White Paper

INCREASING IDENTITY SECURITY WITHOUT INCREASING USER DISRUPTIONS

A Case for Adaptive Authentication

Request a Demo

Executive Overview

Attacks and breaches are in the news every day. We collectively spent ~$90B on security worldwide, but only about $7B on identity security. The rest was spent on Network and Endpoint security, yet breaches continue at an alarming rate. In fact, the Identity Theft Resource Center revealed that the number of breaches rose ~40% in 2018. The real question is, how can your organization keep from becoming tomorrow’s news headline?

This white paper can help. We’ll explore the anatomy of an attack — how attackers gain a foothold and move laterally inside your organization to achieve their goal of stealing valuable information. Then we’ll see why government and military organizations, accept that preventive measures inevitably fail, and choose to focus instead on limiting attackers’ ability to do damage and responding quickly to incidents when they occur.

We’ll see how adaptive and multi-factor authentication can help — and why traditional simple two-factor authentication (2FA) implementations are insufficient as attackers are figuring out ways past a growing number of 2FA authentication methods. Finally, we’ll explore a powerful strategy that can supplement multi-factor authentication (MFA) and dramatically strengthen security without causing unnecessary daily disruptions for users: adaptive authentication.

Read this paper to understand

  • How attackers compromise organizations
  • How you can more quickly detect attackers
  • How you can increase security without disrupting users (Go beyond 2FA).

Introduction

How Attackers Compromise Organizations

Figure 1 details the anatomy of a typical attack. First, attackers penetrate the organization, commonly by using a combination of social engineering and malware, such as an email phishing attack. 76% of surveyed organizations were a phishing victim last year. That is, they target the organization using information harvested via social engineering, social media, and open source data, and then lure unsuspecting users into downloading malware onto their computers. 30% of phishing messages get opened by users.

Once the malware is deployed and the attackers have established an initial foothold, they often try to obtain legitimate credentials (often with a privileged level of access) or create new credentials, sothat they can move laterally and perform reconnaissance within the organization. Even going as far to enroll in an organization’s 2FA program.

Figure 1 Figure 1: Once attackers penetrate an organization and establish a foothold, they often remain present for months until they find the data they’re looking for.

Attackers often remain present in the target organization for long periods of time — a median of 101 days, according to Mandiant’s 2018 threat report. During this time, they move laterally to conduct reconnaissance and gain high levels of access. At this point, it’s likely that the attacker is no longer using malware; rather, a human actor is using the legitimate credentials that have been obtained or created and blending in with the legitimate activity in the environment.

Once the attackers have found what they’re looking for, they will complete their mission by staging the data they’re after — anything from intellectual property to financial data — and complete the process of stealing what they’ve found (sometimes called “exfiltration” or simply “exfil”).If attackers can gain legitimate credentials and register in a 2FA program, how can we ever identify and stop this unauthorized access?

“the average organization takes 101 days to identify a breach.”

Uncovering Attacks & Responding Appropriately

Most Organizations Take Too Long to Learn of Breaches

An organization that has sufficient resources, mature security practices, and appropriate security products might be able to detect forensic artifacts that indicate an attacker is inside their environment. These artifacts could include evidence that malware has been used, evidence of lateral movement, or the discovery of staged data that is either ready to be moved externally or already in the process of being stolen.

But the average organization takes 101 days to identify a breach, and while that is a big improvement over some previous years, three plus months is plenty of time for an attacker to steal data, funds, or whatever is their mission.

Incident Response and Remediation are Complex Tasks

When an organization learns, one way or another, that it has been breached, the next step is to conduct incident response: Starting with forensic analysis of the endpoints and servers initially known to be compromised, the incident responders attempt to determine the reach of the attack. They need to investigate to the point where they can no longer find further evidence of lateral movement.

Legal steps depend on the type of organization that was penetrated, the nature of the attack, and the profile of the attacker. For instance, there are rarely legal repercussions in the case of attacks conducted by nation states or cyber-criminal gangs operating offshore. While some international efforts have been successful at achieving penalties, we do not really see, for example, a company in the defense industrial base issuing charges against a nation state for launching an attack and stealing their intellectual property.

The SANS Institute (https://www.sans.org/) does publish best practices for responding to a breach that can provide some guidance in terms of process. However, a proper incident response and full forensics investigation requires extensive expertise.

