Trend
Identity
In the era of single-sign-on and cloud-based-everything, there’s no better way for an adversary to sneak into a corporate environment than by compromising identities.
If you spot nefarious activity coming from one of your employees’ accounts, rule out an identity compromise before pointing fingers. Their denials are likely more credible than Shaggy’s.
Humans remained the primary vulnerability that adversaries took advantage of when they targeted identities in 2023. This dynamic is not only true of the identity threats we detected but of the ones we researched and read about too. In this section, we will highlight trends we’ve observed in the identity threat landscape—both directly among our customers and across the industry more generally—offering actionable guidance that security teams can leverage to better protect their users and identities.
Note: Given the massive diversity of malicious or suspicious activity an adversary can undertake through a compromised identity, we’ve decided to scope the section narrowly on the process of compromising identities—from stealing credentials, to bypassing MFA, to logging in. For more information on what an adversary can do with a compromised identity, refer to the Cloud Accounts, Email Forwarding Rule, and Cloud API Abuse sections of this report.
Why do identities matter?
As organizations migrate to the cloud and rely on a growing array of software-as-a-service (SaaS) applications to manage and access sensitive information, identities are the ties that bind all these systems together. Adversaries have quickly learned that these systems house the information they want and that valid and authorized identities are the most expedient and reliable way into those systems. Identity and access management (IAM) technologies, single sign-on (SSO) solutions, and other similar tools have been a boon to the security and IT professionals tasked with managing and securing corporate identities. However, they also present an opportunity for adversaries to potentially gain access to numerous disparate systems by compromising a single, highly privileged identity.
How do adversaries compromise identities?
Adversaries can wield relatively unsophisticated and well-known techniques to wrest control of user identities and cause disproportionate harm to organizations. The increasing ubiquity of multi-factor authentication (MFA) has thankfully complicated the matter, but creative MFA bypass techniques are a major commonality among identity compromises. Adversaries are getting better at abusing the difficult-to-monitor mobile devices we frequently use for MFA in order to circumvent imperfect implementations.
Of course, an adversary must have working credentials before they’re able to circumvent MFA. Methods of obtaining credentials aren’t new. While Red Canary doesn’t necessarily have comprehensive visibility into all of the ways that adversaries might steal credentials, we know from inference, experience, and public reporting that credential stuffing or spraying, social engineering, and phishing are common techniques. Adversaries can also obtain credentials through leaked data, via previously compromised systems, by purchasing them on criminal forums, and from countless other sources.
Working credentials are often just the beginning for adversaries, who must overcome a gauntlet of additional security controls—most notably MFA—before they are able to compromise an identity.
What we saw and heard in 2023: Credential theft
Credential theft tradecraft is well-worn and discussed elsewhere in this and previous reports. No particular methods of credential theft stood out as new, novel, or emergent in 2023. Adversaries continue to steal credentials through familiar means, like:
- phishing
- malware
- data leaks
- brute-force attacks
- man-in-the-middle (MitM) attacks
- watering-hole attacks
- previously compromised systems
We’re opting not to spend a great deal of time in this section on credential theft in favor of new or emerging ways that adversaries get around MFA and the specific elements of the login process that we often rely on to differentiate legitimate login attempts from suspicious ones. For more information on how adversaries steal credentials, refer to the following sections from this and past Threat Detection Reports:
- T1003: OS Credential Dumping
- T1003.003: LSASS Memory
- Initial access tradecraft
- Stealers
- Mimikatz
- Impacket
What we saw and heard in 2023: MFA abuse
Red Canary doesn’t have reliable visibility into many varieties of MFA bypass attempts, particularly those that rely extensively on social engineering or take place on unmonitored or difficult-to-monitor mobile devices. However, we’ve performed extensive research into MFA abuse so that we can build detective and preventive controls to stop identity compromise attempts, we’ve received anecdotal reports from customers and partners about the MFA abuse they’ve experienced, and we pay close attention to industry reporting on the matter. The following sections highlight a few techniques that took center stage in 2023.
Exploiting help desk and technical support employees
Phishing help desk and technical support employees to trick them into registering new MFA devices was probably the most noteworthy identity attack trend—and maybe even overall security trend—of 2023. While Red Canary isn’t well-positioned to observe this directly, we know from incident work and external reporting that adversaries target help desk employees via phone-call-based phishing (“vishing”), pretending to be legitimate employees and requesting critical changes to identity controls like identity and access management (IAM) and MFA in order to take control of identities and gain access to victim infrastructure through SSO and other means. To accomplish their day-to-day tasks, help desk employees often require sensitive permissions like being able to perform password resets, modify IAM role assignments, and register and deregister MFA devices. The increasing prevalence of these attacks against the help desk behooves IT and security teams to place increased scrutiny on securing and properly permissioning help desk accounts, as adversaries are clearly keen on abusing them to reset the passwords and MFA registrations of high-value accounts.
The way it works is simple: Adversaries call the help desk, posing as an internal employee in order to trick them into unwittingly resetting the victim account’s MFA settings. Next, the adversary will register their own mobile device, thereby gaining unauthorized access to a corporate identity by fundamentally modifying the authentication sequence. Once they gain access, the adversary can perform reconnaissance to profile the environment for potential infrastructure targets or additional victims with elevated permission levels, such as those with administrative accounts. In some cases adversaries pivot into additional SaaS applications to steal data. In other cases they may move directly into cloud providers, spinning up virtual machines to mine cryptocurrency, accessing databases to steal or otherwise access sensitive information, or simply deleting systems to cause destruction or elicit a ransom.
This relatively unsophisticated phishing method has proven highly effective, emphasizing the need for enhanced user education and robust security measures to mitigate the risk posed by simple social engineering attacks. See the Take action section below for guidance on combating help desk and tech support social engineering.
SIM swapping
Mobile carriers are responsible for another glaring weakness in the identity security ecosystem, and one that corporate security teams can do precious little to mitigate. SIM card swapping has long been a major problem for consumers, particularly in the online banking and cryptocurrency space, where mobile devices play a critical role in backing up account access. However, there’s real concern here for enterprises as well, since SIM swapping can enable adversaries to commandeer mobile phone numbers, hurdling MFA protections and taking over accounts. As such, it’s important to include mobile carriers as an integral component of an enterprise’s comprehensive risk profile because a carrier’s failure to accurately verify their users’ identities can have an impact on enterprises with little or no connection to that carrier.
SIM swapping effectively enables adversaries to take advantage of MFA factors like SMS one-time passcode (OTP). They do this by social engineering mobile service providers into switching their victim’s registered phone number to a new SIM card controlled by the adversary, thus allowing them to receive calls and text messages sent to the victim, including MFA codes sent over SMS or phone calls. A successful SIM swap can be complex because it may require extensive upfront reconnaissance of the victim, although the FBI has reported this can be just as readily accomplished via bribery and insider threats.
SIM swapping a highly privileged user can potentially offer adversaries untold access to an enterprise environment, where they can then exfiltrate data, surveil the contents of communications, and more. See the Take action section below for guidance on combating SIM swapping.
Good old-fashioned phishing
Given the phenomena of oversharing on social media, the preponderance of data leaks over the last two decades, and the wide availability of legal data brokers, it’s never been easier to find someone’s contact information openly available on the internet. By extension, it’s trivial to simply contact a target via an email address, social media handle, or a mobile phone number and attempt to phish them directly for their credentials, MFA authentication codes, or both. Depending on the MFA factor the adversary needs to satisfy, they can adjust their communication strategies accordingly.
Less glamorous than help desk social engineering or SIM swapping, socially engineering users directly remains extremely effective. Victims commonly receive either a text message (smishing) or a phone call instructing them to relay an MFA code in response to a prompt initiated by the adversary. The adversary may ask the victim to enter a number-matching code, send the adversary a newly received SMS code, or have the victim simply accept an MFA push notification. If successful, adversaries are then able to move forward with their objectives, acting with the full rights and privileges of the compromised user identity.
Another clever phishing mechanism leverages legitimate business chat applications that are configured to allow non-employees to initiate chat sessions with employees. In this scenario, adversaries can masquerade as help desk or IT staff and attempt to phish the employee out of their credentials and/or MFA code by a variety of means. In this and a wide variety of other phishing schemes, the adversary attempts to entice their victim into entering their credentials and their MFA codes into a malicious phishing site that mimics a legitimate service. In this type of man-in-the-middle (MitM) attack, the adversary hopes that the victim will enter their credentials and respond to the corresponding MFA prompt, but instead of logging into the legitimate service, the adversary will siphon off the access token of that session and use it to log into an identity provider.
What we saw and heard in 2023: Suspicious and malicious logins
As we’ve noted previously, our visibility into credential theft and MFA bypassing is limited, and therefore much of the information above is based on anecdotal or third-party accounts. However, we do have deep visibility into the actual process of a user logging in, which we routinely leverage for detection and response. The overwhelming majority of suspicious login attempts fall into just four categories that will be familiar to nearly anyone who’s ever worked in a security operations center:
- login attempts from unfamiliar locations
- concurrent login attempts from disparate geographic locations
- logins from malicious IP spaces or those associated with suspicious hosting or VPN services
- logins occurring in tandem with high volumes of MFA requests
See the Take action section below for guidance on leveraging identity telemetry and alerts to prevent or detect suspicious login attempts.
Take action
In this section, we’ll offer guidance on how security teams can attempt to mitigate the MFA circumvention, credential abuse, and suspicious login activity described above.
Mitigating help desk schemes
As always, user education is important. Help desk employees need to understand that adversaries are targeting them to take control of identities that they can leverage to gain access to corporate systems. Rank-and-file employees also need to understand that the personal information they share online can and may be used against them in phishing and social engineering attacks, potentially even for the purpose of validating their identity over the phone with a help desk employee or mobile service carrier (more on this in a moment). Since adversary trends change from time to time, user education courses need to be reviewed and updated periodically to reflect the latest in adversary tradecraft. However, education can only go so far.
Corporate security and IT teams should consider implementing stringent policies to ensure that help desk employees are able to effectively verify that people are who they say they are. Further, organizations should take a risk-based approach to employee verification, organizing employees into sensitivity tiers and requiring increasingly stringent verification methods for employees with higher levels of access or power.
Organizations should consider using the following verification methods, the viability of which will vary widely from organization to organization. Note that not all of these methods are equally secure, but some are better than none. You may also consider a point-based system where an employee must be able to satisfy numerous verification methods to validate their identity.
- Require that help desk interactions take place over video and ensure that help desk employees have access to a visual directory of the company.
- Ask the employee to provide personally identifiable information (PII), including information that may be hard to obtain openly on the internet, like employee identification numbers or even social security numbers.
- Require that employees and the help desk have access to a shared secret (like a security question).
- Require employees to provide information about IT equipment they possess that’s trivial for them to obtain but difficult for an adversary, such as a laptop serial number.
- Ask behavior-based questions about applications the user uses, such as when was the last time they logged in, where do they typically log in from, etc.
- Consider attempting to verify the user via a third party, like contacting their supervisor to validate the change request.
- Two-factor authentication (2FA) can help here as well, and you can consider sending a verification code to the registered mobile device of the user attempting to validate their identity.
Mitigating SIM card swaps
SIM card swap mitigation strategies are challenging because there are only a few circumstances where an organization has any control over a mobile service provider, so we’ll start with those.
- Organizations can eschew phones altogether and rely only on hard-token-based MFA.
- Organizations can implement only non-SMS and non-phone-call-based MFA.
- Organizations can issue phones to their employees, particularly high-value employees, and ensure that the devices have enhanced protections turned on and that their mobile carrier enforces stringent verification policies in all customer support interactions.
User education is another pillar of SIM swap prevention. Organizations should educate their employees about:
- the risk of oversharing information on the open internet, including something as seemingly innocuous as their phone number
- device-level protections available to mitigate SIM swapping
- carrier-level protections available to mitigate SIM swapping
Ultimately, the best protection against SIM swapping will come in the form of government policy or technological advancement. While technology advances are impossible to forecast, the Federal Communications Commission (FCC) is in the process of adopting rules that would force mobile carriers to better protect consumers from SIM swap fraud. It remains to be seen whether these rules will be effective in practice, but it’s a step in the right direction nonetheless.
The FCC order focuses on the following:
- more stringent customer authentication requirements
- processes for carriers to respond to failed authentication attempts
- customer notification requirements for SIM change requests
- the option for customers to freeze or lock SIM changes altogether
- mechanisms for tracking the efficacy of anti-SIM swap security controls
- additional safeguards on employee access to subscriber data
Mitigating traditional phishing
Organizations can protect themselves from the simplest of phishing schemes simply by implementing MFA, but MFA is only a starting point and clearly not a silver bullet. Balancing user-friendly access with secure connectivity is always challenging, and leaning too much towards convenience can pose significant risks. Almost every MFA factor has some sort of weakness and a bypass technique associated with it. Simply being mindful of these vulnerabilities is important when determining which MFA implementation to choose. While responding to an incident, being aware of these types of bypasses may expand your investigation into areas and log sources that may not initially be part of your breach response playbooks.
Mitigating suspicious or malicious login attempts
The good and bad news for suspicious login attempts is that most identity providers or IAM services have built-in alerting for geographic or IP-based anomalies, but these alerts are often prone to generating high volumes of false positives. The reasons for this vary, but often relate to the reality of a distributed, mobile workforce that routinely logs in from different locations and IP spaces.
There’s no simple way to increase the fidelity of these types of alerts, but they tend to be more effective when correlated with custom detection analytics or other enrichment data, such as:
- IP or VPN proxy reputations
- failed login attempts or conditional access blocks occurring around the same time
- creation of new or suspicious email rules
- detections on hosts associated with the identity in question
- device information (e.g., the user is logging in from a previously unregistered device)
We covered MFA Request Generation in depth last year, and you can find detailed detection guidance in that analysis. Simply put, you can detect MFA exhaustion schemes by alerting on successful login attempts that correspond with high volumes of MFA prompt requests.
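To make the four suspicious-login categories above and the MFA exhaustion guidance concrete, here is an added Python example (not Red Canary's code or any identity provider's API) that runs impossible-travel, MFA-exhaustion and IP-reputation rules over constructed sign-in events and correlates the hits per user. The event schema, the 900 km/h and five-prompts-in-ten-minutes thresholds, and the reputation list are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in telemetry (hypothetical): "login" rows carry a result, "mfa_prompt" rows are challenges.
EVENTS = [
    {"ts": datetime(2023, 6, 1, 9, 0), "user": "alice", "type": "login", "result": "success", "ip": "198.51.100.10", "lat": 39.74, "lon": -104.99},
    {"ts": datetime(2023, 6, 1, 9, 20), "user": "alice", "type": "login", "result": "success", "ip": "203.0.113.77", "lat": -33.87, "lon": 151.21},
    {"ts": datetime(2023, 6, 1, 10, 7), "user": "bob", "type": "login", "result": "success", "ip": "203.0.113.77", "lat": -33.87, "lon": 151.21},
    {"ts": datetime(2023, 6, 1, 11, 0), "user": "carol", "type": "login", "result": "success", "ip": "192.0.2.9", "lat": 51.51, "lon": -0.13},
    {"ts": datetime(2023, 6, 1, 12, 0), "user": "dave", "type": "login", "result": "success", "ip": "198.51.100.30", "lat": 39.74, "lon": -104.99},
]
# Six denied MFA push prompts against bob in the minutes before his successful login above (constructed).
EVENTS += [{"ts": datetime(2023, 6, 1, 10, m), "user": "bob", "type": "mfa_prompt", "result": "denied", "ip": "203.0.113.77", "lat": -33.87, "lon": 151.21} for m in range(6)]
SUSPICIOUS_IPS = frozenset({"192.0.2.9"})  # stand-in for a proxy/VPN or threat-intel reputation feed


def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance in kilometres between two geo-IP coordinates.
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    # Consecutive successful logins by one user whose implied speed exceeds max_kmh (airliner pace).
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "login" and e["result"] == "success":
            by_user[e["user"]].append(e)
    hits = set()
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            if km > 100 and km / max(hours, 1e-6) > max_kmh:  # >100 km filters geo-IP jitter
                hits.add(user)
    return hits


def mfa_exhaustion(events, window=timedelta(minutes=10), min_prompts=5):
    # A successful login preceded by min_prompts or more MFA prompts for the same user inside the window.
    hits = set()
    for e in events:
        if e["type"] == "login" and e["result"] == "success":
            prompts = [p for p in events if p["type"] == "mfa_prompt" and p["user"] == e["user"]
                       and timedelta(0) <= e["ts"] - p["ts"] <= window]
            if len(prompts) >= min_prompts:
                hits.add(e["user"])
    return hits


def bad_reputation(events, suspicious_ips=SUSPICIOUS_IPS):
    # Successful logins sourced from IP space on the reputation list (enrichment, weak on its own).
    return {e["user"] for e in events if e["type"] == "login" and e["result"] == "success" and e["ip"] in suspicious_ips}


def run_detections(events):
    # Correlate: each flagged user maps to every rule that fired, so stacked weak signals stand out.
    findings = defaultdict(set)
    for rule in (impossible_travel, mfa_exhaustion, bad_reputation):
        for user in rule(events):
            findings[user].add(rule.__name__)
    return dict(findings)
```

In a real pipeline the enrichment fields (geo coordinates, reputation) would come from the identity provider's sign-in logs and your intel feeds rather than being embedded in the events.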
Testing
Start testing your defenses against identity threats using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.
Getting started
Atomic Red Team has a variety of tests that security teams can run to validate and improve their defense controls for detecting and preventing identity abuse. The following five are a great starting point. Run them and then examine whether or not you managed to detect, prevent, or observe the suspicious activity.
- Password Spraying Azure/O365 accounts
- Password Spray Azure/O365 account with a single password
- AWS account password spraying
- AzureAD Application Hijacking – Service Principal
- AzureAD Application Hijacking – App Registration
Review and repeat
Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:
- Were any of your actions detected?
- Were any of your actions blocked or prevented?
- Were your actions visible in logs or other defensive telemetry?
Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.