Sheep in Wolves’ Clothing: How our IP-based authentication rules need to change

Martin Connarty
5 min read · Oct 4, 2023


This is a quick post with some thoughts on this problem and some ideas on how we may need to change our approach. It is biased a bit towards Azure, but I think the challenge and the solutions are universal.

As always, would love your thoughts on this!

IP-based detection rules vs commercial VPN providers (train meme)

How IP based rules currently work and the problem

Phishing remains a large threat to organisations, and traditional mitigations such as MFA are now being defeated with relative ease.

  • AiTM (Adversary-in-the-Middle) — threat actors use reverse-proxy phishing kits such as EvilProxy to relay the victim's real Azure login, including the MFA step, and capture the session token that is issued afterwards. The sites are often very convincing, pulling in the target's own branding imagery (see the blog post on this).
  • Quishing (yeugh!) — phishing via QR codes. Users who scan one and enter their details are often on a device such as their mobile, which may not have the same level of monitoring (such as a web proxy) as a managed laptop.

As such, without great visibility into the emails and the URLs that are subsequently clicked, we have to rely on the details of the authentications we observe.

Currently, one major way we determine whether an external authentication to our networks is legitimate or a sign of account compromise is to look at the details of the source IP address.

We might alert on or block items such as:

  • Impossible Travel — someone logging in from geographically separate places within a window in which no one could physically travel between them
  • Threat intelligence — is the connecting IP address already known to be “bad” on a threat feed?
  • Country based — do the countries the IP addresses resolve to line up with where we do business or where that user is based?

These were, until recently, all reasonably reliable methods of mitigating suspect logins. There are a lot of other detection points raised in this article on AiTM from Microsoft.

However, the landscape has been shifting for a while, meaning we can no longer rely on these, and a major reason is the growth in everyday use of VPN services such as NordVPN.

VPN Services

According to this NordVPN statistic, use has grown over the past three years to the point where approximately 33% of Americans regularly use a VPN.

Year on year VPN use

This is no surprise: the marketing of VPN services to the general public is huge. Not to deliberately pick on NordVPN, but it has reached the point where they are major sponsors of football teams as well as sponsoring influencers and more.

Liverpool NordVPN Sponsorship

Residential Proxies

Often the reason people use VPNs is to access media from countries in which they are not currently residing. For example, someone may want to watch a BBC programme without being in the UK, but they do not want to pay, as they may have to if the BBC sees them coming from an IP in, say, France.

This leads to a cat-and-mouse game between the media companies and the VPN providers. Users want to use VPNs and the media companies try to stop them. Traditionally that was relatively easy to block: when looked up, the VPN exit IPs usually belong to a data centre, not to the kind of consumer ISP one would expect for a normal visitor.

Residential proxies have stepped in to fill that gap. These services typically pay users to share their home IP with the “network”, allowing someone in another country to route their traffic via that home connection and so appear to be a normal residential user.

A quick Google search shows how widespread they are:

Residential Proxies — Google

Why all of this is a problem to security teams

Due to the anonymity offered by both traditional VPN services and residential proxies, they are favoured by threat actors, both criminal and state. Legitimate users and threat actors are now effectively indistinguishable from the IP address alone.

This means that, if we go back to our traditional methods of detection:

  • Impossible Travel — a user can now easily appear from several geographically separate locations in a relatively short time, simply by switching VPN exit nodes.
  • Threat intelligence — a threat actor may have come out of an IP that was then tagged as ‘malicious’ on a threat feed. The same shared exit IP may later be used by a legitimate user.
  • Country based — users may not always select the same country they reside in for their exit point (admittedly, they probably will).
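To make the three IP-based checks concrete, and to show how a single legitimate user hopping between commercial VPN exit nodes lights them up, here is an added example in Python (not code from the original post, and written in Python rather than KQL so that it runs offline). The sign-in records, coordinates, threat feed and allowed countries are all constructed for illustration; a real pipeline would take them from the sign-in logs, a GeoIP database and a threat-intel feed.

```python
"""Added example: the three IP-based sign-in checks from the post, run over
constructed Entra ID / Azure AD style sign-in records. All IPs, coordinates,
the threat feed and the country list are made up for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str
    country: str   # ISO country code the IP resolves to (constructed)
    lat: float     # GeoIP latitude (constructed)
    lon: float     # GeoIP longitude (constructed)


# Constructed enrichment tables (assumptions, not real intel).
THREAT_FEED = {"203.0.113.77"}        # exit IP previously tagged on a feed
BUSINESS_COUNTRIES = {"GB", "IE"}     # where this organisation's staff sign in from


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(prev, cur, max_kmh=900.0):
    """True if the speed implied by two consecutive sign-ins exceeds roughly airliner speed."""
    hours = (cur.ts - prev.ts).total_seconds() / 3600
    if hours <= 0:
        return True
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours > max_kmh


def evaluate(signins):
    """Return {(user, timestamp): [names of rules that fired]} for the given sign-ins."""
    findings = {}
    last_by_user = {}
    for s in sorted(signins, key=lambda x: x.ts):
        fired = []
        if s.ip in THREAT_FEED:
            fired.append("threat_intel")
        if s.country not in BUSINESS_COUNTRIES:
            fired.append("country")
        prev = last_by_user.get(s.user)
        if prev is not None and impossible_travel(prev, s):
            fired.append("impossible_travel")
        last_by_user[s.user] = s
        if fired:
            findings[(s.user, s.ts)] = fired
    return findings


# Constructed sample: alice signs in from London, 40 minutes later from a
# commercial VPN exit in Frankfurt, then two hours on from a UK exit node that
# happens to be on the threat feed. All three sign-ins are the real alice.
T0 = datetime(2023, 10, 4, 9, 0)
SAMPLE = [
    SignIn("alice", T0, "198.51.100.10", "GB", 51.5074, -0.1278),
    SignIn("alice", T0 + timedelta(minutes=40), "192.0.2.55", "DE", 50.1109, 8.6821),
    SignIn("alice", T0 + timedelta(hours=2), "203.0.113.77", "GB", 51.5074, -0.1278),
]

if __name__ == "__main__":
    for (user, ts), rules in evaluate(SAMPLE).items():
        print(user, ts.isoformat(), rules)
```

Running it shows the second sign-in tripping both the country rule and impossible travel (roughly 640 km in 40 minutes), and the third tripping threat intel, even though every sign-in was the legitimate user. None of the three rules has any signal to separate this from an AiTM-stolen token being replayed through the same VPN provider.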

Possible solutions and potential drawbacks

So what are organisations to do? There are a few options to my mind, each with drawbacks.

  1. Enrolment of devices — By enrolling a device into the organisation, or by using other methods such as client certificates, we gain a much stronger level of confidence in who is connecting, regardless of the IP they arrive from. This is likely a lot of work and may be a challenge with BYOD. I would personally suggest this is the most robust method.
  2. Organisational blocking of VPNs — Even if we put aside the technical challenge of blocking VPNs or residential proxies (feeds are available for both), with the rise in their use by normal users it may not be appropriate to have such a strong policy that is likely to frustrate. I don’t think this challenge is going away, so I feel we need smarter solutions than this.
  3. Verification — When we suspect a VPN, we may wish to verify with the user or their manager that it is really them. However, there are two potential issues I see here: firstly, this could become a large amount of toil for a security team to do regularly; secondly, ensuring that you are verifying with the user and not just with the threat actor who now holds their session.
  4. Correlation — If we map out the likely actions an adversary will take once they’ve gained that initial access (e.g. creating a new inbox forwarding rule, or an unexpected application being used to authenticate), we can overlay those with the context that the sign-in came from a VPN. In my view this is the best way we have to detect these, but it is critical that we have other detections based on the behaviours a threat might exhibit once they’ve gained access, not just the sign-in itself. We also need some way to highlight a cluster of suspicious rule hits on one account; something like Risk-Based Alerting is suited to this, but not all SIEMs offer it.
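The correlation approach in option 4 is easiest to see with a small risk-based-alerting scorer, so here is an added example in Python (not code from the original post, and not any SIEM's product schema). It treats a VPN or proxy sign-in as a weak signal that only becomes an alert once a post-access behaviour such as a new forwarding rule lands on the same account within a window. The event shapes, the VPN ASN list, the weights and the threshold are all constructed assumptions.

```python
"""Added example: a toy risk-based-alerting scorer that correlates VPN context
on a sign-in with follow-on behaviours. Event shapes, weights, ASNs and the
threshold are constructed assumptions, not a SIEM's real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: ASNs we treat as commercial VPN / residential-proxy providers.
# In practice this set is fed from a VPN/proxy feed.
VPN_ASNS = {"AS64500", "AS64501"}

# Constructed weights. A VPN sign-in alone must stay below the threshold;
# VPN plus a persistence or exfiltration action should cross it.
WEIGHTS = {
    "signin_vpn": 20,
    "signin_impossible_travel": 20,
    "signin_unenrolled_device": 15,
    "inbox_forwarding_rule_created": 50,
    "unexpected_app_consent": 40,
    "mfa_method_added": 40,
}
ALERT_THRESHOLD = 70
WINDOW = timedelta(hours=24)


def signals_for(event):
    """Map one raw event dict to the named weak signals it carries."""
    out = []
    if event["type"] == "signin":
        if event.get("asn") in VPN_ASNS:
            out.append("signin_vpn")
        if event.get("impossible_travel"):
            out.append("signin_impossible_travel")
        if not event.get("device_enrolled", False):
            out.append("signin_unenrolled_device")
    elif event["type"] in WEIGHTS:
        out.append(event["type"])
    return out


def score_users(events):
    """Sum signal weights per user over a sliding window.

    Returns {user: (peak_score, [signals in the window at that peak])} only for
    users whose score reached ALERT_THRESHOLD at some point.
    """
    alerts = {}
    per_user = defaultdict(list)  # user -> [(ts, signal, weight)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        for sig in signals_for(ev):
            per_user[user].append((ev["ts"], sig, WEIGHTS[sig]))
        # Drop signals that have aged out of the window.
        per_user[user] = [x for x in per_user[user] if ev["ts"] - x[0] <= WINDOW]
        total = sum(w for _, _, w in per_user[user])
        if total >= ALERT_THRESHOLD and (user not in alerts or total > alerts[user][0]):
            alerts[user] = (total, [s for _, s, _ in per_user[user]])
    return alerts


# Constructed sample events. bob is a normal VPN user on an enrolled device;
# carol signs in via a VPN from an unenrolled device and then creates an inbox
# forwarding rule, which is the pattern we actually want to alert on; dave is
# just on an unenrolled device with no VPN and no follow-on activity.
T0 = datetime(2023, 10, 4, 8, 0)
SAMPLE_EVENTS = [
    {"user": "bob", "ts": T0, "type": "signin", "asn": "AS64500", "device_enrolled": True},
    {"user": "carol", "ts": T0, "type": "signin", "asn": "AS64501", "device_enrolled": False},
    {"user": "carol", "ts": T0 + timedelta(minutes=12), "type": "inbox_forwarding_rule_created"},
    {"user": "dave", "ts": T0, "type": "signin", "asn": "AS65000", "device_enrolled": False},
]

if __name__ == "__main__":
    for user, (score, signals) in score_users(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: score={score} signals={signals}")
```

With these weights only carol crosses the threshold (20 + 15 + 50 = 85); bob's VPN sign-in on its own scores 20 and never surfaces, which is the point: the VPN is context, not the alert. The weights and window are the tuning knobs, and the post-access behaviours (forwarding rules, app consents, new MFA methods) each need their own reliable detection feeding in for this to work.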

Summary

The rise of VPN use by normal users means that the IP address alone is no longer enough for our detection and prevention methods. We must approach this challenge differently if we’re going to succeed.

I would really appreciate any other insights, especially any methods you’ve found to be effective here. I’d particularly love some first-hand knowledge of the types of activity you found a threat actor performed once they had access to an Azure account.
