Tracking the growing problem of identity-based attacks
Teleport’s Ben Arent on the challenge of keeping up with criminals as they hop from system to system
Attackers, rather than trying to strong-arm their way into systems, increasingly use valid credentials to gain control of sensitive information or systems, with business email compromise now a precursor to many forms of cyberattack.
Compromised credentials are easy to get hold of, and once in possession of a valid ID or token, sophisticated attackers can swiftly hop from platform to platform, spawning new identities at will.
This presents several problems for defenders, among them:
Validity of identity: Compromised IDs are perfectly valid, and skilled attackers will use them in a way that allays suspicion.
Identity sprawl: Organisations rely on multiple interconnected cloud services, platforms and providers, and tracking identities across this landscape is hard. Even when using centralised identity providers, users can still create multiple sub-identities and tokens across different systems, making it difficult to maintain visibility into actual access patterns.
Speed of lateral movement: Attackers can quickly move from one platform to another, exploiting gaps in visibility between monitoring tools.
Standing privilege: Administrators frequently forget to remove privileged accounts once they are no longer required.
Non-human actors: Automated tools are being granted identities and privileges by their users. Human and non-human actors may be hard to tie together.
Computing spoke to Ben Arent, director of product at identity security company Teleport, about the telltale signs that identity is being abused and about the difficulty in keeping up with identities as they travel across platforms and geographies.
From a visibility point of view, he said, the main problem is that audit logs are siloed within their platforms. Traditional tools do not allow querying across infrastructure silos, or if they do it’s at too slow a pace to keep up with the attackers.
“They get access to a system, and then they quickly pivot to another system. They use a valid credential, and then they hide within that infrastructure. And then once they're within that infrastructure, it can be much harder to detect.”
Identity providers (IdPs) such as Okta centralise identities across applications, but not across infrastructure such as an S3 bucket or a database, said Arent. In addition, within IdPs users can create other sub-users that are difficult to track.
“You have traditional SIEMs and log aggregations, but they are not particularly good at making the connections and the relationships between things.”
How attackers obscure their real identity
Attackers in possession of compromised credentials have a host of tried and trusted techniques to avoid raising the alarm as they traverse systems probing for weaknesses.
They may use VPNs or proxy servers to hide their true location. They might hop to other compromised identities within an organisation to break the trail, perhaps exploiting shared service accounts or passwords that make attribution difficult, or using non-human identities such as service accounts or APIs that are typically monitored less stringently.
They will seek to blend in with other users, operating during normal business hours and mimicking typical behaviour patterns to evade anomaly detection systems, and they will time their activities to avoid triggering rate limits or volume alerts.
Non-human actors such as AI systems may also be used to speed things up, with users delegating their credentials to an agent in ways that may be hard to follow, said Arent.
“From the identity security perspective how can you distinguish someone using a tool versus using a tool via AI agent?”
Telltale signs of identity-based attacks
But these attempts at obfuscation all leave a trace, so long as you know what to look for and have access to the requisite logs.
For example, using a VPN or proxy can create “impossible travel patterns”, when a user logs in from two geographically distant locations within an impossibly short timeframe.
There may be cross-platform movement chains where attackers create a detectable pattern of access across different platforms. There may be failed authentication attempts, unusual permissions requests, or attempts to escape from assigned containers or namespaces to gain broader system access.
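As an added illustration (not from the article, and not Teleport's own tooling), the following Python sketch joins sign-in events from two platform silos by user and flags impossible travel between consecutive sign-ins; the events, their coordinates and the 1000 km/h plausibility ceiling are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sample: sign-in events from an IdP and a cloud audit log,
# already normalised to a common shape (user, platform, timestamp, geo-IP location).
EVENTS = [
    {"user": "alice", "platform": "idp",   "ts": "2024-05-01T09:00:00", "lat": 51.50, "lon": -0.12},    # London
    {"user": "alice", "platform": "cloud", "ts": "2024-05-01T09:20:00", "lat": 51.50, "lon": -0.12},    # London
    {"user": "alice", "platform": "cloud", "ts": "2024-05-01T09:45:00", "lat": 37.77, "lon": -122.42},  # San Francisco
    {"user": "bob",   "platform": "idp",   "ts": "2024-05-01T08:00:00", "lat": 40.71, "lon": -74.00},   # New York
    {"user": "bob",   "platform": "cloud", "ts": "2024-05-01T14:30:00", "lat": 51.50, "lon": -0.12},    # London
]

MAX_SPEED_KMH = 1000  # assumed ceiling for plausible travel (roughly airliner speed)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Group events per user across platforms, order them in time and flag any
    consecutive pair whose implied speed exceeds max_speed_kmh.
    Returns a list of (user, from_platform, to_platform, speed_kmh)."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Same-second sign-ins from different places are impossible by definition.
            speed = math.inf if hours <= 0 and dist > 0 else (dist / hours if hours > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append((user, prev["platform"], cur["platform"], round(speed)))
    return alerts
```

Run on the sample, alice's London-to-San Francisco hop in 25 minutes is flagged while bob's six-and-a-half-hour New York-to-London sequence is not, which is the distinction the geo-IP signal is meant to draw.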
And non-human actors leave their own signals, said Arent - although the picture is changing rapidly. “I think the second wave will be you [tell the agent] ‘come back in, like a week, do these various things.’”
Staying ahead of the hackers
Security companies like Teleport conduct red-team-blue-team sessions to discover hidden identity vulnerabilities and blind spots, building playbooks and automations according to what they find.
But defenders will always be on the back foot.
In the race to chase identities across platforms and timezones, the attackers will have the advantages of speed and surprise. However, despite the onward march of technology, it’s still about getting the fundamentals right, said Arent. He related a story of two senior engineers who, in recognition of the high risk of their being compromised, were forbidden even to fly together, but who nevertheless were both found to have full write access to all the company’s GitLab repos.
“When we showed them that they were like, oh yeah, I guess we should have put better guardrails in there.”
So it’s still about MFA, the principle of least privilege, zero trust and ensuring that, as far as possible, you have visibility into the systems you are using. But new AI-equipped tools can be used by defenders to detect anomalies and correlate seemingly unrelated events to build a coherent picture of an attack.