Breaches that use identity as the initial attack vector are on the rise, with increasing success and significant financial and reputational damage, and identity providers (IdPs) are quickly becoming the attack vector of choice. Attackers maximize their payoff by infiltrating the most critical system in your organization: the one designed to secure access to all your company and customer data.

The Threat in Context

Once a user with access to the organization’s IdP is compromised through an account takeover (ATO) attack, detection becomes increasingly difficult. The attacker gains persistence within the network, infiltrating multiple critical systems and applications. This enables them to cause damage over long periods of time.

One such attack recently compromised an IdP vendor through their customer support systems. The attack supposedly took place when a customer support user was logged in to their personal Google account and stored their username and password for their service account within Chrome. The attacker had compromised the employee’s Google account, thus gaining access to the credentials to the customer support system. Once access to the support system was gained, the attacker then used session tokens and cookies stored in the HTTP Archive (HAR) files (which were used to troubleshoot issues with the IdP) to access the customer’s network and deploy ransomware and/or exfiltrate data.
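The HAR files in the incident above mattered because a browser's HAR export records every request header, cookie and query string verbatim, so a session token shared for troubleshooting is a session token an attacker can replay. The following is an added example, not code from the original post or from any vendor named here, that scans a parsed HAR document, redacts the values that look like credentials, and reports where they were found; the name fragments it matches and the sample HAR entry are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Name fragments marking credentials in headers, cookies and query strings (constructed, non-exhaustive list).
SENSITIVE_NAME = re.compile(r"session|sid|token|auth|jwt|csrf|bearer|cookie|api[-_]?key", re.IGNORECASE)
REDACTED = "[REDACTED]"

def is_sensitive(name, scrub_all=False):
    return scrub_all or bool(SENSITIVE_NAME.search(name))

def scrub_pairs(pairs, where, scrub_all, findings):
    """Redact the value of every sensitive name/value pair and record (location, name)."""
    for item in pairs:
        name = item.get("name", "")
        if is_sensitive(name, scrub_all) and item.get("value") not in ("", REDACTED):
            findings.append((where, name))
            item["value"] = REDACTED

def scrub_url(url):
    """Redact sensitive query parameters, which HAR mirrors in request.url as well as queryString."""
    parts = urlsplit(url)
    query = [(k, REDACTED if is_sensitive(k) else v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def scrub_har(har):
    """Redact credentials in a parsed HAR document in place; returns the list of findings."""
    findings = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            scrub_pairs(msg.get("headers", []), f"entry {i} {side} header", False, findings)
            # Every cookie is treated as sensitive: a session cookie is exactly what gets replayed.
            scrub_pairs(msg.get("cookies", []), f"entry {i} {side} cookie", True, findings)
        req = entry.get("request", {})
        scrub_pairs(req.get("queryString", []), f"entry {i} query", False, findings)
        if "url" in req:
            req["url"] = scrub_url(req["url"])
    return findings

# Constructed sample: one captured request to a support portal, with made-up token values.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{"request": {
    "url": "https://support.example.com/api/session?token=abc123",
    "headers": [{"name": "Authorization", "value": "Bearer eyJhbGciOi.made.up"},
                {"name": "Cookie", "value": "sid=s3ss10n; theme=dark"}, {"name": "Accept", "value": "text/html"}],
    "cookies": [{"name": "sid", "value": "s3ss10n"}, {"name": "theme", "value": "dark"}],
    "queryString": [{"name": "token", "value": "abc123"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=n3w; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "n3w"}]}}]}}
```

Run it over `json.load(open(path))` before a HAR leaves the organization and write the result back out; request `postData` and response `content` bodies are not scrubbed here and need the same review, since tokens are often returned in JSON bodies as well.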

Another attack took place at a large entertainment and hospitality chain when an attacker used social engineering to gain information about a high-value target (a user with privileged access to critical systems, including their IdP). The attacker then contacted the IT support helpdesk requesting a reset of the high-value user’s MFA credentials. They provided all the required verification information obtained through the social engineering attack, enabling them to enroll their own MFA authenticator. The attacker was then able to establish persistence within the organization’s network, gaining access to critical systems.

Securing Access to IdPs and Taking a Layered Approach

These examples showcase the need to secure access to IdPs with high assurance authentication. Privileged and high-value users with access to critical systems must use a high assurance passwordless authentication mechanism such as X.509 certificate-based authentication (CBA) when authenticating themselves. Enforcing CBA for users as well as devices ensures that the user is not logging in to critical systems on an unmanaged device. By enforcing CBA and eliminating passwords, organizations can defend against common identity-based attacks such as phishing and MFA bypass targeted at their privileged users. In addition, taking a layered approach to security is recommended, with risk-based adaptive access that can evaluate contextual information to dynamically grant or block access based on risk levels when authenticating to an application or service.

As we saw with the attack on the large entertainment and hospitality chain, protecting against these attacks during authentication is not enough; the processes of user registration or password/MFA reset requests must also be secure. By implementing identity proofing through identity verification of physical credentials such as passports and driver’s licenses, organizations enhance their security protocols. This is particularly valuable in processes such as resetting MFA credentials, registering or onboarding new users, or implementing step-up authentication for out-of-policy users or high-value transactions. By adopting these measures, organizations can further protect their critical systems and their existing IdP.

In addition to the above steps, organizations with on-premises environments can also secure their IdP with hardware security modules (HSMs), which provide enhanced protection for the keys, secrets, and tokens the IdP relies on.

To learn more about how you can implement CBA or identity verification with Entrust IDaaS as part of your strategy to secure your most privileged and critical users, start a free trial of the platform today.