Once that investigatory boundary has been established, the next step is remediation. Remediation typically involves:

  • Shutting down all external internet access to the organization (yes, all of it)
  • How you can more quickly detect attackers
  • Re-imaging compromised endpoints and servers
  • Resetting all passwords
  • Removing all user accounts and access compromised or created by the attackers

Preventive Measures are Necessary but Not Sufficient

Many technologies and approaches have been developed to help secure the perimeter of the organization. Among other things, organizations try to detect the presence of malware on the network (by spotting its command-and-control communication), and the presence and execution of malware on endpoints and servers. But attackers are both clever and highly motivated by the potential rewards, so it’s inevitable that they will overcome any preventative method, sooner or later.

In fact, many U.S. military and government organizations have already adopted the position that preventative security will always fail, and the only way to truly be secure is to constantly look for evidence of a breach and then respond appropriately with incident response and remediation. For example, Reuters reports that the former director of the U.S. National Security Agency (NSA) Information Assurance Directorate, Debora Plunkett, told a cyber security forum, “We have to build our systems on the assumption that adversaries will get in.” The UK and other European intelligence agencies have a similar mindset.

This advanced perspective has not yet been broadly accepted, but it should be. Being prepared to perform thorough incident response and remediation when breached is the only surefire way of being secure. But exactly how can your organization tighten the net around attackers?

“Being prepared to perform thorough incident response and remediation when breached is the only surefire way of being secure.”

The Benefits and Limitations of Multi-Factor Authentication

Where Multi-Factor Authentication Can Help
As noted above, one common recommendation during an incident response is to implement multi- factor authentication to protect critical data and infrastructure. Attackers often use legitimate credentials to log back in via VPN to an organization that they’ve compromised (again, blending in with the legitimate, day-to-day network activity). By requiring “something you have” (such as a security token or a biometric identifier like a fingerprint) as well as “something you know” (a password), multi-factor authentication limits the usefulness of any credentials that attackers may have acquired or created, thereby restricting their ability to move laterally within the organization (see Figure 2).

Figure 2 Figure 2: Multi-factor authentication can help during the later stages of an attack by limiting the usefulness of any acquired credentials.

Limitations of Multi-Factor Authentication

However, multi-factor authentication isn’t cheap. It can be costly to implement, and it can also be costly in terms of the user experience, adding a layer of complexity that disrupts legitimate user activity, increases frustration, and hurts productivity. Moreover, multi-factor authentication isn’t infallible, and the following shows that attackers are increasingly evolving to circumvent more and more 2FA methods

Example of Added Labor Costs from Daily Authentication Disruptions

You may think those multiple daily disruptions to users don’t cost anything other than frustration but consider this: If you could save users 2 minutes a day by implementing single sign-on and adopting adaptive authentication, which only requires an MFA disruption if risk is present, for a 5000 person organization with an average salary of $50K/year – the organization saves over a million dollars a year in lost user productivity/labor. That is significant every year savings. Customize the calculations to better represent your organization.

Calculate Savings

One-Time Passcodes

The most common way to add 2FA is to require users to provide a one-time passcode (OTPs) during the login process. OTPs can be displayed on hardware tokens; sent via SMS, a telephone call, or email; or generated in a mobile application like Google Authenticator, Duo Mobile, or SecureAuth Authenticate. But attackers can — and do — intercept OTPs using a variety of techniques:

It’s relatively easy for an attacker to trick someone into giving up their username, password, and one-time-passcode. IBM Security Intelligence4 first reported on the use of real-time phishing in 2010; even back then, the technique was already being used in 30 percent of attacks against websites using 2FA. (FireEye recently released a tool called ReelPhish5 to help organizations assess their vulnerability to realtime phishing attacks.)

Using mobile-based malware to obtain OTPs is not new, either. In the 2014 Emmental6 attacks on Swiss and German banks, attackers leveraged malicious code to scrape SMS OTPs from customers’ Android devices and gain access to their bank accounts. More recently, attackers used the Bankosy Trojan7 and call forwarding to obtain voice-based OTPs.

Attackers also use an inherent weakness in Signal System 7 (SS7), the protocol that allows carrier networks to communicate, to intercept OTPs in SMS messages and voice calls. For example, attackers in Europe7 used this method to obtain access to victims’ bank accounts. The SS7 weakness was one of the driving forces behind NIST’s original proposal8 to phase out SMS-based OTPs.

