Adaptive authentication during an attack

Stephen Cox
March 25, 2019


SecureAuth on Adaptive Authentication

Part 1: The benefits of adaptive authentication: The KuppingerCole Leadership Compass Report
Part 2: Evaluating adaptive authentication for your organization
Part 3: Adaptive authentication during an attack
Part 4: Best practices for adaptive authentication


This is Part 3 in a series of four posts on adaptive authentication and the KuppingerCole Leadership Compass Report. 

Today we’re continuing our series on the KuppingerCole Leadership Compass for Adaptive Authentication 2018 report. So far we’ve talked about the benefits of adaptive authentication and how to best evaluate solutions. In this post, our focus is how an adaptive authentication engine works during an actual attack.

If you’re an experienced security practitioner, you know that even the best preventive measures can’t stop every attack. Criminals are tenacious, and some of them will eventually penetrate your organization. Are perimeter protections still valuable? Absolutely. But stopping an attack already in progress also involves proactive monitoring, incident response, forensic analysis and remediation. Only then can you stop attackers before they do serious harm.

DNA of a typical authentication attack

Consider a typical attack where the bad actor is using phishing, for example against Office 365. The carefully crafted phishing message uses social engineering to trick users into giving up credentials or downloading malware onto their computers. These attacks only need to succeed once. Once the attacker has gained a foothold, their first step is to expand their freedom to move around inside your network. A common objective is to obtain additional valid credentials; they may even surreptitiously enroll in your two-factor authentication (2FA) system with accounts or devices they can access.

At this point, the attacker has bought themselves time to locate and steal their target information, whether it’s employee social security numbers, intellectual property, payment card data, or something else. Mandiant’s 2018 threat report says bad actors stay in your systems for an average of 101 days. This shows that additional security measures are needed to detect intrusions and stop attackers’ progress.

It’s also where adaptive authentication comes into play, by helping you to distinguish between legitimate and fraudulent users.

Stopping an authentication attack in progress

Once an attacker has acquired valid credentials to log in and out of your system, often using a VPN, they may seem to have the keys to the kingdom. However, multi-factor authentication (MFA) can thwart an attack against your IAM system in several ways. Hardware tokens or biometrics such as a fingerprint are almost impossible for attackers to provide, restricting their access. Adaptive authentication helps you determine whether extra authentication steps are needed and whether the user can proceed. As we’ve discussed in the 6 ways cyber attackers defeat 2FA article, these techniques can analyze risk based on:

  • Location. If the user is based in Russia or China, where your company has no employees, why are they using employee credentials to log in?
  • IP address. An adaptive authentication engine can detect an anonymous proxy like a Tor exit node, and compare the user’s IP address against a white list of trusted addresses or a black list of suspicious or malicious addresses.
  • Account type. Different account types will have different levels of access, privileges and duties. You can assign different policies to sensitive accounts, and alert on violations to watch for atypical behavior.
  • Device characteristics. If a user logs in from a new device or server, adaptive authentication can read and compare those device attributes, and potentially step up authentication requirements.
  • Behaviors. Attackers can reveal malicious behavior in a number of ways: they use valid credentials to log in from the other side of the world after the real user logged in just hours earlier, or they suddenly access the network during strange hours.

By creating risk profiles that connect to authentication policies, you can automate actions for specific behaviors and findings. Those actions could include requiring a password reset, the completion of an MFA step, or denying access entirely.
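The sketch below is an added example, not SecureAuth's engine or code from the original post: it maps the five signals listed above to the three actions named here (password reset, MFA step, deny). All field names, thresholds, country codes and network ranges are constructed assumptions, and the IP ranges are documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed policy data (documentation IP ranges, hypothetical thresholds).
DENY_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # e.g. anonymizing proxies
ALLOW_NETS = [ipaddress.ip_network("192.0.2.0/24")]    # e.g. corporate egress
EMPLOYEE_COUNTRIES = {"US", "DE"}
MAX_KMH = 900               # faster than an airliner means impossible travel
WORK_HOURS = range(6, 22)   # timestamps are assumed to be UTC

@dataclass
class Login:
    account_type: str       # "standard" or "privileged"
    ip: str
    country: str
    device_id: str
    when: datetime
    pos: tuple              # (latitude, longitude) from IP geolocation

def km_between(a, b):  # haversine great-circle distance in km
    (lat1, lon1), (lat2, lon2) = a.pos, b.pos
    h = sin(radians(lat2 - lat1) / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def decide(login, previous, known_devices):
    """Return (action, reasons); action is allow, mfa, password_reset or deny."""
    ip = ipaddress.ip_address(login.ip)
    if any(ip in net for net in DENY_NETS):
        return "deny", ["ip on deny list"]
    reasons = []
    if login.country not in EMPLOYEE_COUNTRIES:
        reasons.append("country with no employees")
    if login.device_id not in known_devices:
        reasons.append("new device")
    if login.when.hour not in WORK_HOURS:
        reasons.append("unusual hour")
    if previous is not None:
        hours = max((login.when - previous.when).total_seconds() / 3600, 1 / 60)
        if km_between(previous, login) / hours > MAX_KMH:
            reasons.append("impossible travel")
    if login.account_type == "privileged" and reasons:
        return "deny", reasons            # stricter policy for sensitive accounts
    if "impossible travel" in reasons:
        return "password_reset", reasons  # valid credentials are likely stolen
    if reasons or not any(ip in net for net in ALLOW_NETS):
        return "mfa", reasons or ["ip not on allow list"]
    return "allow", []
```

Returning the reasons alongside the action gives the alerting and incident-response side something to log for each stepped-up or denied login.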

Automation of authentication workflows

In a world where skilled attackers access networks every day, adaptive authentication can be profoundly useful. Automation reduces human error, provides a smoother experience for legitimate users and can stop attackers without waiting for intervention. Through sophisticated analysis and intelligent authentication decisions, adaptive authentication is your best bet to halt even the most cunning malicious actors.

Watch KuppingerCole webinar on identity-related breaches

If you want more details on how adaptive authentication can strengthen your security, consider watching a replay of a webinar with John Tolbert of KuppingerCole titled Mitigate Identity-Related Breaches in the Era of Digital Transformation.
