About Identity, Part 2: Three Common Identity Attacks
In the second of this three-part series, I identify common identity-related attacks to be aware of, both as an enterprise that needs to safeguard users and customers from identity theft, and as an end user consuming online services and apps on your computer, smartphone, or other device.
In my first blog post, I shared real and potential incidents that underscore the importance of protecting identity, both in the physical and online realms.
Now I will share three common identity-related attacks and recommendations for how to mitigate the risk:
- Spear phishing (also known as man-in-the-middle, credential interception) — the attacker sends a highly targeted email to a specific organization or user to trick them into sharing sensitive information such as passwords, usernames, and credit card details. The email is carefully crafted to get the recipient's immediate attention and increase the probability of success. This attack preys on users’ temptation and naivete to rapidly click and view an email that at a quick glance appears legitimate but is not. Here is an example in which a Kenya-based criminal used spear phishing to commit fraud, siphoning nearly $750,000 US dollars from the victim, the University of California San Diego (UCSD) in California, USA.
- Credential stuffing (also known as breach replay, list cleaning) — the attacker uses automated scripts to try each known compromised credential (obtained from a data breach at one service) against a target web site. The attack works because the majority of users reuse the same credentials across multiple accounts. Here is a recent example in which the United States-based insurance company State Farm suffered such an attack.
- Password spray (also known as guessing, hammering, low-and-slow) — the attacker tries to access a large number of accounts (usernames) with a few commonly used passwords. If lucky, the attacker gains access to one account, from which they can penetrate further into the computer network. This method goes beyond a plain brute force attack. The “issue” with brute force, from an adversary's standpoint, is that systems can be locked down after a certain number of attempts with different passwords, and a lockdown alerts administrators to the attack. With a password spray, the attacker takes care to execute the attack “low-and-slow” to avoid detection. For example, if they try the password “abc” against all the user accounts, they will not start applying another password, “xyz”, to those accounts immediately after finishing the first round; they leave a gap of time (e.g. a minimum of 30 minutes) between rounds. Here is an example in which the well-known American multinational software company Citrix was likely the victim of a password spray attack, according to the Federal Bureau of Investigation (FBI).
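As an added example (not from the original post), here is a small detector for the three sign-in failure patterns described in the credential stuffing and password spray items above: one account hammered repeatedly (brute force, where lockout should fire), many accounts each failing once in a rapid burst (credential stuffing), and many accounts retried after the 30-minute gap the post describes (password spray). The log format, the source IPs and the thresholds are constructed assumptions, not Azure Active Directory defaults.

```python
from collections import defaultdict
from datetime import datetime, timedelta
LOCKOUT_FAILURES = 3              # illustrative: failures on one account before lockout fires
MANY_ACCOUNTS = 3                 # illustrative: distinct failing accounts that make a source "wide"
SLOW_GAP = timedelta(minutes=30)  # idle gap between rounds of a low-and-slow spray (from the post)

# Constructed sample sign-in log: "<ISO time> <source IP> <username> <FAIL|OK>".
SAMPLE_LOG = """\
2019-09-01T08:00:00 198.51.100.7 alice FAIL
2019-09-01T08:00:02 198.51.100.7 alice FAIL
2019-09-01T08:00:04 198.51.100.7 alice FAIL
2019-09-01T09:00:00 203.0.113.5 alice FAIL
2019-09-01T09:00:01 203.0.113.5 bob FAIL
2019-09-01T09:00:02 203.0.113.5 carol FAIL
2019-09-01T09:00:03 203.0.113.5 dave OK
2019-09-01T10:00:00 192.0.2.9 alice FAIL
2019-09-01T10:00:05 192.0.2.9 bob FAIL
2019-09-01T10:00:10 192.0.2.9 carol FAIL
2019-09-01T10:40:00 192.0.2.9 alice FAIL
2019-09-01T10:40:05 192.0.2.9 bob FAIL
2019-09-01T10:40:10 192.0.2.9 carol FAIL
"""

def parse(log):
    """Group events by source IP as ordered (time, user, succeeded) tuples."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user, result == "OK"))
    return by_ip

def classify(events):
    """Label one source's events: brute force, password spray, credential stuffing or benign."""
    failures = defaultdict(int)
    for _, user, ok in events:
        if not ok:
            failures[user] += 1
    if failures and max(failures.values()) >= LOCKOUT_FAILURES:
        return "brute force"  # hammers one account; lockout should fire and alert
    if len(failures) < MANY_ACCOUNTS:
        return "benign"
    # Many accounts, few failures each: a >= 30 min idle gap between rounds is the spray signature.
    if any(b[0] - a[0] >= SLOW_GAP for a, b in zip(events, events[1:])):
        return "password spray"
    return "credential stuffing"

def report(log):
    """Per source IP: its label plus any account that succeeded from that source."""
    return {ip: (classify(ev), sorted({u for _, u, ok in ev if ok}))
            for ip, ev in parse(log).items()}
```

A success recorded from a source labelled stuffing or spray (here, dave from 203.0.113.5) is the account to treat as compromised and reset first.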
From an adversary standpoint, the motivation is the same regardless of the attack method: to get hold of valuable information for perpetrating further damage.
If you have read this far, you should be convinced that passwords are a highly vulnerable form of authentication and are compromised frequently. According to my colleague Alex Weinert, who works in the Identity Division at Microsoft, “When it comes to composition and length, your password (mostly) doesn’t matter.” He articulates why you cannot rely on a purely password-based authentication method to protect your identity.
If you work in IT Security, Identity Protection, or a similar role at an organization that uses Microsoft Azure Active Directory identity services, you can take the five recommended steps described in this article to secure your organization’s identity infrastructure:
- Strengthen your credentials — Given how often passwords are guessed, phished, stolen with malware, or reused, it’s critical to back the password with some form of strong credential. Start by banning commonly attacked passwords, turning off traditional complexity and expiration rules, protecting against leaked credentials, and adding resilience against outages. Also, if applicable, implement Active Directory Federation Services (AD FS) extranet smart lockout. Take advantage of intrinsically secure, easier-to-use credentials such as biometrics.
- Reduce your attack surface area — Given the pervasiveness of password compromise, minimizing the attack surface is critical. Eliminating the use of older, less secure protocols, limiting access entry points, and exercising tighter control of administrative access to resources all help.
- Automate threat response — Azure Active Directory has many capabilities that automatically intercept attacks, removing the latency between detection and response. Reducing the time criminals have to embed themselves in your environment reduces both costs and risks.
- Increase your awareness of auditing and monitoring — Auditing and logging of security-related events, and the alerts raised from them, are essential components of an effective protection strategy. Security logs and reports provide an electronic record of suspicious activity and help detect patterns that may indicate attempted or successful penetration of the network from outside, as well as internal attacks. You can use auditing to monitor user activity, document regulatory compliance, perform forensic analysis, and more. Alerts provide notification of security events.
- Enable more predictable and complete end-user security with self-help — As much as possible, you’ll want to balance security with productivity. In the same spirit of treating this as a journey that lays a long-term foundation for security, you can remove friction from your organization by empowering your users while remaining vigilant.
Last but not least, consider how to protect yourself as an end user, whether you are working, studying, or simply consuming online services and apps for your personal needs.
Here are five basic things to consider to minimize the risk to your identity:
- Exercise caution when opening emails and clicking links in them, to avoid phishing scams. According to the Microsoft Security Intelligence Report, based on security research by the Identity team, the volume of emails associated with phishing increased significantly (more than 100%) year over year between July 2018 and July 2019. Spear phishing emails are craftily designed by a cyber criminal to convince the victim that they are real and can be trusted. Do you remember receiving an email from a bank or a friend requesting personal information such as your name or phone number, which turned out to be fraudulent? These messages can appear very real and will trick anyone who views them quickly without taking the time to assess before clicking a link or opening an attachment or image embedded in the email.
- Do not reuse passwords across services. Use different and “uncommon” passwords, especially for critical accounts related to financial (banking, insurance, credit card, etc.) and healthcare services, since these tend to be the most desirable and valuable to a would-be adversary. Do not use the same passwords for those highly critical services and for more frequently used social and email services: if that password is breached, the adversary is likely to try it against your other accounts, including financial ones — remember the credential stuffing attack explained earlier?
- Use multi-factor authentication, especially when accessing high-risk accounts such as financial and healthcare services, to reduce the probability of an attacker compromising your identity using just a single factor such as a password. On a positive note, I have personally experienced banking institutions offering, or even expecting by default, a user PIN or biometric along with the username instead of a password. Two or more authentication factors help minimize risk, because it is much harder for someone to impersonate you and successfully bypass multiple factors (PIN and biometric, physical card and PIN, etc.).
- Do not store passwords. Where there's a will there’s a way, and adversaries will try anything and everything to get hold of your identity. Even if you are tempted to store account information in a notepad, spreadsheet, or similar, don’t. If an adversary successfully breaks into your machine, the likelihood that they already have your identity is very high anyhow, so why make it even easier for them to do more damage by handing them your passwords?
- Do not use passwords, if possible. Instead of passwords, consider alternative methods of authentication where the service provider supports them. For instance, using a biometric such as the iris of the eye, a fingerprint, or your face to log into a service, an app, or a device is far easier to use and much harder to crack.
Stay tuned for Part 3 of this About Identity series! Remember that from an adversary standpoint, the motivation is the same regardless of the attack method: to get hold of valuable information for perpetrating further damage. Your goal is to make their job as difficult as possible.