Phone number porting fraud

Attackers use social engineering to obtain a victim’s personal details; then they use that information to convince a cellular company to either issue them a new SIM card or move the victim’s phone number to a SIM card they control. T-Mobile recently warned customers to be vigilant about the increased use of this attack vector.

See how attacker uses social engineering to overtake a phone account in less than 2 minutes

Push-to-accept

This 2FA mechanism relies on the user hitting ‘accept’ or ‘deny’ during the login process. Attackers bombard users with push-to-accept requests until they finally hit ‘accept’ to make the requests stop — and the attacker gets into the network.

David Kennedy (white hat pen-tester) claims at Def Con 22 that he got legitimate users to hit “Accept” 6 out of 6 time while not actually authenticating - 100% success rate

White 2FA still has merit, complimenting it with adaptive authentication strengthens identity protection with no disruption

Knowledge-based Q&A

We’ve all been asked “security questions” and it’s something like.... Street you grew up on? Name of first pet? 1st grade teacher’s last name? The problem is that users put too much information out on social media, where answers to those questions could be easy for an attacker to uncover.

While 2FA still has merit, complimenting it with adaptive authentication strengthens identity protection and can provide the confidence to not even require a 2FA disruption.


Adaptive Authentication

Understanding Adaptive Authentication

Fortunately, there is a way to thwart attackers who are trying to circumvent 2FA: adaptive (risk-based) authentication. Adaptive authentication enables an organization to create rules that determine whether and how a given authentication process should proceed based on risk analysis. Adaptive authentication techniques can analyze information such as:

Look at characteristics of an endpoint device, whether it’s a Windows or Mac based machine or a mobile device. May also include looking at risk/authentication at servers.

Compare a user’s physical location against known good or bad locations. (e.g. if we have no employees, customers, contractors, or partners in a particular geography, why would someone be trying to access from that location?)

This could be white/black lists of known good/bad IP addresses and/or looking for an anonymous proxy like Tor (why would a legitimate user be trying to hide their IP?). This could also include checking IPs against sources of known malicious IP addresses where no authentication request should ever originate from.

Seeking irregularities in behavior give clues to attackers impersonating legitimate users. (e.g. successfully logging-in from New York and an hour later attempt to log-in from California is impossible; User A never logs-in remotely past 7pm, yet in the past week, they have logged-in three times all later than 7pm).

You may have 3rd party systems that also analyze risk.Think Identity Governance and Administration (IGA), User and Entity Behavior Analytics (UEBA), and Security Information and Event Management (SIEM) that could provide risk information to be considered in an authentication process.

While each of these techniques on its own could be circumvented, combining several or all of them offers a powerful solution. Security is about layers, and adaptive authentication does exactly that — it uses layers. Like layers to a bulletproof vest, the more layers, the greater chance of stopping a bullet or in our case an attacker. Using multiple pre-authorization risk factors, a risk profile can be built and used to determine whether and how a particular user should authenticate.

Those Steps Could be:

  • Deny access
  • Allow without an MFA
  • Require an MFA step
  • Force a password reset
  • Redirect to a honeypot or other safe zone

Automated actions to certain identity-based conditions save time, enlightens users, and reduces human interactions, which always introduce errors and risk.

Figure 3: Like multi-factor authentication, adaptive authentication can thwart an attacker’s ability to move laterally and escalate privileges inside the organization.

Replacing or Complementing Multi-Factor Authentication

Adaptive authentication can be implemented either as an alternative to multi-factor authentication, or as a complement to it:

  • Some forms of adaptive authentication, such as device recognition, can constitute multi-factor authentication, although this is a debatable point.
  • Adaptive authentication can be used in conjunction with multi-factor authentication, reducing the burden on users by requiring multi-factor only when a login is deemed to involve a certain level of risk. For example, in such a “step-up” approach, if location data together with IP address and device raises sufficient suspicion about a particular authentication request, rather than simply denying the request outright, the system can require multi-factor authentication.

Techniques for Adaptive Authentication

Organizations can tailor adaptive authentication to achieve the level of security they deem appropriate by combining some or all of the risk-based authentication techniques mentioned earlier. Let’s explore each one in further detail:*

Device

Device Recognition
Device recognition is typically a multi-stage process: On first-time authentication, the solution registers an endpoint, and on subsequent authentications, it validates the endpoint against the stored device profile.

