State of Identity Security - Protecting The Workforce 2023 - Oort
Attackers no longer need zero days to get access to systems - they simply log in. Whether by bypassing MFA, hijacking sessions, or simply brute-forcing passwords, almost every successful attack targets our identities. These increased attacks are fuelled by a massive expansion of the identity attack surface, which has grown exponentially through the adoption of remote work, the shift to the cloud, and ongoing digital transformation efforts. Unfortunately, IT and security leaders are largely unaware of the security risks that stem from this identity sprawl. This research paper analyses the attackers targeting identities and current trends in identity posture. Through a comprehensive analysis of the latest research and real-world case studies, we aim to shed light on the challenges organizations face in securing their IAM systems and provide insights into best practices for mitigating these risks…
The Cyber Hut Comment: A long-read report by ITDR startup oort.io. The report focuses on analysing data from some 500,000 identities held across a range of identity providers, such as Okta and Azure AD, and comparing that data against threat detection rules designed by Oort.
Some initial stats that headline the report include the old adage of poor MFA adoption - some 40% of all accounts analysed did not have MFA deployed. Another interesting stat - albeit perhaps an obvious one - is that admin accounts are 3 times more likely to be probed than normal end-user accounts. A third headline stat is that 24% of all accounts are dormant - that is, not being used, yet still active and therefore usable by an adversary.
The report goes on to describe some of the emerging identity threats organisations must face. These include brute force (password spraying, credential stuffing), dormant account management (organisations know about the problem, yet either cannot or do not necessarily fix it), through to targeted identity attacks against executives (where the risk/reward ratio can be very high for the adversary).
Session hijacking also gets a mention - newer techniques involve not only stealing cookies and other bearer-based session material, but also stealing the device fingerprint metadata, allowing adversaries to mimic trusted devices based on their browser configurations. Clearly, reducing session length can help here, as can techniques to identify parallel session usage (two devices using the same session at the same time).
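The two controls mentioned above (detecting parallel session usage and capping session lifetime) can be checked from ordinary session-usage logs. The following is an added illustration, not code from the Oort report or from The Cyber Hut; the event format, the session identifiers and the fingerprint values are constructed sample data, and the 15-minute window and 8-hour lifetime are assumed thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of session-usage events (not real data):
# (timestamp, session_id, user, source_ip, device_fingerprint)
SAMPLE_EVENTS = [
    ("2023-05-01T09:00:00", "sess-A", "alice", "203.0.113.10", "fp-chrome-mac-1"),
    ("2023-05-01T09:05:00", "sess-A", "alice", "203.0.113.10", "fp-chrome-mac-1"),
    ("2023-05-01T09:07:00", "sess-A", "alice", "198.51.100.7", "fp-chrome-mac-1"),
    ("2023-05-01T09:09:00", "sess-A", "alice", "203.0.113.10", "fp-chrome-mac-1"),
    ("2023-05-01T10:00:00", "sess-B", "bob", "192.0.2.5", "fp-firefox-win-2"),
    ("2023-05-01T10:30:00", "sess-B", "bob", "192.0.2.5", "fp-firefox-win-2"),
    ("2023-05-01T11:00:00", "sess-C", "carol", "192.0.2.9", "fp-safari-ios-3"),
    ("2023-05-01T11:01:00", "sess-C", "carol", "192.0.2.9", "fp-edge-win-4"),
    ("2023-05-01T08:00:00", "sess-D", "dave", "192.0.2.20", "fp-chrome-win-5"),
    ("2023-05-01T20:30:00", "sess-D", "dave", "192.0.2.20", "fp-chrome-win-5"),
]


def analyze_sessions(events, window_minutes=15, max_lifetime_hours=8):
    """Return sorted (session_id, finding) tuples. Findings:
    parallel_use       - the session hops between two sources (IP or
                         fingerprint) and back within the window, i.e. two
                         devices are using the same bearer material at once.
    fingerprint_change - the device fingerprint changes mid-session.
    lifetime_exceeded  - the session has outlived the maximum lifetime."""
    window = timedelta(minutes=window_minutes)
    max_lifetime = timedelta(hours=max_lifetime_hours)
    by_session = defaultdict(list)
    for ts, sid, _user, ip, fp in events:
        by_session[sid].append((datetime.fromisoformat(ts), ip, fp))

    findings = set()
    for sid, recs in by_session.items():
        recs.sort()  # chronological order per session
        if len({fp for _, _, fp in recs}) > 1:
            findings.add((sid, "fingerprint_change"))
        if recs[-1][0] - recs[0][0] > max_lifetime:
            findings.add((sid, "lifetime_exceeded"))
        earlier_keys, last_key, last_ts = set(), None, None
        for ts, ip, fp in recs:
            key = (ip, fp)
            # A return to a previously seen source shortly after leaving it
            # means the session is being driven from two places in parallel.
            if last_key is not None and key != last_key:
                if key in earlier_keys and ts - last_ts <= window:
                    findings.add((sid, "parallel_use"))
            earlier_keys.add(key)
            last_key, last_ts = key, ts
    return sorted(findings)
```

A single fingerprint change (sess-C) is reported separately from true interleaving (sess-A), since a cloned fingerprint will not change the fingerprint at all and is only visible through the alternating source IP.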
The report continues with a focus on MFA - issues with MFA fatigue, weaknesses in the credential reset phase, and flooding vulnerabilities.
An interesting report that continues to highlight the issues at all stages of the identity and access management life cycle - from identity profile and persistent data, through to authentication and authorization weaknesses. Many of these vulnerabilities can be managed through automated identification and sensible risk management once exceptions are identified.
This is an area The Cyber Hut recently discussed at the IAM Tech Day, where the need for an Identity Threat Assessment Framework was discussed.