This is the second in a three-part series taking a look at the need to focus upon the security issue post-authentication. The first article focused on the issues with fragmented identity.

IAM is more than authentication

• Need to Consider E2E IAM Journey
• MFA and Passwordless Adoption Still An Issue Too

Identity and access management (IAM) is a sprawling and complex set of capabilities, personnel and integrated processes. It is more than authentication. Yet, the login phase is often targeted as the central control point from a security perspective. From an administrative angle, authentication provides numerous options to implement a trust gatewaytrust-gateway analyzing identity, device, location and threat intelligence data in one operation. The end user, of course, sees the “login box” as a simple component that is the doorway to the service, transaction of the piece of data they wish to access. The "login box" is often seen as the application, especially if it is not available.

But, as we know, authentication is much more than that of course and in today’s highly dynamic environments, provides a risk calibration function that allows downstream access, authorization and behaviour events to be placed in a more fine grained context. We can often think of it as the “first policy decision point (PDP)” if we steal from the authorization nomenclature. We can apply rules, analyze a broad array of signals, and implement an infinite set of branching steps and logic. The authentication "black box" tries to distinguish between humans and bots and ideally a level of trust with regards to their further intentions. However, we must recognize that authentication is only ever one part of the end-to-end identity journey. There are stages that need to be implemented before authentication takes place namely registration and storage (as well as verification, validation and proofing if necessary) as well as numerous stages that occur post-authentication. From session issuance, token creation and federation services through to access control, authorization and behaviour analysis. Application access, transaction processing and data sharing all take place once the “login box” has been traversed. To integrate and apply security to those downstream functions is complex, nuanced and often contains blind spots.

Recent innovations in the past 5 years have finally provided an array of technology counterpoints to the inefficiencies of passwords and static shared secrets. The FIDO Alliance supporting initiatives such as WebAuthn and Passkeys support numerous different identity types and use cases with strong, phishing-resistant ways to authenticate end users. However, we are still not seeing 100% rollout and enrollment. B2E workforce communities often have numerous different strong authentication modalities and B2C environments often see strong authentication as an option not a necessity. To that end, we start to see the worst of both worlds: IAM security controls overly focus on authentication, yet strong authentication is still not a complete solution. Phishing attacks are still prevalent, but in addition adversarial activity is also focusing beyond the login box from manipulating permissions and privilege misuse to session hijacking, interception and replay attacks.

Why post-login analytics is critical

• Attackers Pivot to Weakest Part of IAM Chain
• Session Compromise Risk Increasing

As IAM has moved to become a strategic enabler of security, productivity and revenue generation, all parts of the IAM life cycle are vulnerable to adversarial attacks. Attacks on the IAM infrastructure, data and policy are varied, continually evolving and complex to detect and defend against. Attackers will always pivot to the weakest part of the security chain and many IAM deployments have not been built for security from the onset. B2E workforce identity was traditionally focused upon employee productivity and compliance. The joiner-mover-leaver (JML) processes often centered around enterprise directories like Novell or Active Directory were not designed to detect or prevent complex attacks.

The B2C customer and citizen identity space is focused upon personalization and user experience (UX) and getting users to complete a purchase or access content as quickly and simply as possible using one-click on-boarding and omni-device access flows. As a result, sign-up fraud, avenues for financially motivated cybercrime, and manipulation of public-facing login flows are subject to continual malicious activity.

We also need to consider non-malicious or almost accidental exploitation of identity vulnerabilities. Excessive permissions, ghost accounts and overly inhibitive controls can result in staff behavior that goes against security best practices. In the B2C world, account sharing on subscription platforms is common but in turn, it is therefore difficult for service providers to identify malicious activity against an account or simply a family member logging into a gaming or media platform from a different device or different location with consent.

