© Morey J. Haber, Darran Rolls 2020
Morey J. Haber and Darran Rolls, Identity Attack Vectors, https://doi.org/10.1007/978-1-4842-5165-2_10

10. Identity Attack Vectors

Morey J. Haber (1) and Darran Rolls (2)
(1) Orlando, FL, USA
(2) Austin, TX, USA

An identity attack vector can affect the person owning the identity or any part of the connected chain down to the applications, accounts, passwords, and privileges they execute. If it could not, there would be no purpose for this book! As an attack surface, we need to think beyond the ports, protocols, and services found in traditional IT security defense thinking. Identity attack vectors have a risk surface that is not only electronic but also physical, and an identity can be compromised using old-school paper communications, such as a letter through the postal service, or by social engineering over the plain old telephone system.
However, the point of an identity attack is fairly straightforward. A threat actor wants to find a method to compromise an identity and impersonate it for their own malicious intent. All they need to do is get access to one of your accounts to get started. If it is a privileged account, it is nearly “game over” from the start. The goal of the threat actor is to own you at the highest level possible and impersonate you as far down the account chain as possible. To be clear, they want to be an electronic impostor. The threat actor’s goal is to disrupt the one-to-one relationship of a person to their identity and then compromise the integrity of the identity-to-account relationship. So, the risk surface encompasses all the methods to disrupt these relationships. This threat model applies to both physical and electronic identities.
Once a threat actor can successfully impersonate you, they can authenticate with your accounts – assuming your authorization has not been restricted – and own your identity. The attacker then assumes the ability to perform the tasks you are privileged to perform, and using other attack vectors, potentially elevates their privileges to administrator or root. This is why maintaining a complete map of identity and account relationships, and understanding how they can be used for IoCs, is so important.

Methods

What methods does a threat actor leverage to steal your identity? In an electronic world, they go after your accounts. They steal the associated credentials via some vulnerability and exploit related assets or leverage privileged attack vectors against available accounts.
In a physical world, criminals attempt social engineering, mail fraud, stealing identification, or even tricking you into committing to verbal or written actions. While physical identity theft can result in fraudulent loans, credit cards opened in your name, or purchases made on your behalf, it typically translates into an electronic form at some juncture in the attack chain. Only pure physical impersonation, such as claiming to be someone by wearing their uniform and name badge, stays entirely in the physical world. The damage a threat actor can do is far more severe if they have also stolen your electronic identity. Edward Snowden demonstrated the ramifications of an electronic identity attack perpetrated by a trusted insider. He did not need any physical impersonation to steal the information he did; he did, however, steal the credentials of his colleagues.
To that end, the following are methods a threat actor will use to exploit an identity risk surface:
  • Electronic
    • Vulnerabilities and Exploits – Software flaws that can lead to exploitation and ownership of an account
    • Misconfigurations – Poor configuration hygiene that can allow an attacker to hijack or create accounts
    • Privileged Attacks – Credential and password attacks based on poor account hygiene that give a threat actor unintended access
    • Social Engineering – Broad electronic misuse to target a person to obtain sensitive information
  • Physical
    • Impostor – A physical representation of another person for the sake of inappropriate access
    • Documentation – False physical paperwork designed to establish a pretext and mislead the target into providing information or access
    • Audible – Verbal commands or responsive social engineering, typically done over the phone or via an always-listening microphone, to capture sensitive information or grant unintended privileges
    • Biometric – The theft and malicious use of biometric data to gain access or compromise additional datasets
These are all basic classifications but nonetheless form the basis for every breach we experience today. All of these can be linked back to an identity and used as an attack vector.

Tactics

Today, the favored source threat actors draw on for bulk compromise of accounts is the Dark Web. This is where illicitly obtained information (account names, passwords, and configuration information) is traded between criminals as raw data, or even as a service that targets the exfiltration of more data. This information may include details about a user’s identity (such as address and phone number), but luckily we still rarely see information that links an identity to multiple accounts in order to build a complete identity profile. If that mapping is done, fields like email addresses could provide the correlation rules needed (as we have already discussed), and basic identity attributes could provide the linkage a threat actor needs to own your identity at home or at work.
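To make the correlation point concrete, the following is an added example (not from the book or any product) of the linkage described above: account rows from several constructed dump files are merged into identity profiles by normalizing the email address, and profiles that share a phone number are then unioned so a work account is tied to a personal one. The dump rows, field names (including a constructed "deceased_status" attribute), and the Gmail normalization rules are assumptions chosen for illustration; the same logic an attacker would use is what a defender runs to discover which of their users appear in a breach.

```python
import re
from collections import defaultdict

# Constructed sample rows (source, username, email, other attributes): not a
# real breach. One person appears under three spellings of a Gmail address
# plus a work address that shares her phone number; Bob is unrelated.
SAMPLE_DUMPS = [
    ("forum_2017",  "jdoe88", "Jane.Doe@gmail.com",      {"phone": "+1 512 555 0101"}),
    ("retailer",    "janed",  "janedoe+shop@gmail.com",  {"address": "12 Oak St"}),
    ("fitness_app", "jane_d", "jane.doe@googlemail.com", {}),
    ("acme_corp",   "jdoe",   "jane.doe@acme.example",   {"phone": "(512) 555-0101", "deceased_status": "N"}),
    ("forum_2017",  "bob_s",  "bob@example.org",         {}),
]

GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def normalise_email(email: str) -> str:
    """Canonicalise an address so trivially different spellings collide.

    Lower-cases, strips a '+tag' sub-address, and for Gmail also removes dots
    in the local part and folds googlemail.com onto gmail.com (rules that
    match Gmail's delivery behaviour; other providers are left alone)."""
    local, _, domain = email.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in GOOGLE_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def normalise_phone(phone: str) -> str:
    """Digits only, last ten kept (assumes North American numbers), so
    '+1 512 555 0101' and '(512) 555-0101' compare equal."""
    return re.sub(r"\D", "", phone)[-10:]


def build_profiles(rows):
    """Union account rows into identity profiles.

    Nodes are canonical e-mail addresses; two nodes are merged when rows
    share a phone number (union-find), which is how a work address gets tied
    to a personal one. Returns {root_email: profile}."""
    parent = {}

    def find(k):
        parent.setdefault(k, k)
        while parent[k] != k:
            parent[k] = parent[parent[k]]  # path halving
            k = parent[k]
        return k

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    phone_seen = {}
    for _source, _user, email, attrs in rows:
        key = normalise_email(email)
        find(key)
        if "phone" in attrs:
            ph = normalise_phone(attrs["phone"])
            if ph in phone_seen:
                union(phone_seen[ph], key)
            else:
                phone_seen[ph] = key

    profiles = defaultdict(lambda: {"emails": set(), "accounts": set(),
                                    "phones": set(), "attributes": {}})
    for source, user, email, attrs in rows:
        p = profiles[find(normalise_email(email))]
        p["emails"].add(email)
        p["accounts"].add((source, user))
        if "phone" in attrs:
            p["phones"].add(normalise_phone(attrs["phone"]))
        p["attributes"].update({k: v for k, v in attrs.items() if k != "phone"})
    return dict(profiles)


def profile_for(profiles, email):
    """Look up the merged profile that contains a given address."""
    canon = normalise_email(email)
    for p in profiles.values():
        if canon in {normalise_email(e) for e in p["emails"]}:
            return p
    return None


if __name__ == "__main__":
    for root, p in build_profiles(SAMPLE_DUMPS).items():
        print(root, sorted(p["accounts"]), sorted(p["phones"]), p["attributes"])
```

Run as a script it prints two profiles: four accounts collapse onto one identity while Bob stays alone. The only thing that kept the four rows apart was cosmetic variation in the email string, which is exactly why a single shared attribute is enough to escalate from one stolen account to an identity.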
While individual attacks may be opportunistic or targeted, large-scale attacks are typically motivated by some identified financial gain and, as such, will target accounts that have already been compromised. This could be an attempt to steal additional data or to start the process of a ransomware infection. Identity theft is carried out through
  • The art of hacking one person at a time by any means available to the threat actor including targeted attacks with detailed information about the user
  • Bulk premeditated attacks using techniques like credential stuffing or brute force attacks to compromise vulnerable accounts
  • Targeting vendors and the supply chain, contractors and seasonal workers, or simply “fuzzing” the externally available APIs – basically attacking anything that is available and accessible outside the organization and vulnerable due to insecure credential practices and dormant accounts.
All of these apply to both insider threats and external attacks. With these in mind, the most common methods threat actors use to compromise an account and escalate to an identity are the following:
  • Interception – Passwords are captured as they are transmitted electronically through email, the network, and even SMS texts. This includes SMS cloning, SIM-jacking or other forms of hijacking and man-in-the-middle attacks.
  • Brute Force – Automated guessing of passwords using dictionaries, wordlists, or lists of previously leaked passwords (which succeed because of password reuse). When stolen password hashes rather than live logins are the target, precomputed lookup tables (Rainbow Tables) recover unsalted hashes far faster than guessing; a unique salt per password defeats them.
  • Searching – The manual or electronic searching of passwords stored in insecure files, scripts, or other inappropriate electronic medium. This also falls under the category of sensitive, unstructured data abuses.
  • Manual Guessing – Based on social engineering and knowledge of the identity, a threat actor will try to manually guess the password for an account.
  • Social Engineering – Threat actors use human trust and social interaction to trick an identity into revealing credentials or other sensitive information.
  • Stealing Passwords  – The theft of passwords that are insecurely stored on paper or other non-electronic media. This could be as simple as posting a secure Wi-Fi password on the whiteboard of a conference room or the now mythical post-it note under the keyboard.
  • Shoulder Surfing – Physically observing someone typing in their password by looking over their shoulder. This could also be done electronically when a camera either in the user’s device or close to a desk has been compromised.
  • Key Logging – Malware used to capture sensitive keystrokes, including passwords, as they are being entered and then transmitted to or retrieved by the threat actor for later reuse.
Once passwords have been stolen, they are used by the threat actor directly or placed on the Dark Web for sale to the highest bidder. In reality, the Dark Web is nothing more than a collection of criminally inclined web sites that use service models to transact the purchase of passwords, tools, and data needed to leverage the stolen information. Regardless, the tactics are the same once the data is exposed: leverage it to steal more accounts and data and escalate “ownership” to the identity level.
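The two bulk tactics above, credential stuffing and brute force, leave different shapes in an authentication log, and that difference is what a detection rule keys on. The following is an added example, not from the book: a small detector run over a constructed log (the line format, IP addresses, usernames, and thresholds are all assumptions). One source tries many distinct usernames once each and succeeds on one of them (stuffing with a reused password); another source fails repeatedly against a single account (brute force); a third is ordinary traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed log format (not from any real product):
#   <timestamp> auth src=<ip> user=<name> result=SUCCESS|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def build_sample_log():
    """Constructed events: one IP sprays 12 different usernames once each and
    gets in as 'dave' (credential stuffing); a second IP hammers 'admin'
    (brute force); a third IP is a normal user; one line is malformed."""
    lines = []
    users = [f"user{i:02d}" for i in range(11)] + ["dave"]
    for i, u in enumerate(users):
        result = "SUCCESS" if u == "dave" else "FAIL"
        lines.append(f"2020-03-01T10:00:{i:02d}Z auth src=203.0.113.5 user={u} result={result}")
    for i in range(8):
        lines.append(f"2020-03-01T10:05:{i:02d}Z auth src=198.51.100.7 user=admin result=FAIL")
    lines.append("2020-03-01T10:10:00Z auth src=192.0.2.10 user=alice result=SUCCESS")
    lines.append("2020-03-01T10:10:30Z auth src=192.0.2.10 user=bob result=SUCCESS")
    lines.append("this line is deliberately malformed and must be skipped")
    return lines


def parse(lines):
    """Turn raw lines into dicts; malformed lines are dropped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(events, stuffing_min_users=10, stuffing_fail_ratio=0.8, brute_min_fails=5):
    """Separate the two bulk tactics by their shape in the log.

    Credential stuffing: one source, many distinct usernames, mostly failures,
    the odd success (a reused password that worked). Brute force: one source,
    one username, many failures. Thresholds are assumed starting points a
    SOC would tune to its own baseline."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "success_users": set()})
    pair_fails = Counter()
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "FAIL":
            s["fails"] += 1
            pair_fails[(e["ip"], e["user"])] += 1
        else:
            s["success_users"].add(e["user"])

    findings = []
    for ip, s in per_ip.items():
        if len(s["users"]) >= stuffing_min_users and s["fails"] / s["attempts"] >= stuffing_fail_ratio:
            findings.append({"type": "credential_stuffing", "ip": ip,
                             "distinct_users": len(s["users"]),
                             # accounts that authenticated from the stuffing source
                             # are the ones to force a password reset on
                             "compromised": sorted(s["success_users"])})
    for (ip, user), n in pair_fails.items():
        if n >= brute_min_fails:
            findings.append({"type": "brute_force", "ip": ip, "user": user, "failures": n})
    return findings


def run_sample():
    return detect(parse(build_sample_log()))


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

The stuffing finding carries the list of accounts that did authenticate from the offending source; those are the identities already compromised and the ones to reset first, before the attacker escalates from the account to the identity.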
In addition, threat actors from nation states and organized criminal entities don’t rely entirely on the Dark Web for their mission intel. They often operate as the sources of Dark Web data and can be actively engaged in attacking organizations to obtain that information illegally in the first place. These criminal entities may build a long-term persistent presence to realize their goals while building extensive profiles of identities and access in order to fuel future attacks. These organizations are typically well-funded, and their motives for identity theft go far beyond the quick monetization of the stolen information. Again, the discovery and reconciliation processes advocated by an Identity Governance program form a very effective method for detecting deviations from established business rules that can serve as IoCs for these types of persistent threats.

Implications

The implications of identity theft can be profound, disheartening, and even gruesome. The elderly (often targets of consumer identity theft) can have all of their financial savings depleted. For a business, it could mean the large-scale theft of intellectual property or, more profoundly, an event that causes major financial disruption to normal operations. These breaches have been in the news for years and are not expected to subside anytime soon. Even the deceased can have their identities or accounts compromised in ways that make it difficult for their heirs to reconcile their estates. This brings into question how every business deals with a “leaver” situation. These events are rarely planned or palatable; they can be as sudden as an employee death or a mass catastrophic event like 9/11. Organizations find it difficult to manage these situations without a comprehensive approach to governance. If accounts and users are not managed after an unexpected event, the ramifications can be long-lasting for the health of the business and everyone concerned.
To illustrate how depraved a threat actor may be in pursuing their goals, consider the following. A recent, far-reaching data breach in South Africa involved all the typical traits of a government or credit reporting service compromise. Within the stolen data sets was a user attribute field not commonly seen in other breaches: “deceased status.” This personally identifiable information recorded whether the identity associated with the account was alive or dead. While it did not reveal the date of death, it did raise a very morbid question: “Can you better attack the dead rather than the living?” The simple and grave answer is “yes.”
Taking this to another morbid level of extreme, consider an individual who is recently deceased:
  • Their bank accounts have not been closed or frozen, and their employer may still be making direct deposits.
  • Social media sites may allow active postings, and messages including ones used for business activities.
  • They probably still receive email at work and home.
  • Their cell phones and landlines may still work including voice mail.
  • They may not have loved ones immediately available to manage their estates.
All of the preceding scenarios make their estate a prime target for identity theft. The cybercriminals could siphon off, or even liquidate, the deceased’s assets since, potentially, no one is monitoring their assets, services, and resources. Considering the interconnected financial world we live in, hacking the dead may seem like a morbid topic, but evidence suggests that these types of targeted attacks are increasing, and most organizations appear not to protect an identity well in these scenarios. The implications are the same for other similar change triggers like extended illness, maternity leave, and sabbaticals. All of these long-term status changes must be a part of your governance model for controls and oversight to help prevent unmonitored identity attack vectors.

Privileges

Identity attack vectors have two real-world implications, regardless of the methods and tactics employed. These attacks could affect you regardless of whether you are a consumer or operating in a business context. In all cases, the goal of the attacker is to gain access to your privileges and entitlements. Let’s start with a worst case and assume your identity has been compromised. This means a threat actor(s) has access to your account(s). The type of account compromised, privileged, standard user, or shared/guest, tells us how much damage they can actually do to your identity without additional attack vectors. In addition, how many accounts are compromised, and their financial or legal importance also implies how much cost could be involved to undo the damage. This is true for a business or consumer account.
The privileges and entitlements your identity has are extremely relevant to a threat actor. For example, if you are a doctor, and your identity is stolen, through the exploitation of your account, the adversary may have access to patient records. The privileges in this case only matter as much as the entitlements granted to you and the resources available to that account. As the doctor, you are not the administrator for the application itself, but typically would have privileges to retrieve sensitive information for all of your patients. This makes your identity and the accounts and entitlements you have a more valuable target and therefore puts you at a high risk. In this scenario, the only higher risk would be presented by the system administrator for the application or someone with access to its supporting infrastructure. If either of their “classic” privileged identities is compromised, not only is it possible that the application is at risk but all the data and all the users of that resource will be at risk as well. Knowing who these account owners are and monitoring their access is key in mitigating identity attack vectors.
This scenario exemplifies why you must understand privileged entitlement and helps underscore that users should always be given the least amount of privileges possible. This can be accomplished using clearly defined privilege management processes and leveraging Identity Governance and PAM solutions.
Regardless of where an account is used (including remote access), an organization should distinguish at least three tiers of account privilege. Remember, an identity can have multiple accounts, and each one should carry the lowest privileges it needs. While each tier can have granularity within it, a privileged account typically holds the highest level of rights, while “None” contains no rights whatsoever and is actually lower than Guest access. This leads to the first implication of identity attack vectors: a threat actor directly compromising an account that already holds administrative privileges and is owned by an important identity is the worst-case scenario for any organization. The second implication is the converse: a threat actor compromising a low-privilege account and then escalating, through other attack vectors, to high-level administrative privileges. The latter can be managed by Endpoint Detection and Response (EDR) solutions, because the escalation itself is observable, while the former typically cannot, since the activity is modeled as authorized privileged activity. User behavioral analytics likewise has a more difficult time interpreting malicious activity when valid credentials are being used and the account itself is already considered privileged.
In the world of Identity and Access Management (IAM), all accounts and their associated credentials can be placed under management regardless of their privileges. This helps mitigate the threats from both scenarios. In the world of Privileged Access Management (PAM), typically only accounts with administrative, root, or superuser privileges are placed under management. The latter, as we have concluded, is what threat actors seek. However, if they can gain access to even a lower-level account, privileged attack vectors or asset attack vectors can be leveraged to elevate the threat actor’s rights. This is how an incident turns into a full-fledged breach. In Figure 10-1, this is illustrated as the privileged attack chain.
Figure 10-1
Privileged attack chain
With this in mind, here are the definitions for each user account type that can be under IAM management:
  • Privileged User – A privileged user is typically the administrator or root for a resource.
  • Super User – A super user (or superuser) has elevated privileges in various gradations above a standard user but does not have full administrative capabilities.
  • Standard User – A standard user is void of all elevated privileges except for normal runtime of a resource.
  • Guest – A guest is the lowest form of access and is typically below a standard user. Interaction with a guest account only provides basic services.
  • Anonymous – Access to specific resources through an account that requires no credential from the end user, such as a null password or keys held by the service and never exposed to the user.
  • Disabled – A disabled account may have any level of privileges, but is explicitly denied access and interaction with assigned resources.
  • None – No privileges at all and may not even be defined as an identity or account.
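The reconciliation process referred to earlier in this chapter, applied to the leaver, deceased, and extended-leave cases from the Implications section and to the privilege tiers just defined, can be expressed as a few checks over two data sets: the HR identity source and the account inventory. The following is an added example, not from the book or any governance product. The identity records, account records, status names, and the entitlement-to-tier markers are constructed assumptions. It flags enabled accounts whose owning identity should hold none, accounts with no owning identity at all, and elevated accounts that PAM is not managing, and it orders the findings so the highest tier comes first, since that is where a compromise does the most damage.

```python
from dataclasses import dataclass, field
from typing import Optional

# Tier order follows the definitions above; a higher rank means more damage
# if the account is compromised.
TIER_RANK = {"None": 0, "Disabled": 1, "Anonymous": 2, "Guest": 3,
             "Standard User": 4, "Super User": 5, "Privileged User": 6}

# Assumed mapping of entitlements to tiers (illustrative names, not a standard).
PRIVILEGED_MARKERS = {"Domain Admins", "root", "sudo:ALL"}
SUPERUSER_MARKERS = {"Power Users", "Backup Operators", "sudo:limited"}
GUEST_MARKERS = {"Guests"}

# Lifecycle states in which an identity should hold no enabled account. A
# leave of absence usually means suspend rather than delete, but the account
# should still not be usable while nobody is watching it.
INACTIVE_STATUSES = {"leaver", "deceased", "leave_of_absence"}


@dataclass
class Identity:
    identity_id: str
    name: str
    status: str  # "active" or one of INACTIVE_STATUSES


@dataclass
class Account:
    account_id: str
    system: str
    owner: Optional[str]  # identity_id, or None when no identity claims it
    enabled: bool
    in_pam: bool          # credential vaulted and rotated by PAM
    entitlements: list = field(default_factory=list)


def classify(acct: Account) -> str:
    """Map an account to one of the tiers defined above. Disabled wins over
    everything; otherwise the highest entitlement present decides."""
    if not acct.enabled:
        return "Disabled"
    ents = set(acct.entitlements)
    if ents & PRIVILEGED_MARKERS:
        return "Privileged User"
    if ents & SUPERUSER_MARKERS:
        return "Super User"
    if not ents:
        return "None"
    if ents <= GUEST_MARKERS:
        return "Guest"
    return "Standard User"


def reconcile(identities, accounts):
    """Return findings as dicts {check, account_id, tier, detail}, highest tier first."""
    by_id = {i.identity_id: i for i in identities}
    findings = []
    for acct in accounts:
        tier = classify(acct)
        owner = by_id.get(acct.owner) if acct.owner else None
        if acct.enabled and owner is None:
            findings.append({"check": "orphan", "account_id": acct.account_id, "tier": tier,
                             "detail": f"owner={acct.owner!r} has no matching identity"})
        if acct.enabled and owner is not None and owner.status in INACTIVE_STATUSES:
            findings.append({"check": "lifecycle", "account_id": acct.account_id, "tier": tier,
                             "detail": f"{owner.name} is {owner.status} but account is enabled"})
        if tier in ("Privileged User", "Super User") and not acct.in_pam:
            findings.append({"check": "unmanaged_privileged", "account_id": acct.account_id,
                             "tier": tier, "detail": "elevated account not under PAM management"})
    findings.sort(key=lambda f: -TIER_RANK[f["tier"]])  # stable: ties keep inventory order
    return findings


# Constructed sample data, not from any real directory or HR system.
SAMPLE_IDENTITIES = [
    Identity("I1", "Alice", "active"),
    Identity("I2", "Bob", "leaver"),
    Identity("I3", "Carol", "deceased"),
    Identity("I4", "Dan", "leave_of_absence"),
]
SAMPLE_ACCOUNTS = [
    Account("A1", "ad", "I1", True, False, ["Domain Users"]),    # fine
    Account("A2", "ad", "I2", True, True, ["Domain Admins"]),    # leaver still admin
    Account("A3", "erp", "I3", True, False, ["ERP_User"]),       # deceased, still enabled
    Account("A4", "linux", "I4", True, False, ["sudo:limited"]), # on leave, unvaulted sudo
    Account("A5", "ad", None, True, False, ["Domain Admins"]),   # orphan service account
    Account("A6", "ad", "I1", True, False, ["Domain Admins"]),   # active admin, not in PAM
    Account("A7", "ad", "I2", False, False, ["Domain Users"]),   # already disabled: no finding
]


def run_sample():
    return reconcile(SAMPLE_IDENTITIES, SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f["tier"], f["check"], f["account_id"], f["detail"])
```

Each finding is a deviation from a business rule the organization has already agreed on (leavers have no enabled accounts, every account has an owner, every administrative credential is vaulted), which is what makes it usable as an IoC rather than a noisy alert: the lifecycle finding against a Domain Admins account owned by a leaver is precisely the dormant privileged account a persistent threat actor would sit on.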