This profile comprises a set of 34 different characteristics about the device, such as:

  • Operating System
  • CPU Information
  • Web browser configuration
  • Language
  • Installed fonts
  • Browser plug-ins
  • Device IP address
  • Screen resolution
  • Browser cookie settings
  • Time zone

Endpoint MFA and Adaptive Authentication

Some vendors offer enhanced protection for devices, enabling organizations to increase security on the device by requiring a multi-factor authentication step and/or adaptive authentication. These security techniques are invaluable for shared resources (devices that are accessed and used by multiple users).

Phone Number Fraud Prevention
Includes four prevention features:

Attackers will spam authentication software attempting to guess a real one-time passcode (OTP). With SecureAuth, administrators can regulate the number of OTPs allowed and block or lock a violating account for a specific time period.

Attackers can port legitimate phone numbers to new devices and attempt to use in an authentication process, impersonating a real user. SecureAuth can prevent authentication from newly ported phone numbers until verified as legitimate.

All phone numbers are associated with a specific network carrier and we can detect which carrier via the phone number. For example, if you have no employees, partners, or customers in China, you can block carriers/phone numbers in that country from attempting access.

All phone numbers are associated with a class of phone (e.g. VoIP, mobile, landline, etc) and we can detect what class of phone a specific number is. For example, attackers often impersonate phone numbers via use of a virtual or VoIP phone and you can block those numbers from authentication attempts.


Location

Adaptive authentication can compare a user’s current geographical location (a meaningful, physical location) against known good or bad locations and act accordingly. For example, users on a campus location can be approved without an MFA step while users attempting to authenticate from outside of the campus can be required to take an MFA step.

IP Address

You can create lists of know good or bad IP addresses. For example, users authenticating from a specific known good IP range will have less authentication disruptions, while attempts from known bad IPs (e.g. black listed) could be denied or required to pass additional authentication steps.

Anonymity networks or anonymous proxies, like Tor, are meant to hide information that could be used to help identify a user. Most organizations want to prevent access attempts from these networks because more often than not they are used for malicious reasons.

Adaptive authentication can also utilize the SecureAuth Threat Service which integrates multiple different providers of threat intelligence and threat information to cast a wider net and provide best-in-class protection. This service provides the ability to identify authentication requests coming from known bad IP addresses. Beyond your typical IP reputation feed, our threat services provide actionable intelligence available on a given threat (e.g. intent, infrastructure, risk factor). Customers can use this authentication-specific information to cut through the noise and aid Security Operations Center (SoC) staff and incident responders alike, so they know what to focus on during an investigation.

Figure 5: Adaptive authentication can deny access based on source IP reputation data, even if the user provides valid credentials.

Behaviors

This could be simply combining context and logic, for example if a user logs in from New York and an hour later attempts to log in from California, it’s impossible and an indication of possible credential mis-use. Behavior can also be complicated and require machine learning and big data analytics.

Understanding typical behavior for every single user and being able to identify abnormalities can be an indication of an account takeover and attacker behavior. Odd behaviors like logging in at unusual times of day and week, changes in login success or failure, increases in application access activity can all be indicators of attacker actions, even insider threats.

Examples of behaviors that could indicate a threat

  • New or rarely used IP address
  • New or rarely visited country
  • Change in login success frequency
  • Change in login failure frequency
  • Increase in application login activity
  • Decreases in application login activity
Figure 6: By simply combining context and logic, adaptive authentication can deny access based on an improbable travel event.

Leverage Other Organizational Risk Information

There are lots of security solutions (e.g. UEBA, SIEM, IGA) as well as home grown fraud/risk systems which provide risk scores/analysis. Finding vendors who can consume and embrace these risk scores for user authentication only makes for a more holistic solution and integrated security blanket. Breaking down silos of threat information and unlocking and using that data cross organization, can only improve the overall security posture of the organization while gaining added value from existing investments.

Conclusion

Organizations cannot rely on preventative methods to keep attackers out. But you can tighten the net around attackers. Adaptive authentication is a powerful, layered approach that limits the ability of attackers to move laterally within your organization and use any credentials they compromise or create to steal valuable intellectual property, financial data, or other sensitive information.

Adaptive authentication can be tailored to your organization’s risk tolerance, enabling you to balance security with a better user experience. You can use several or all of the techniques detailed in this paper in concert to build a risk profile that determines how to handle an authentication request: allow, deny, force a password reset, redirect, or step up. Users are unaware of the adaptive authentication processes and are not burdened by multifactor authentication unless it is deemed necessary.