5 Identity Attacks that Exploit Your Broken Authentication

Abstract

Traditional authentication methods that rely on usernames and password integrity are widely considered to be broken. As organisations begin to move more sensitive data to cloud apps to take advantage of the productivity gains, the traditional perimeter expands to wherever the user is logging in from.

In other words, the identity becomes the perimeter. Threat agents have recognised this as a security gap and are exploiting your employees' tendency to reuse passwords across personal and professional accounts, among other weaknesses. Let’s discuss the types of identity attacks that are most likely to impact your organisation.


Traditional authentication methods that rely on usernames and password integrity are widely considered to be broken. In fact, “Broken Authentication” sits at #2 in the OWASP Top 10 for application security risks. As organisations begin to move more sensitive data to cloud apps to take advantage of the productivity gains, the traditional perimeter expands to wherever the user is logging in from. In other words, the identity becomes the perimeter. Threat agents have recognised this as a security gap and are exploiting your employees' natural tendency to trust an inbound email from a familiar source, or their tendency to reuse passwords across personal and professional accounts. Let’s discuss the identity attacks that are most likely to impact your organisation.


Attack #1: Broad-based phishing campaigns


Broad-based phishing campaigns acquire a list of email addresses and create a phishing attempt to steal credentials.

Why are phishing campaigns such a popular method of attack?

Simply put, the numbers are in the attacker’s favour. A broad-based phishing campaign recognises that threat agents have to gain access to only a few accounts or one admin account to compromise the organisation. Yet with just a light touch of social engineering and a list of email addresses, phishing attacks can successfully compromise 1 out of 20 employees from even a well-trained organisation. 

Credential theft from phishing is often the first stage of the cyber kill chain. According to the Verizon 2017 Data Breach Investigations Report, 81% of breaches used stolen and/or weak credentials.

Anatomy of the attack:

  1. Attacker acquires a list of emails or phone numbers and designs a generic call to action that's relevant for that list (such as a fake Google login page).
  2. The phishing message is broadly distributed, and the attacker waits to see which credentials are collected.
  3. The attacker uses the stolen credentials to access the data they are after, or adopts that identity for a more targeted attack on a high-value employee.


Attack #2: Spear phishing campaigns


After using a targeted message, the victim is compelled to enter their credentials and be phished accordingly.

Spear phishing is a targeted form of phishing that often involves more research in designing the target list and phishing message. As opposed to broad-based campaigns, spear phishing typically focuses on a small number of employees to evade automated filters. The level of social engineering is also more sophisticated, with messages being more personal and the malicious call to action playing on emotions such as curiosity, fear, or the promise of a reward.

Anatomy of the attack:

  1. Attacker picks targets carefully, doing extensive research across available resources such as social media or web presence.
  2. Attacker crafts a phishing message designed to appear legitimate, such as pretending to be a colleague and referencing a topical situation, such as a recent company party that the attacker learned of online.
  3. The victim is compelled to enter credentials by appealing to his or her emotions, such as a curiosity to see photos from the party behind a fake login page.
  4. The attacker uses the credentials from the high-value target to access sensitive data or execute the next stage of their attack.


Attack #3: Credential stuffing


After acquiring credentials from a website breach, the attacker can successfully log in to the victim's portal wherever the same password was reused.

Credential stuffing is a form of brute force attack that takes advantage of our struggle to select unique passwords across our various accounts. This is hardly surprising when you consider that the average American internet user has 150 online accounts requiring a password. Yet many of us have had account credentials compromised as part of a data breach.

Attackers leveraging credential stuffing will use these compromised credentials on several other websites to test if the login details are re-used. And they often are: 73% of passwords are duplicates, according to the TeleSign 2016 Consumer Account Security Report. 

These types of attacks can be done at scale by bots, leading to a higher likelihood of these attacks affecting your organisation. According to a recent report from Akamai, “more than 40% of global log-in attempts are malicious thanks to bot-driven credential stuffing attacks”. 

Anatomy of the attack: 

  1. Attacker acquires credentials from a website breach or password dump site.
  2. Automated tools are used to test credentials across a variety of different sites.
  3. When a successful login occurs, attacker harvests the sensitive data or executes the next stage of their breach.
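The "automated tools across many sites" step above has a recognisable footprint on the defending side: one source failing logins against many distinct accounts in a short window, which is not how a legitimate user mistyping their own password behaves. The following is an added example, not code from the original post or from Okta, that flags such sources in a constructed authentication log; the log format, the thresholds and the source addresses are assumptions. The same one-source-many-accounts signal also covers the password-spraying pattern described under Attack #4.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format and addresses are assumptions, not real data).
# 203.0.113.7 cycles through many accounts; 198.51.100.4 is a user retrying.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z FAIL src=203.0.113.7 user=alice
2024-05-01T09:00:02Z FAIL src=203.0.113.7 user=bob
2024-05-01T09:00:02Z FAIL src=203.0.113.7 user=carol
2024-05-01T09:00:03Z FAIL src=203.0.113.7 user=dave
2024-05-01T09:00:03Z OK   src=203.0.113.7 user=erin
2024-05-01T09:00:04Z FAIL src=203.0.113.7 user=frank
2024-05-01T09:05:00Z FAIL src=198.51.100.4 user=alice
2024-05-01T09:05:30Z FAIL src=198.51.100.4 user=alice
2024-05-01T09:06:00Z OK   src=198.51.100.4 user=alice
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL)\s+src=(\S+) user=(\S+)$")

def parse(log_text):
    """Return (timestamp, result, source, user) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag sources whose failed logins span at least min_users distinct accounts
    inside any sliding window. Counting distinct accounts rather than raw failures
    is what separates a stuffing or spraying bot from one user retrying."""
    by_src = defaultdict(list)
    for ts, result, src, user in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()  # chronological, so the window scan below is one pass
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts

def compromised_accounts(events, alerts):
    """Accounts where a flagged source later succeeded: reset these first."""
    return sorted({u for _, r, src, u in events if r == "OK" and src in alerts})
```

In a real deployment the window and threshold are tuned per identity provider, and successes from a flagged source are the strongest signal that a reused password has been found.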


Attack #4: Password spraying


Common passwords are tried across many accounts at scale to harvest sensitive data.

Password spraying is another form of brute force attack whereby an attacker takes advantage of our tendency to rely on common passwords such as “password1” (which according to Pwned Passwords has appeared in a data breach over 2.3 milli