensitive information.
The key principles of a Zero Trust architecture ensure that you never trust and always verify. Organizations that implement a Zero Trust solution like Zscaler are able to:
- Minimize the attack surface by making internal apps invisible to the internet.
- Prevent compromise by using cloud-native proxy architecture to inspect all traffic inline and at scale, enforcing consistent security policies.
- Stop lateral movement by connecting authorized users to applications rather than connecting networks to applications, which reduces the attack surface through strong posture checks and workload segmentation.
- Stop data loss by inspecting all internet-bound traffic, including encrypted channels, to prevent data theft.
- Identify threats by leveraging deception technologies to stop attacks before an attacker's objectives are accomplished.
2. Use an IdP with FIDO2-based MFA

Using an IdP with FIDO2-based MFA for authentication offers numerous advantages over relying solely on local accounts. IdPs provide centralized control and management of your administrator identities, which streamlines the authentication process and ensures consistency across applications and services. An IdP also:
- Simplifies user access management, which saves time and reduces mistakes.
- Enables the implementation of single sign-on (SSO), allowing users to authenticate once and access applications securely, thus enhancing the user experience and eliminating the risk of weak or reused passwords.
- Offers additional security features such as MFA and adaptive authentication, which provide additional defenses against unauthorized access.
3. Strengthen processes around user account resets

Strengthen processes around user account resets by training help desk personnel to perform strong user identity validation. You can:

- Leverage corporate directory contact information to perform callbacks that verify user identities before resetting access.
- Require managers to personally validate identities when standard validation techniques are not possible.
Conclusion

The Zscaler ThreatLabz and Product Security teams continuously monitor threat trends and share their findings with customers and the wider community. If you have any questions, please reach out using the official support channel.