Tech Features

Making Sense of Identity Threat Risks

Published

1 year ago

on

By David Warburton, Director, F5 Labs

The growing maturity of cloud computing, including shifts towards decentralized architectures and APIs, has highlighted the complexity of managing credentials in increasingly interconnected systems. It has also underlined the importance of managing non-human entities like servers, cloud workloads, third-party services, and mobile devices.

F5 Labs’ 2023 Identity Theft Report defines identity as an artifact that an entity uses to identify itself to a digital system – such as a workload, a computer, or an organization. Examples of digital identities include username/password pairs and other personally identifiable information or cryptographic artifacts such as digital certificates.

Digital identities cannot stand on their own. They require a system to accept and validate them. In other words, for a digital identity to function there must be at least two parties involved: an entity and an identity provider (IdP) that are responsible for issuing and vetting digital identities. However, not all organizations that provide resources are IdPs—many digital services rely on third-party IdPs such as Google, Facebook, Microsoft, or Apple to vet identities.

Based on our recent analysis, the three most prominent forms of attack in the identity threat arena currently are credential stuffing, phishing, and multi-factor authentication (MFA) bypass.

Credential stuffing

Credential stuffing is an attack on digital identity in which attackers use stolen username/password combinations from one identity provider to attempt to authenticate to other identity providers for malicious purposes, such as fraud.

It is a numbers game that hinges on the fact that people reuse passwords,
but the likelihood that any single publicly compromised password will work on another single web property is still small. Making credential stuffing profitable is all about maximizing the number of attempts, which requires automation.

Phishing

Phishing is perhaps rivaled only by denial of service (DoS) attacks in being fundamentally different from other kinds of attacks. It is an attack on digital identity, to be sure, but since it usually relies on a social engineering foothold, it is even more difficult to detect or prevent than credential stuffing.

Phishing attacks have two targets: there is the end user who is in possession of a digital identity, and there is the IdP, which the attacker will abuse once they’ve gotten credentials. Depending on the motives of the attacker and the nature of the system and the data it stores, the impact of a successful phishing trip can land primarily on the user (as in the case of bank fraud), solely on the organization (as in the case of compromised employee credentials), or somewhere in the middle.

On the attacker side, phishing can range from simple, hands-off solutions for unskilled actors to custom-built frameworks including infrastructure, hosting, and code. The most hands-off setup is the Phishing-as-a-service (PhaaS) approach in which the threat actor pays to gain access to a management panel containing the stolen credentials they want, and the rest is taken care of by the “vendor.”

Dark web research indicates that the most popular subtype of phishing service is best described as phishing infrastructure development, in which aspiring attackers buy phishing platforms, infrastructure, detection evasion tools, and viable target lists, but run them on their own.

Brokering phishing traffic, or pharming, is the practice of developing infrastructure and lures for the purposes of driving phishing traffic, and then selling that traffic to other threat actors who can capitalize on the reuse of credentials and collect credentials for other purposes.

Finally, the attacker community has a niche for those who exclusively rent out hosting services for phishing.

The most important tactical development in phishing is undoubtedly the rise of reverse proxy/ man-in-the-middle phishing tools (sometimes known as real-time phishing proxies or RTPPs), the best known of which are Evilginx and Modlishka.  This is largely because it grants attackers the ability to capture most multi-factor authentication codes and replay them immediately to the target site facilitating MFA bypass but also making it less likely that the user victim will detect anything is amiss.

Multi-factor authentication (MFA) bypass

Recent years have seen attackers adopt a handful of different approaches to bypassing multi-factor authentication. The differences between these approaches are largely driven by what attackers are trying to accomplish and who they are attacking.

Nowadays, the reverse proxy approach has become the new standard for phishing technology, largely because of its ability to defeat most types of MFA.

MFA bypass tactics include:

  • Malware. In mid-2022, F5 malware researchers published an analysis of a new strain of Android malware named MaliBot. While it primarily targeted online banking customers in Spain and Italy when it was first discovered, it had a wide range of capabilities, including the ability to create overlays for web pages to harvest credentials, collect codes from Google’s Authenticator app, capture other MFA codes including SMS single-use codes, and steal cookies.
  • Social engineering. There are several variations of social engineering for bypassing MFA. Some target the owner of the identity, and some target telecommunications companies to take control of phone accounts.
  • Social Engineering for MFA Code—Automated. These are attacks in which attackers make use of “robocallers” to make phone calls to the target, emulating an identity provider and asking the victim for an MFA code or one-time password (OTP).
  • Social engineering for MFA code—Human. This is the same as the above approach except that the phone calls come from humans and not an automated system.
  • SIM swaps. In this kind of attack, a threat actor obtains a SIM card for a mobile account that they want to compromise, allowing them to assume control of the victim’s phone number, allowing them to collect OTPs sent over SMS. There are several variations of this approach.

So, what does it all mean?

Identity threats are constant and continuous. Whereas a vulnerability represents unexpected and undesirable functionality, attacks on identity represent systems working exactly as designed. They are therefore “unpatchable” not only because we can’t shut users out, but because there isn’t anything technically broken.

This brings us back to the question of what digital identity really is. To go from real, human identity to digital identity, some abstraction is inevitable (by which we mean that none of us is reducible to our username-password pairs). We often teach about this abstraction in security by breaking it down to “something we know, something we have, and something we are.” It is this abstraction between the entity and the digital identity that attackers are exploiting, and this is the fundamental basis of identity risk.

By thinking about digital identities in this way, what we are really saying is that they are
a strategic threat on par with, but fundamentally different from, vulnerability management. With nothing to patch, each malicious request needs to be dealt with individually, as it were. If modern vulnerability management is all about prioritization, modern identity risk management is essentially all about the ability to detect bots and differentiate them from real human users. The next logical step is quantifying the error rate of detecting these attacker-controlled bots. This is the basis on which we can begin to manage the risk of
the “unpatchables.”

Related Topics:

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version