
    2024 Authentication Strategies

    Organizations must adopt new methods to improve their Identity and Access strategies now more than ever. In recent months, attackers have used new methods to defeat legacy authentication methods and orchestrate massive data breaches. New strategies are needed to strengthen MFA, limit access, and detect threats.

    New Authentication Attacks

    In a recent wave of cybercrime, a ruthless ransomware gang, believed to be associated with either ShinyHunters or Scattered Spider, has launched attacks on two major corporations. These attacks underscore the escalating threat posed by cybercriminals and the criticality of robust data security measures.

    MGM Resorts Ransomware Attack: In September 2023, Scattered Spider was revealed to be involved in a high-profile attack compromising MGM Resorts’ network through social engineering. They impersonated an employee to gain access to the help desk and, ultimately, the internal network. Once inside, they deployed ransomware, encrypting critical data and disrupting operations at MGM’s Las Vegas casinos. The attack forced MGM to shut down slot machines and caused significant financial losses.

    Ticketmaster Breach: On May 28th, the group infiltrated Ticketmaster’s systems and stole a staggering 560 million customer records. This data breach likely included sensitive information like names, addresses, email addresses, and potentially even payment details. The criminals then uploaded the stolen data to BreachForums, a notorious dark web marketplace, and demanded a ransom of $500,000 to prevent its sale or further exploitation.

    Santander Bank Breach: Two days later, on May 30th, the same gang struck again. This time, they targeted Santander Bank, a major Spanish financial institution. The attackers claimed to have stolen many customer records, an estimated 30 million. The ransom demand for this breach was set at a much steeper $2 million, indicating the potential value of financial data on the black market.

    Anti-Phishing MFA

    The Scattered Spider attacks showed that weak MFA (SMS one-time passwords) is extremely susceptible to attack. The use of social engineering or SIM swapping easily defeated that form of MFA. This highlights the need to adopt strong MFA methods. One of the stronger forms of MFA today is FIDO2-based authentication.

    FIDO2 is important because it offers several advantages over traditional MFA methods like SMS codes or authenticator apps:

    • Stronger Security: FIDO2 relies on public key cryptography, which is considered more secure than traditional methods. Passwords and one-time codes can be vulnerable to phishing attacks or interception, while FIDO2 utilizes a private key stored on the user’s device that never leaves it.
    • Reduced Phishing Risk: Since FIDO2 doesn’t involve passwords or codes transmitted over potentially insecure channels, it eliminates the risk of phishing attacks where attackers try to steal login credentials.
    • Improved User Experience: FIDO2 authentication can be much more convenient than traditional MFA methods. It often involves a simple tap on a security key or fingerprint scan, eliminating the need to enter codes or retrieve them from a phone.
    • Reduced Reliance on Phones: FIDO2 security keys can function independently of smartphones, making it suitable for situations where phones aren’t readily available or might be compromised by malware.

    Organizations should begin deploying FIDO2 MFA to strengthen authentication strategies.

    Restrict Access by IP

    While MFA is an essential component of modern authentication strategies, IP-restricting management interfaces provide another very strong layer of protection. A trusted list of IP addresses can be created as long as users are located in discrete locations or using a VPN. Most cloud and SaaS providers allow access to be restricted by IP addresses. By enabling IP restrictions, even if an attacker defeats MFA, they still cannot access the account.

    Microsoft Entra ID provides Conditional Access Policies that allow administrators to restrict access to applications by IP address granularly. Policies can also be combined with various MFA requirements to further restrict access.

    AWS Identity and Access Management allows IAM Policies to be created to restrict access to the AWS Management Console.

    Snowflake Network Policies and Rules can be configured to restrict access to both Snowflake Snowsight and Snowflake APIs.

    Salesforce allows administrators to define Organization-wide Login IP Ranges via its security settings.

    Identity Threat Detection and Response

    Organizations need a robust system for constantly monitoring access to their applications. Analyzing log data and user activity and using services that combine these sources into a unified view empowers them to identify and prevent attacks, such as those recently targeting Snowflake.

    Identity threat detection and response (ITDR) is a cybersecurity approach that protects user identities and identity-based systems from cyberattacks. It’s like a security guard specifically trained to spot and respond to threats targeting digital identities. ITDR is similar to SIEM but solely focused on identity-based attacks. Unlike SIEM, ITDR solutions can be rapidly deployed and integrated into an organization because of the reduced scope.

    ITDR is primarily focused on the following:

    Focus on Identities: Unlike traditional security measures that might prioritize devices or networks, ITDR prioritizes user identities as potential targets. After all, a compromised account can be a gateway to sensitive data and systems.

    Detection Techniques: ITDR employs various methods to identify suspicious activities related to user identities. This can include monitoring user login attempts, analyzing access patterns, and detecting anomalies in data usage.

    Response Strategies: Once a threat is detected, ITDR has procedures in place to respond quickly and effectively. This might involve isolating compromised accounts, resetting passwords, or notifying security teams for further investigation.

    Organizations deploying ITDR are much more likely to identify and rapidly mitigate authentication attacks.
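
    The trusted-IP list from the Restrict Access by IP section and the detection techniques listed above can be combined in a simple check over sign-in events. This is an added example, not code from the original article or from any vendor; the event field names, the trusted ranges, the failure threshold, and the choice to treat "none" as weak MFA are assumptions, and the sample events are constructed.

```python
import ipaddress
from collections import Counter

# Assumed trusted egress ranges (documentation networks, constructed).
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("203.0.113.0/24", "198.51.100.16/28")]
WEAK_MFA = {"sms", "none"}   # SMS per the article; "none" is an assumption
FAIL_THRESHOLD = 3           # assumed: failed logins per user before alerting

# Constructed sign-in events; field names are hypothetical, not a vendor schema.
EVENTS = [
    {"user": "alice", "ip": "203.0.113.10", "mfa": "fido2", "result": "success"},
    {"user": "bob", "ip": "192.0.2.77", "mfa": "sms", "result": "success"},
    {"user": "carol", "ip": "192.0.2.50", "mfa": "none", "result": "failure"},
    {"user": "carol", "ip": "192.0.2.50", "mfa": "none", "result": "failure"},
    {"user": "carol", "ip": "192.0.2.50", "mfa": "none", "result": "failure"},
    {"user": "dave", "ip": "198.51.100.20", "mfa": "sms", "result": "success"},
    {"user": "erin", "ip": "not-an-ip", "mfa": "fido2", "result": "success"},
]

def is_trusted(ip_text):
    """True only if the address parses and falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable source is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def detect(events):
    """Return (user, finding) tuples for identity-focused findings."""
    findings = []
    failures = Counter()
    for e in events:
        if e["result"] == "failure":
            failures[e["user"]] += 1
            # Alert once, at the moment the threshold is reached.
            if failures[e["user"]] == FAIL_THRESHOLD:
                findings.append((e["user"], "repeated_failures"))
            continue
        if not is_trusted(e["ip"]):
            findings.append((e["user"], "success_from_untrusted_ip"))
        if e["mfa"] in WEAK_MFA:
            findings.append((e["user"], "weak_mfa"))
    return findings

if __name__ == "__main__":
    for user, finding in detect(EVENTS):
        print(f"{user}: {finding}")
```

    A successful login from outside the trusted ranges is the case the IP restriction is meant to block outright; seeing it in logs means the restriction is missing or misconfigured for that application.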

    Reduce Attack Surfaces

    Just as it’s important to strengthen authentication methods and the monitoring of logins, it is also important to diligently monitor organizational surface areas.

    New SaaS systems must be integrated into the organization’s SSO to ensure accounts are centrally managed and MFA is in place. Likewise, integrating them into ITDR or SIEM systems facilitates proper monitoring.

    Network access should be properly restricted in data center and Cloud IaaS environments to ensure management protocols like RDP, SSH, or SQL are not exposed to the entire Internet. Enforcing the use of VPN or private tunnels is equally important.

    Hardening cloud platforms is also important to remove any weak authentication protocols that do not support MFA. In Microsoft’s Entra ID, this involves creating Conditional Access policies to block authentication protocols like ActiveSync, POP, IMAP, and SMTP.

    Applications, including APIs, should utilize a Web Application Firewall to protect them from external threats and prevent the accidental exposure of endpoints.

    Human and non-human accounts must be continuously reviewed. Accounts that are no longer needed, or whose access has changed, should be updated immediately. This keeps exposure limited to the immediate business needs.