Many of these exploitation patterns do not necessarily rely on attacking the login and authentication processes. Many leverage secondary and downstream vulnerabilities that exist within the post-authentication data flows. A simple overlay of TTPs from MITRE ATT&CK could highlight Lateral Movement via Remote Services (T1021), Abuse of Privileged Accounts (T1078.003 / Privilege Escalation Techniques), Valid Accounts (T1078), Account Manipulation (T1098) or Access Token Manipulation & Session Hijacking (T1134 / T1550) as significant vectors that require a different approach to both detection and protection.

This latter point looking at session hijacking is becoming increasingly powerful as an adversarial vector. Adversaries are not necessarily “breaking authentication”, they may just be bypassing it entirely. Post-authentication activity will see the issuance of some sort of possession-factor artefact an OAuth2 access token, SAML assertion, OIDC id token or a proprietary web cookie. These essentially act as proof of some sort of authentication event or in the case OAuth2 consent and access issuance. Either way, possession of the token essentially means a possession of trusted activity. How are these artefacts under threat? Browser malware and attacks against local session storage, adversary in the middle (AiTM) or cross site scripting (XSS) are mature and well used methods. The end goal is to capture token and cookie material - and potentially manipulate - before simply re-using. All of these methods entirely avoid authentication controls. Regardless of how the user logged in, possession of token material entirely negates those checks.

How to reduce runtime risk

• Identifying Authorized vs. Compromised
• Augmenting and Improving Static Indicators of Compromise

We are starting to see a cascading effect of risk. A suboptimal strong authentication coverage position, multiplied by increasing attacks downstream are allowing internal and external adversaries to perform malicious activities. The first step to reducing risk, identifying malicious behavior, and putting countermeasures in place is to acknowledge there is an issue. This helps to build internal awareness, improve risk and threat analysis phases and ultimately move to a more secure-by-design approach to designing identity services and the applications that rely on them. Whilst upstream authentication controls can be improved, they need to be considered as part of an overall end-to-end identity security play or “unified identity fabric”.

We could also aim to consider breaking down the identity life cycle into some subtle stages: pre-authentication, authentication, post-authentication, authorization and authorized. Even these five could likely be broken down further. Post-authentication is about binding any possession artefacts (tokens, cookies) against browsers, devices and local storage. Immediate downstream access should be comparing the authentication context with the current environmental context and essentially looking for change. Access policy comparison is clearly table stakes, but further analysis against historical access and comparison against both known TTPs and also potentially unknown statistically significant patterns of behavior are too.

Known indicators of compromise (IoC) are tied to threat actor groups perhaps nation states and cover the network, endpoint, identity and behaviour associated with malicious activity. Ofcourse leveraging rule-centric ways of analysis is likely to result in blind spots, namely as IoCs are also known by malicious actors allowing them to change the IP addresses, user-agents and malware files they use. Alongside changes to tradecraft, they can repeatedly and iteratively slip past decision points. It is important, therefore, to leverage a more composite approach taking into consideration multiple data points and looking at threshold-based approaches to risk. From an identity and account point of view the following are important starting points:

1. MFA device enrolment changes (especially if device make changes too, going from Apple to Android for example, which is quite rare in real life)
2. New standard account creation and short time after subsequent deletion
3. New administration account creation attempts
4. Account recovery changes such as email or SMS contact number
5. Rapid rise in access requests, often “testing” access and permissions
6. Personal cloud access patterns have they changed?
7. Long-lived tokens seeing a spike in usage
8. Unusual OAuth2 content flows scope volume and variety
9. Reactivation of disabled accounts
10. Dormant accounts associated with new permissions

This is just a basic top 10 and any mass scale enumeration and scanning activity should be treated suspiciously too - especially as it pertains to accounts and permissions. All of the above should be detectable as ITDR use cases.

Summary

As IAM becomes a strategic enabler for business change, it will and is becoming the main target for internal and external adversarial behaviour. Whilst improving security controls before and during authentication, it is becoming increasingly vital to improve detection, protection and response activities during session issuance and downstream system access. Continuous runtime analysis and composite approaches to identity risk can help to reduce both likelihood and impact of attacks against sessions and access control functions.

‍