Executive Overview

Attacks and breaches are in the news every day. We collectively spent ~$90B on security worldwide, but only about $7B on identity security. The rest was spent on Network and Endpoint security, yet breaches continue at an alarming rate. In fact, the Identity Theft Resource Center revealed that the number of breaches rose ~40% in 2018. The real question is, how can your organization keep from becoming tomorrow’s news headline?

This white paper can help. We’ll explore the anatomy of an attack — how attackers gain a foothold and move laterally inside your organization to achieve their goal of stealing valuable information. Then we’ll see why government and military organizations accept that preventive measures inevitably fail, and choose to focus instead on limiting attackers’ ability to do damage and responding quickly to incidents when they occur.

Read this paper to understand
  • How attackers compromise organizations
  • How you can more quickly detect attackers
  • How you can increase security without disrupting users (Go beyond 2FA).

INTRODUCTION

How Attackers Compromise Organizations

With No Password, There Are No Password Resets

If we take a typical 5,000-user organization and assume one helpdesk call per user per month (12 calls a year per user), that means 60,000 helpdesk calls a year. Let’s assume 30% of those are for password resets, which means we have 18,000 password reset calls a year. Let’s also assume each call costs the organization $35 (we’ve seen anywhere from $20 to $70). That gives an annual cost for password resets of $630,000.

Once the malware is deployed and the attackers have established an initial foothold, they often try to obtain legitimate credentials (often with a privileged level of access) or create new credentials, so that they can move laterally and perform reconnaissance within the organization. They may even go as far as enrolling in the organization’s 2FA program.

Figure 1: Once attackers penetrate an organization and establish a foothold, they often remain present for months until they find the data they’re looking for.

Attackers often remain present in the target organization for long periods of time — a median of 101 days, according to Mandiant’s 2018 threat report. During this time, they move laterally to conduct reconnaissance and gain high levels of access. At this point, it’s likely that the attacker is no longer using malware; rather, a human actor is using the legitimate credentials that have been obtained or created and blending in with the legitimate activity in the environment.

Once the attackers have found what they’re looking for, they will complete their mission by staging the data they’re after — anything from intellectual property to financial data — and complete the process of stealing what they’ve found (sometimes called “exfiltration” or simply “exfil”). If attackers can gain legitimate credentials and register in a 2FA program, how can we ever identify and stop this unauthorized access?

“the average organization takes 101 days to identify a breach.”

Uncovering Attacks & Responding Appropriately

Most Organizations Take Too Long to Learn of Breaches

An organization that has sufficient resources, mature security practices, and appropriate security products might be able to detect forensic artifacts that indicate an attacker is inside their environment. These artifacts could include evidence that malware has been used, evidence of lateral movement, or the discovery of staged data that is either ready to be moved externally or already in the process of being stolen.

But the average organization takes 101 days to identify a breach, and while that is a big improvement over some previous years, three plus months is plenty of time for an attacker to steal data, funds, or whatever is their mission.

Incident Response and Remediation are Complex Tasks

When an organization learns, one way or another, that it has been breached, the next step is to conduct incident response. Starting with forensic analysis of the endpoints and servers initially known to be compromised, the incident responders attempt to determine the reach of the attack. They need to investigate to the point where they can no longer find further evidence of lateral movement.

Legal steps depend on the type of organization that was penetrated, the nature of the attack, and the profile of the attacker. For instance, there are rarely legal repercussions in the case of attacks conducted by nation states or cyber-criminal gangs operating offshore. While some international efforts have been successful at achieving penalties, we do not really see, for example, a company in the defense industrial base issuing charges against a nation state for launching an attack and stealing their intellectual property.

Once that investigatory boundary has been established, the next step is remediation. Remediation typically involves:
  • Shutting down all external internet access to the organization (yes, all of it)
  • Re-imaging compromised endpoints and servers
  • Resetting all passwords
  • Removing all user accounts and access compromised or created by the attackers

“Being prepared to perform thorough incident response and remediation when breached is the only surefire way of being secure.”

Preventive Measures are Necessary but Not Sufficient

Many technologies and approaches have been developed to help secure the perimeter of the organization. Among other things, organizations try to detect the presence of malware on the network (by spotting its command-and-control communication), and the presence and execution of malware on endpoints and servers. But attackers are both clever and highly motivated by the potential rewards, so it’s inevitable that they will overcome any preventative method, sooner or later.

In fact, many U.S. military and government organizations have already adopted the position that preventative security will always fail, and the only way to truly be secure is to constantly look for evidence of a breach and then respond appropriately with incident response and remediation. For example, Reuters reports that the former director of the U.S. National Security Agency (NSA) Information Assurance Directorate, Debora Plunkett, told a cyber security forum, “We have to build our systems on the assumption that adversaries will get in.” The UK and other European intelligence agencies have a similar mindset.

This advanced perspective has not yet been broadly accepted, but it should be. Being prepared to perform thorough incident response and remediation when breached is the only surefire way of being secure. But exactly how can your organization tighten the net around attackers?

The Benefits and Limitations of Multi-Factor Authentication

Where Multi-Factor Authentication Can Help
As noted above, one common recommendation during an incident response is to implement multi-factor authentication to protect critical data and infrastructure. Attackers often use legitimate credentials to log back in via VPN to an organization that they’ve compromised (again, blending in with the legitimate, day-to-day network activity). By requiring “something you have” (such as a security token or a biometric identifier like a fingerprint) as well as “something you know” (a password), multi-factor authentication limits the usefulness of any credentials that attackers may have acquired or created, thereby restricting their ability to move laterally within the organization (see Figure 2).

Figure 2: Multi-factor authentication can help during the later stages of an attack by limiting the usefulness of any acquired credentials.

Limitations of Multi-Factor Authentication

However, multi-factor authentication isn’t cheap. It can be costly to implement, and it can also be costly in terms of the user experience, adding a layer of complexity that disrupts legitimate user activity, increases frustration, and hurts productivity. Moreover, multi-factor authentication isn’t infallible, and the following shows that attackers are increasingly evolving to circumvent more and more 2FA methods.

Example of Added Labor Costs from Daily Authentication Disruptions

You may think those multiple daily disruptions to users don’t cost anything other than frustration, but consider this: if you could save users 2 minutes a day by implementing single sign-on and adopting adaptive authentication, which only requires an MFA disruption when risk is present, then for a 5,000-person organization with an average salary of $50K/year the organization saves over a million dollars a year in lost user productivity/labor. That is a significant savings every year. Customize the calculations to better represent your organization.

One-Time Passcodes

The most common way to add 2FA is to require users to provide one-time passcodes (OTPs) during the login process. OTPs can be displayed on hardware tokens; sent via SMS, a telephone call, or email; or generated in a mobile application like Google Authenticator, Duo Mobile, or SecureAuth Authenticate. But attackers can — and do — intercept OTPs using a variety of techniques:

Real-time Phishing Attacks

It’s relatively easy for an attacker to trick someone into giving up their username, password, and one-time passcode. IBM Security Intelligence [4] first reported on the use of real-time phishing in 2010; even back then, the technique was already being used in 30 percent of attacks against websites using 2FA. (FireEye recently released a tool called ReelPhish [5] to help organizations assess their vulnerability to real-time phishing attacks.)

Malware

Using mobile-based malware to obtain OTPs is not new, either. In the 2014 Emmental [6] attacks on Swiss and German banks, attackers leveraged malicious code to scrape SMS OTPs from customers’ Android devices and gain access to their bank accounts. More recently, attackers used the Bankosy Trojan [7] and call forwarding to obtain voice-based OTPs.

SMS and Voice Call Interception

Attackers also use an inherent weakness in Signaling System 7 (SS7), the protocol that allows carrier networks to communicate, to intercept OTPs in SMS messages and voice calls. For example, attackers in Europe [7] used this method to obtain access to victims’ bank accounts. The SS7 weakness was one of the driving forces behind NIST’s original proposal [8] to phase out SMS-based OTPs.

Phone number porting fraud

Attackers use social engineering to obtain a victim’s personal details; then they use that information to convince a cellular company to either issue them a new SIM card or move the victim’s phone number to a SIM card they control. T-Mobile recently warned customers to be vigilant about the increased use of this attack vector.


Push-to-accept

This 2FA mechanism relies on the user hitting ‘accept’ or ‘deny’ during the login process. Attackers bombard users with push-to-accept requests until they finally hit ‘accept’ to make the requests stop — and the attacker gets into the network.

David Kennedy (white-hat pen-tester) claimed at Def Con 22 that he got legitimate users to hit “Accept” 6 out of 6 times while they were not actually authenticating – a 100% success rate.

“While 2FA still has merit, complementing it with adaptive authentication strengthens identity protection with no disruption.”

Knowledge-based Q&A

We’ve all been asked “security questions,” and they go something like: Street you grew up on? Name of first pet? 1st grade teacher’s last name? The problem is that users put too much information out on social media, where answers to those questions could be easy for an attacker to uncover.

While 2FA still has merit, complementing it with adaptive authentication strengthens identity protection and can provide the confidence to not even require a 2FA disruption.

Adaptive Authentication

Understanding Adaptive Authentication

Fortunately, there is a way to thwart attackers who are trying to circumvent 2FA: adaptive (risk-based) authentication. Adaptive authentication enables an organization to create rules that determine whether and how a given authentication process should proceed based on risk analysis. Adaptive authentication techniques can analyze information such as:

Device

Look at the characteristics of an endpoint device, whether it’s a Windows- or Mac-based machine or a mobile device. This may also include evaluating risk/authentication at servers.

Location

Compare a user’s physical location against known good or bad locations. (e.g. if we have no employees, customers, contractors, or partners in a particular geography, why would someone be trying to access from that location?)

IP Address

This could be white/black lists of known good/bad IP addresses and/or looking for an anonymous proxy like Tor (why would a legitimate user be trying to hide their IP?). This could also include checking IPs against sources of known malicious IP addresses where no authentication request should ever originate from.

Behaviors

Seeking irregularities in behavior gives clues to attackers impersonating legitimate users (e.g. a successful login from New York followed an hour later by a login attempt from California is impossible; User A never logs in remotely past 7pm, yet in the past week they have logged in three times, all later than 7pm).

Leverage Other Organization Risk

You may have 3rd party systems that also analyze risk. Think Identity Governance and Administration (IGA), User and Entity Behavior Analytics (UEBA), and Security Information and Event Management (SIEM); these could provide risk information to be considered in an authentication process.

While each of these techniques on its own could be circumvented, combining several or all of them offers a powerful solution. Security is about layers, and adaptive authentication does exactly that — it uses layers. Like layers to a bulletproof vest, the more layers, the greater chance of stopping a bullet or in our case an attacker. Using multiple pre-authorization risk factors, a risk profile can be built and used to determine whether and how a particular user should authenticate.

Those Steps Could be:

  • Deny access
  • Allow without an MFA
  • Require an MFA step
  • Force a password reset
  • Redirect to a honeypot or other safe zone

Automated responses to identity-based conditions save time, inform users, and reduce human interaction, which always introduces errors and risk.
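The layering described above, as an added example that is not part of the paper and not SecureAuth’s product code: each pre-authorization risk factor (IP reputation, anonymizing proxy, off-network source, unexpected geography, unrecognized device, behavioral anomaly, and an external UEBA/SIEM/IGA score) contributes independently to a score, and the score is mapped to one of the listed outcomes (deny, allow without MFA, require MFA, force a password reset, redirect to a honeypot). The network lists, point values, and thresholds are assumptions of this example; the device and behavior inputs are taken as already-computed booleans.

```python
import ipaddress
from dataclasses import dataclass

# Constructed reference data, standing in for an organization's own lists and feeds.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
BLOCKED_IPS = {"198.51.100.23"}      # known-malicious sources (threat-intel feed)
ANONYMIZER_IPS = {"192.0.2.77"}      # Tor exits / anonymous proxies
EXPECTED_COUNTRIES = {"US", "CA"}    # where employees, customers and partners actually are


@dataclass
class AuthContext:
    user: str
    ip: str
    country: str
    device_known: bool          # outcome of the device-recognition step
    behavior_anomaly: bool      # outcome of behavioral analysis (e.g. impossible travel)
    external_risk: int = 0      # 0-100 score supplied by UEBA/SIEM/IGA, if any


def score_request(ctx):
    """Add up independent risk layers; return (score, reasons). Point values are assumptions."""
    score, reasons = 0, []
    addr = ipaddress.ip_address(ctx.ip)
    if ctx.ip in BLOCKED_IPS:
        score += 100
        reasons.append("ip_blocklisted")
    if ctx.ip in ANONYMIZER_IPS:
        score += 60
        reasons.append("anonymizing_proxy")
    if not any(addr in net for net in TRUSTED_NETWORKS):
        score += 10
        reasons.append("off_network")
    if ctx.country not in EXPECTED_COUNTRIES:
        score += 40
        reasons.append("unexpected_geography")
    if not ctx.device_known:
        score += 25
        reasons.append("unrecognized_device")
    if ctx.behavior_anomaly:
        score += 50
        reasons.append("behavior_anomaly")
    if ctx.external_risk:
        score += ctx.external_risk // 2   # external score counts at half weight
        reasons.append("external_risk")
    return score, reasons


def decide(ctx):
    """Map the combined score to one of the paper's listed outcomes (thresholds are assumptions)."""
    score, reasons = score_request(ctx)
    if "ip_blocklisted" in reasons:
        action = "redirect_honeypot"      # known-bad source: divert rather than reveal the real app
    elif score >= 100:
        action = "deny"
    elif score >= 70:
        action = "force_password_reset"   # credentials likely exposed: reset before continuing
    elif score >= 25:
        action = "require_mfa"            # step-up only when risk is present
    else:
        action = "allow"                  # no MFA disruption for a low-risk request
    return {"user": ctx.user, "score": score, "action": action, "reasons": reasons}


if __name__ == "__main__":
    for ctx in (
        AuthContext("alice", "10.1.2.3", "US", True, False),       # on campus, known laptop
        AuthContext("alice", "198.51.100.5", "US", False, False),  # home, new device
        AuthContext("alice", "192.0.2.77", "RU", False, False),    # Tor exit, unexpected country
    ):
        print(decide(ctx))
```

A request from the office on a recognized device scores 0 and is allowed without any MFA prompt; the same user on an unrecognized device from home scores 35 and is stepped up to MFA; a request through an anonymizing proxy from a country where the organization has no users scores well past the deny threshold even if the password is correct.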

Figure 3: Like multi-factor authentication, adaptive authentication can thwart an attacker’s ability to move laterally and escalate privileges inside the organization.

Replacing or Complementing Multi-Factor Authentication

Adaptive authentication can be implemented either as an alternative to multi-factor authentication, or as a complement to it:

  • Some forms of adaptive authentication, such as device recognition, can constitute multi-factor authentication, although this is a debatable point.
  • Adaptive authentication can be used in conjunction with multi-factor authentication, reducing the burden on users by requiring multi-factor only when a login is deemed to involve a certain level of risk. For example, in such a “step-up” approach, if location data together with IP address and device raises sufficient suspicion about a particular authentication request, rather than simply denying the request outright, the system can require multi-factor authentication.

Techniques for Adaptive Authentication

Organizations can tailor adaptive authentication to achieve the level of security they deem appropriate by combining some or all of the risk-based authentication techniques mentioned earlier. Let’s explore each one in further detail:

Block Recently Ported Numbers

Numbers that have been transferred will be blocked from use. Users can re-enable their number after they complete authentication using a different challenge method.

Block By Carrier

You can choose which of the ~180 worldwide carriers can receive phone/SMS challenges. For example, if all of your customers are based in North America, you can limit challenges to carriers in that region.

Multi-Factor Abuse Throttling

Prevent attackers from brute-force guessing OTPs by limiting the number of MFA requests that can be sent across all channels.

Device Recognition

Device recognition is typically a multi-stage process: On first-time authentication, the solution registers an endpoint, and on subsequent authentications, it validates the endpoint against the stored device profile.

This profile comprises a set of 34 different characteristics about the device, such as:

  • Operating System
  • CPU Information
  • Web browser configuration
  • Language
  • Installed fonts
  • Browser plug-ins
  • Device IP address
  • Screen resolution
  • Browser cookie settings
  • Time zone
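The two-stage process just described (register on first authentication, validate on later ones), as an added example that is not from the paper or from SecureAuth’s product: a profile built from the ten attributes listed above is stored under a stable fingerprint, and a later observation is scored by the weighted fraction of attributes that still agree, so that a legitimate change such as a new IP address or time zone does not fail recognition while a different machine does. The attribute weights, the 0.8 threshold, and the sample profile are assumptions of this example.

```python
import hashlib
import json

# The ten attributes listed above. Weights are an assumption of this example:
# attributes that legitimately change (IP, time zone) count less than stable ones.
WEIGHTS = {
    "os": 3, "cpu": 2, "browser": 2, "language": 1, "fonts": 2,
    "plugins": 2, "ip": 1, "screen": 1, "cookies": 1, "timezone": 1,
}
MATCH_THRESHOLD = 0.8   # weighted fraction of attributes that must agree


def normalize(profile):
    """Canonical form: list-valued attributes (fonts, plug-ins) become sorted tuples."""
    out = {}
    for key in WEIGHTS:
        value = profile.get(key)
        out[key] = tuple(sorted(value)) if isinstance(value, (list, set, tuple)) else value
    return out


def fingerprint(profile):
    """Stable, order-independent identifier for a stored device profile."""
    canonical = json.dumps(normalize(profile), sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def match_score(stored, observed):
    """Weighted fraction of attributes on which two profiles agree (0.0 - 1.0)."""
    s, o = normalize(stored), normalize(observed)
    agreed = sum(w for k, w in WEIGHTS.items() if s[k] == o[k])
    return agreed / sum(WEIGHTS.values())


class DeviceRegistry:
    def __init__(self):
        self.profiles = {}   # user -> {fingerprint: normalized profile}

    def register(self, user, profile):
        """First-time authentication: store the endpoint's profile."""
        fp = fingerprint(profile)
        self.profiles.setdefault(user, {})[fp] = normalize(profile)
        return fp

    def recognize(self, user, observed):
        """Subsequent authentication: best match against the user's stored devices."""
        best = 0.0
        for stored in self.profiles.get(user, {}).values():
            best = max(best, match_score(stored, observed))
        return best >= MATCH_THRESHOLD, round(best, 4)


# Constructed sample profile (not real user data).
LAPTOP = {
    "os": "Windows 10", "cpu": "x86_64", "browser": "Firefox 65", "language": "en-US",
    "fonts": ["Arial", "Calibri", "Segoe UI"], "plugins": ["PDF Viewer"],
    "ip": "203.0.113.5", "screen": "1920x1080", "cookies": "enabled",
    "timezone": "America/New_York",
}

if __name__ == "__main__":
    reg = DeviceRegistry()
    reg.register("alice", LAPTOP)
    print(reg.recognize("alice", dict(LAPTOP, ip="198.51.100.8")))   # same laptop from home
    print(reg.recognize("alice", dict(LAPTOP, os="Android 9", cpu="arm64")))
```

The result of `recognize` is what feeds the device factor of the risk profile: a recognized device can be allowed without an MFA step, an unrecognized one is stepped up.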

Phone Number Fraud Prevention

Includes four prevention features:

Preventing Spam Attempts

Attackers will spam authentication software attempting to guess a real one-time passcode (OTP). With SecureAuth, administrators can regulate the number of OTPs allowed and block or lock a violating account for a specific time period.

Verify as Legitimate

Attackers can port legitimate phone numbers to new devices and attempt to use them in an authentication process, impersonating a real user. SecureAuth can prevent authentication from newly ported phone numbers until they are verified as legitimate.

Block Carriers/Numbers

All phone numbers are associated with a specific network carrier and we can detect which carrier via the phone number. For example, if you have no employees, partners, or customers in China, you can block carriers/phone numbers in that country from attempting access.

Block Virtual or VoIP Phone

All phone numbers are associated with a class of phone (e.g. VoIP, mobile, landline, etc) and we can detect what class of phone a specific number is. For example, attackers often impersonate phone numbers via use of a virtual or VoIP phone and you can block those numbers from authentication attempts.
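The four phone-number controls above, together with the multi-factor abuse throttling described earlier, as one added example that is not from the paper or from SecureAuth’s product: before an OTP is sent to a number, the number is checked against a carrier/number-intelligence lookup for its country, line type, and recent porting, and the per-user challenge count across all channels is rate-limited with a lockout. The lookup table, the phone numbers, the window/lockout sizes, and the seven-day porting window are constructed assumptions; a real deployment would query a carrier-data service instead.

```python
from collections import defaultdict, deque

# Constructed number-intelligence lookup standing in for a carrier-data service
# (illustrative numbers, not real subscribers).
NUMBER_INTEL = {
    "+15550100":   {"carrier": "Carrier A", "country": "US", "line_type": "mobile", "ported_days_ago": 400},
    "+15550101":   {"carrier": "Carrier A", "country": "US", "line_type": "mobile", "ported_days_ago": 2},
    "+15550102":   {"carrier": "VoIP Co",   "country": "US", "line_type": "voip",   "ported_days_ago": 900},
    "+8655501000": {"carrier": "Carrier Z", "country": "CN", "line_type": "mobile", "ported_days_ago": 300},
}
ALLOWED_COUNTRIES = {"US", "CA"}    # block carriers/numbers outside where users actually are
BLOCKED_LINE_TYPES = {"voip"}       # virtual/VoIP numbers are not accepted for challenges
RECENT_PORT_DAYS = 7                # a port inside this window is blocked until verified
MAX_CHALLENGES = 5                  # OTP sends allowed per user per window, all channels combined
WINDOW_SECONDS = 600
LOCKOUT_SECONDS = 900


class OtpThrottle:
    """Counts challenge sends per user (SMS, voice, push together) in a sliding window;
    exceeding the limit locks the account for LOCKOUT_SECONDS."""

    def __init__(self, limit=MAX_CHALLENGES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.limit, self.window, self.lockout = limit, window, lockout
        self.sent = defaultdict(deque)   # user -> timestamps of recent sends
        self.locked_until = {}           # user -> time the lockout ends

    def allow(self, user, now):
        if self.locked_until.get(user, 0) > now:
            return False
        recent = self.sent[user]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            self.locked_until[user] = now + self.lockout
            recent.clear()
            return False
        recent.append(now)
        return True


def check_phone_challenge(user, number, now, throttle, verified_numbers=frozenset()):
    """Decide whether an OTP may be sent to `number`; returns (allowed, reason).
    `now` is a timestamp in seconds, passed in so the logic is deterministic."""
    intel = NUMBER_INTEL.get(number)
    if intel is None:
        return False, "unknown_number"
    if intel["country"] not in ALLOWED_COUNTRIES:
        return False, "carrier_country_blocked"
    if intel["line_type"] in BLOCKED_LINE_TYPES:
        return False, "line_type_blocked"
    if intel["ported_days_ago"] <= RECENT_PORT_DAYS and number not in verified_numbers:
        return False, "recently_ported"   # user re-enables it after a different challenge method
    if not throttle.allow(user, now):
        return False, "throttled"
    return True, "ok"


if __name__ == "__main__":
    throttle = OtpThrottle()
    for t in range(7):   # the sixth send inside the window triggers the lockout
        print(t, check_phone_challenge("alice", "+15550100", 100 + t, throttle))
    print(check_phone_challenge("bob", "+15550101", 0, OtpThrottle()))
    print(check_phone_challenge("carol", "+15550102", 0, OtpThrottle()))
```

The ordering matters: the static number checks run before the throttle so that blocked numbers never consume a send, and the throttle is keyed on the user rather than on the channel so an attacker cannot get five extra guesses by switching from SMS to voice.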

Endpoint MFA and Adaptive Authentication

Some vendors offer enhanced protection for devices, enabling organizations to increase security on the device by requiring a multi-factor authentication step and/or adaptive authentication. These security techniques are invaluable for shared resources (devices that are accessed and used by multiple users).

Leverage Other Organizational Risk Information

There are lots of security solutions (e.g. UEBA, SIEM, IGA) as well as home-grown fraud/risk systems which provide risk scores/analysis. Finding vendors who can consume these risk scores for user authentication makes for a more holistic solution and an integrated security blanket. Breaking down silos of threat information and using that data across the organization can only improve its overall security posture while gaining added value from existing investments.

Location

Adaptive authentication can compare a user’s current geographical location (a meaningful, physical location) against known good or bad locations and act accordingly. For example, users on a campus location can be approved without an MFA step while users attempting to authenticate from outside of the campus can be required to take an MFA step.

IP Address

Figure 5: Adaptive authentication can deny access based on source IP reputation data, even if the user provides valid credentials.
Figure 6: By simply combining context and logic, adaptive authentication can deny access based on an improbable travel event.

Behaviors

This could be simply combining context and logic, for example if a user logs in from New York and an hour later attempts to log in from California, it’s impossible and an indication of possible credential mis-use. Behavior can also be complicated and require machine learning and big data analytics.

Understanding typical behavior for every single user makes it possible to identify abnormalities that can indicate an account takeover and attacker behavior. Odd behaviors like logging in at unusual times of day and week, changes in login success or failure, and increases in application access activity can all be indicators of attacker actions, even insider threats.

Examples of behaviors that could indicate a threat

  • New or rarely used IP address
  • New or rarely visited country
  • Change in login success frequency
  • Change in login failure frequency
  • Increase in application login activity
  • Decreases in application login activity
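The context-and-logic case (New York, then California an hour later) and the history-based indicators listed above, as an added example that is not from the paper or from SecureAuth’s product: a baseline is built from one user’s constructed login history (known IPs, known countries, hours at which the user normally logs in, last successful login), and a new event is flagged for a new IP, a new country, an unusual hour, or impossible travel computed from great-circle distance and elapsed time; a separate check compares recent login-failure frequency against the earlier baseline. The login rows, coordinates, the 900 km/h speed limit, and the spike thresholds are assumptions of this example.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900   # faster than any commercial flight: both logins cannot be the user

# Constructed login history for one user (illustrative, not data from the paper).
# Columns: timestamp, source IP, country, latitude, longitude, success
HISTORY_ROWS = [
    ("2019-03-04T09:02", "203.0.113.5", "US", 40.71, -74.01, True),
    ("2019-03-04T13:30", "203.0.113.5", "US", 40.71, -74.01, True),
    ("2019-03-05T08:55", "203.0.113.5", "US", 40.71, -74.01, True),
    ("2019-03-05T17:10", "203.0.113.5", "US", 40.71, -74.01, False),
    ("2019-03-05T17:11", "203.0.113.5", "US", 40.71, -74.01, True),
    ("2019-03-06T09:20", "198.51.100.8", "US", 40.71, -74.01, True),
    ("2019-03-07T10:05", "203.0.113.5", "US", 40.71, -74.01, True),
    ("2019-03-08T09:00", "203.0.113.5", "US", 40.71, -74.01, True),
]


def parse(rows):
    """Turn the tuple rows into event dicts with a datetime timestamp."""
    keys = ("ts", "ip", "country", "lat", "lon", "success")
    events = []
    for row in rows:
        event = dict(zip(keys, row))
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def build_baseline(events):
    """What 'normal' looks like for this user, derived from successful logins."""
    ok = [e for e in events if e["success"]]
    return {
        "ips": {e["ip"] for e in ok},
        "countries": {e["country"] for e in ok},
        "hours": {e["ts"].hour for e in ok},
        "last_success": max(ok, key=lambda e: e["ts"]) if ok else None,
    }


def assess(baseline, event):
    """Indicators raised by one new login event against the baseline."""
    flags = []
    if event["ip"] not in baseline["ips"]:
        flags.append("new_ip")
    if event["country"] not in baseline["countries"]:
        flags.append("new_country")
    if event["ts"].hour not in baseline["hours"]:
        flags.append("unusual_hour")
    prev = baseline["last_success"]
    if prev is not None:
        hours = (event["ts"] - prev["ts"]).total_seconds() / 3600
        km = haversine_km(prev["lat"], prev["lon"], event["lat"], event["lon"])
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            flags.append("impossible_travel")
    return flags


def failure_spike(events, recent=4, factor=3.0, min_rate=0.5):
    """Change in login failure frequency: failure rate of the last `recent` events
    versus the rate over everything before them."""
    head, tail = events[:-recent], events[-recent:]
    if not head or not tail:
        return False
    base = sum(not e["success"] for e in head) / len(head)
    rate = sum(not e["success"] for e in tail) / len(tail)
    return rate >= min_rate and rate > base * factor


if __name__ == "__main__":
    history = parse(HISTORY_ROWS)
    baseline = build_baseline(history)
    # New York at 09:00, then a login from California one hour later.
    california = parse([("2019-03-08T10:00", "192.0.2.9", "US", 34.05, -118.24, True)])[0]
    print(assess(baseline, california))
```

The improbable-travel flag alone does not decide anything; it is one behavioral input to the risk profile, and the paper's step-up approach would require MFA (or deny) on it rather than trusting the valid password.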

Conclusion

Organizations cannot rely on preventative methods to keep attackers out. But you can tighten the net around attackers. Adaptive authentication is a powerful, layered approach that limits the ability of attackers to move laterally within your organization and use any credentials they compromise or create to steal valuable intellectual property, financial data, or other sensitive information.

Adaptive authentication can be tailored to your organization’s risk tolerance, enabling you to balance security with a better user experience. You can use several or all of the techniques detailed in this paper in concert to build a risk profile that determines how to handle an authentication request: allow, deny, force a password reset, redirect, or step up. Users are unaware of the adaptive authentication processes and are not burdened by multifactor authentication unless it is deemed necessary.
