Industry News

Identity-Based Attacks Are Evolving. Duo Can Help

Over the last few years, identity-based attacks have become increasingly prevalent. This is partly due to the growing complexity of identity and access management systems and their configurations, and partly due to the rapidly evolving techniques employed by attackers. Identity-based incidents often begin with malicious actors gaining an initial access foothold in a corporate environment.

CISA tracks evolving initial access techniques

Organizations like the Cybersecurity & Infrastructure Security Agency (CISA) have been diligently tracking the techniques employed by attackers to infiltrate systems. As cyber threats continue to adapt, it's essential for businesses to stay one step ahead.

Last year, CISA identified several key methods attackers use to gain initial access to corporate resources. These include exploiting service and dormant accounts, leveraging token authentication, enrolling new devices, and utilizing residential proxies.

Let’s take a moment to review each technique and the activity that characterises it:

Access via Service and Dormant Accounts

Service accounts typically aren’t monitored as proactively as user accounts. Attackers are now targeting service accounts through brute force and password spraying attacks.

Dormant accounts, which belong to former employees but remain active, are also vulnerable: they provide attackers with valid credentials and no active user who would notice or report misuse or strange activity.

Token Authentication

Many forms of authentication issue a session or access token after a successful login so that the user does not have to re-authenticate on every request.

By exploiting or stealing these tokens, attackers can bypass the need for passwords altogether, gaining streamlined access to company environments.

Enrolling New Devices

Through social engineering at the help desk or by leveraging techniques like "MFA bombing" to subvert MFA requirements, attackers can bypass security controls around device registration.

Then, they register their own devices against a set of user credentials. This allows them to complete authentication with a stolen password and a second factor they control.

Residential Proxies and Personal VPNs

To mask their true origin, attackers use residential proxies or personal VPNs, making their traffic appear legitimate, or at least similar to that of a regular user.

This enables the attackers to evade traditional location-based or IP-based access policies.

How Duo and Identity Intelligence can help detect and prevent these techniques

Duo Security offers a suite of features designed to combat these emerging threats effectively. For each technique, here is the detection and mitigation Duo provides:

Access via Service and Dormant Accounts

With Duo's Identity Intelligence component, organizations can easily monitor service accounts for unusual activity and identify dormant accounts that pose a risk.

From there, teams can take proactive remediation steps to secure the service accounts or remove unused accounts, preventing unauthorized access before it happens.

Token Authentication

Identity Intelligence can detect compromised or suspicious sessions, providing out-of-the-box alerts for token abuse. If an attacker attempts to use a stolen token, Identity Intelligence can surface this action to defenders.

Security teams can then respond swiftly through manual or automated workflows to mitigate the attempted access.

Enrolling New Devices

Duo helps prevent unauthorized device enrollment via a few mechanisms. To start, Duo can enforce phishing-resistant authentication during device registration workflows. For social engineering of a device reset, Duo has recommendations for how to equip the help desk, including verifying user identity before enrolling a new device.

Additionally, security teams can use Duo to detect actions associated with illicit device enrollment, such as MFA push floods, new access devices, and insecure device properties. This context can be used automatically with Duo’s Risk-Based Authentication feature or via manual or integrated response workflows.

Residential Proxies and Personal VPNs

Identity Intelligence flags both IPs or locations that are new for the organization and unexpected personal VPN usage.

By reviewing these access patterns, organizations can identify and address potentially risky behavior promptly.

The advantage of cross-platform correlation

The real advantage of Duo and Identity Intelligence lies in their ability to correlate activity from disparate identity systems back to a single user. By combining cross-platform data points into a full picture of a risky activity, Duo enables defense-in-depth against identity-based techniques. For example, Duo and Identity Intelligence can see when a dormant account attempts to enroll a new device from a personal VPN.

Duo can then adjust the User Trust Level of the implicated account accordingly, giving security teams the context they need to act effectively.
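As an added illustration (not Duo's or Identity Intelligence's own logic), the following Python sketch correlates the signals named in the device-enrollment and cross-platform sections above (dormant account, MFA push flood, new device enrollment, personal VPN or residential proxy source) over a constructed event stream and maps them to a coarse trust level. The event format, the 90-day dormancy window, the push-flood threshold and the IP classifications are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample identity events (not real Duo data). Each tuple is
# (timestamp, user, kind, source): kind is "login" (successful primary auth),
# "push" (MFA push sent) or "enroll" (new MFA device registered); source is
# how the client IP was classified: "corp", "personal_vpn" or "residential_proxy".
NOW = datetime(2024, 6, 1, 12, 0)
DORMANT_AFTER = timedelta(days=90)      # assumed dormancy window
RECENT = timedelta(hours=24)            # window for "current" activity
FLOOD_COUNT, FLOOD_WINDOW = 5, timedelta(minutes=10)   # assumed flood threshold

EVENTS = [
    (datetime(2024, 1, 10, 9, 0), "jdoe", "login", "corp"),   # last real sign-in, >90 days ago
    *[(datetime(2024, 6, 1, 11, 40) + timedelta(minutes=m), "jdoe", "push", "personal_vpn")
      for m in range(6)],                                     # six pushes in six minutes
    (datetime(2024, 6, 1, 11, 58), "jdoe", "enroll", "personal_vpn"),
    (datetime(2024, 5, 30, 8, 0), "asmith", "login", "corp"),
    (datetime(2024, 6, 1, 11, 0), "asmith", "enroll", "corp"),  # routine enrollment from the office
]


def signals_for(user, events=EVENTS, now=NOW):
    """Derive per-user risk signals from the combined event stream."""
    ev = [e for e in events if e[1] == user]
    logins = [t for t, _, k, _ in ev if k == "login"]
    recent = [e for e in ev if now - e[0] <= RECENT]
    pushes = sorted(t for t, _, k, _ in recent if k == "push")
    return {
        # No successful sign-in inside the dormancy window (or none at all).
        "dormant": not logins or now - max(logins) > DORMANT_AFTER,
        # FLOOD_COUNT or more pushes inside any FLOOD_WINDOW-long slice.
        "mfa_flood": any(sum(1 for t in pushes if s <= t < s + FLOOD_WINDOW) >= FLOOD_COUNT
                         for s in pushes),
        "new_device": any(k == "enroll" for _, _, k, _ in recent),
        # Any recent event from a personal VPN or residential proxy.
        "anonymised_source": any(src != "corp" for *_, src in recent),
    }


def trust_level(signals):
    """Map correlated signals to a coarse trust level (illustrative, not Duo's algorithm)."""
    if signals["dormant"] and signals["new_device"]:
        return "untrusted"   # the page's own example: dormant account enrolling a device
    if sum(signals.values()) >= 2:
        return "low"
    return "normal"
```

Run on the constructed events, `jdoe` trips all four signals and lands at "untrusted", while `asmith`'s single routine enrollment stays "normal"; no individual signal would have separated the two cases as cleanly.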

If you're interested in learning more about how Duo can help you address evolving initial access techniques, check out our Securing Organizations Against Identity-Based Threats ebook. Or, reach out to your account team or get in touch with sales today.

Staying ahead of threats requires proactive measures, and Duo is here to help secure your organization's future.