As the end of 2022 draws near, a growing number of companies are adopting or planning to adopt zero trust, according to a recent report by Okta. This is great news because identity-based zero trust access solutions can help minimize the number and blast radius of security breaches, which were still high in the past quarter.
How exactly can these access controls help? Let’s find out by reviewing 4 of the most prominent cyber attacks of Q3 2022 and then examining how similar attacks can be prevented by implementing identity-based access and connectivity.
This quarter’s most infamous cyber attack was the third-party social engineering attack on Uber. In this breach, the attacker texted an Uber employee (reported to be an external contractor) and sent multiple multi-factor authentication (MFA) notifications, all while posing as an IT team member. Presuming that the MFA notifications were legitimate, the employee ultimately handed over their password. The attacker then used those credentials to phish additional employees, move laterally through Uber’s internal systems and gain deep access to internal databases, including the company’s IAM solution, OneLogin.
In response to the breach, Uber blocked access to, or reset the passwords of, employee accounts that had been identified as compromised. Internal tools were disabled, keys were rotated and the codebase was locked down, and the company is strengthening MFA and adding environment monitoring.
The full impact of this attack is still unknown, but it is thought that the attacker is connected to ransomware gang Lapsus$.
The Uber breach is what cybersecurity nightmares are made of: a combination of some of the riskiest modern vulnerabilities. These include social engineering that takes advantage of human weaknesses, risky third party contractors, and a legacy approach to the network perimeter.
Identity-based access takes a different and more modern approach to security. Because users are continuously authorized and granted access only to the specific assets they are entitled to, rather than to the entire network, the attack surface shrinks. In the case of Uber, three main identity-based access controls can mitigate the blast radius of similar events:
Cross-organizational MFA – Security hygiene demands that MFA be implemented across all applications and accounts, alongside device health validation. This ensures MFA authorization is enforced each time a resource is accessed, not only upon first entry to the network.
Passwordless Vault – Using a personal vault to create a passwordless user experience eliminates the ability to perform password-related attacks.
User Behavior Analytics – Ongoing detection and blocking of anomalies that could indicate cybersecurity threats.
In the case of the Uber breach, a combination of these three controls could have:
Blocked the attacker’s device due to its health status.
Prevented lateral movement in the network, even if one employee was compromised.
Identified the anomalous behavior of receiving multiple MFA requests or the compromised users’ activity.
Brought the third party employee’s security control up to the same level as the rest of the company.
Eliminated the ability to abuse passwords for lateral movement.
Identified and blocked suspicious behavior in sensitive databases and the IAM.
Added an additional layer of security to reduce the blast radius of breaching the IAM system.
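The “multiple MFA requests” anomaly listed above is detectable from authentication logs. The following is an added example, not code from the original post or from Cyolo: it runs a simple sliding-window detector over a constructed sample of MFA push events (the event names, user names and thresholds are assumptions) and flags a burst of pushes to one user, escalating when an approval follows the burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real logs). Fields:
# timestamp, user, event. A burst of pushes to one user that ends with an
# approval is the push-fatigue pattern described in the Uber breach.
SAMPLE_EVENTS = """\
2022-09-15T22:01:10Z contractor1 push_sent
2022-09-15T22:01:40Z contractor1 push_denied
2022-09-15T22:02:05Z contractor1 push_sent
2022-09-15T22:02:30Z contractor1 push_denied
2022-09-15T22:03:15Z contractor1 push_sent
2022-09-15T22:04:00Z contractor1 push_sent
2022-09-15T22:05:20Z contractor1 push_approved
2022-09-15T22:10:00Z alice push_sent
2022-09-15T22:10:20Z alice push_approved
"""

PUSH_THRESHOLD = 3            # assumed: pushes per window that count as fatigue
WINDOW = timedelta(minutes=10)

def parse_events(text):
    """Parse 'timestamp user event' lines into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events

def detect_mfa_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return (user, severity, message) alerts. A user who receives `threshold`
    or more pushes inside `window` gets a medium alert; an approval after such
    a burst is high severity, since that is the moment a session is granted."""
    recent = defaultdict(deque)   # user -> timestamps of pushes still in window
    flagged = set()
    alerts = []
    for ts, user, event in sorted(events):
        q = recent[user]
        while q and ts - q[0] > window:   # drop pushes older than the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append((user, "medium", f"{len(q)} MFA pushes within {window}"))
        elif event == "push_approved" and user in flagged:
            alerts.append((user, "high", "approval after push burst; revoke session"))
    return alerts
```

In a real deployment the high-severity alert would feed the blocking action the post describes (session revocation and a forced re-verification), rather than only being recorded.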
In the U-Haul attack, the assailant succeeded in compromising two passwords that provided access to the company’s contract search tool and ultimately gave the attackers unauthorized access to customer names, drivers’ license numbers, and state identification numbers. U-Haul’s response was to change the passwords and investigate the incident.
Identity-based access ensures each user is verified before being given access to a valuable resource. While information about the U-Haul attack remains incomplete, it appears that the compromised passwords belonged to the tool, not to a specific user. This setup reflects a legacy security model, which assumes that anyone inside the network perimeter who holds the password can be trusted.
In the identity-based approach, users and identities are verified individually. In this case, the attacker might have been blocked from accessing the critical search tool, since a shared tool password would not have been enough to gain access; instead, the attacker’s identity would have had to be verified. Implementing MFA, an even stronger authentication method, would have further reduced the chances of the attacker being verified.
Finally, ongoing monitoring and auditing of users’ activity in sensitive tools could have raised an alert on anomalous behavior in the application and blocked the attacker’s activities in the U-Haul contract search tool.
Two Luxembourg-based companies were attacked with ransomware in July. The attackers, from the Alphv ransomware group, which is also known as BlackCat, took down customer portals and exfiltrated data from systems. BlackCat claims this data includes contracts, passports, bills, and emails. Fortunately, the supply of electricity and gas was not affected.
In the past year, European energy companies have been the targets of a growing number of attacks. Cyberattacks on critical infrastructure companies pose a growing risk because they often do not incorporate advanced security measures, while the impact of a breach on their systems could be devastating for millions of people.
Identity-based access extends modern security controls, often reserved for the cloud, to OT and legacy systems and applications. Solutions like MFA, continuous verification, network cloaking, and ongoing auditing help mitigate attacks on critical infrastructure and OT systems, regardless of their infrastructure type. This ensures that energy companies, just like cloud-native companies, can enjoy an enhanced security posture and gain visibility and control over their systems.
In August, a threat actor gained access to LastPass’s development environment through a compromised endpoint. The attacker impersonated the developer and was authenticated through MFA. According to LastPass, no customer data or encrypted password vaults were compromised, because the development environment is physically separated from Production. Fortunately, the development environment does not have customer data and LastPass cannot access its customers’ vaults.
MFA ensures that only authorized individuals can access organizational resources and consume sensitive information. However, the device that is used to access these resources also needs to be verified. An unauthorized device might lead to a data breach, as in this case.
An identity-based access solution authorizes devices, and not just users, before enabling access to resources and systems. By checking device criteria such as disk encryption, running anti-malware, whether the device is managed, and other posture attributes, such a solution can alert on and block unverified devices and prevent attacks. In this case, the attacker’s unverified device would not have been able to access the development environment.
In addition, identity-based access continuously authorizes users and can identify irregular and anomalous behavior. In this incident, ongoing verification could have limited the attacker’s blast radius, and alerts on the unusual behavior could have helped block lateral movement. After the incident, the audit trail would have supported the investigation.
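The device-posture and continuous-authorization checks described above can be expressed as a small policy decision function. This is an added example, not code from the original post or from Cyolo; the posture attributes, resource names and MFA freshness limits are assumptions chosen to illustrate the LastPass scenario (a valid MFA proof presented from an unmanaged device).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Device:
    managed: bool               # enrolled in the organization's device management
    disk_encrypted: bool
    antimalware_running: bool

@dataclass
class Session:
    user: str
    device: Device
    mfa_verified_at: Optional[datetime]   # last successful MFA for this session

# Assumed per-resource policy: how fresh the MFA proof must be for each access.
# Resources not listed get a zero allowance, so they always require step-up.
RESOURCE_MFA_MAX_AGE = {
    "dev-environment": timedelta(minutes=15),
    "wiki": timedelta(hours=8),
}

def device_posture_failures(device):
    """Return every posture requirement the device fails; empty means compliant."""
    checks = {
        "device not managed": device.managed,
        "disk not encrypted": device.disk_encrypted,
        "anti-malware not running": device.antimalware_running,
    }
    return [name for name, ok in checks.items() if not ok]

def authorize(session, resource, now):
    """Return (decision, reasons); decision is 'allow', 'deny' or 'step_up'.
    Device posture is evaluated on every request, not only at network entry,
    and the MFA proof must be recent enough for the specific resource."""
    failures = device_posture_failures(session.device)
    if failures:
        # A valid MFA proof from a non-compliant device is still rejected.
        return "deny", failures
    max_age = RESOURCE_MFA_MAX_AGE.get(resource, timedelta(0))
    if session.mfa_verified_at is None or now - session.mfa_verified_at > max_age:
        return "step_up", [f"MFA older than {max_age} for {resource}"]
    return "allow", []
```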
Developers have access to the company’s most valuable asset, its source code. Therefore, protecting their connectivity is of utmost importance. Identity-based access can help secure developer access without impeding development velocity.
Author
Samuel is the Director of Product Marketing at Cyolo. Before cybersecurity, he spent 7 years working in the ER and loves to tell stories. He is the husband to one, father to four, lives in Bozeman, MT, and would rather be outside. He holds an M.A. in Strategic Leadership from Life Pacific University.