Preventing Attackers from Getting What They Want

Transcription

1 Preventing Attackers from Getting What They Want A Case for Context-Based Authentication Written by Keith Graham, CTO, SecureAuth November 2014 Whitepaper

2 Executive Overview Attacks on organizations are in the news every day. How can your organization keep from becoming tomorrow s headline? This white paper can help. We ll explore the anatomy of an attack how attackers gain a foothold and move laterally inside your organization to achieve their goal of stealing valuable information. Then we ll see why government and military organizations, including the NSA, accept that preventive measures inevitably fail, and choose to focus instead on limiting attackers ability to do damage and responding to incidents when they occur. We ll see how two-factor authentication can help and why traditional twofactor alone may be insufficient. Finally, we ll explore a powerful strategy that can supplement two-factor authentication: context-based authentication. Assert Your Identity 2

3 Table Of Contents Whitepaper 1 Executive Overview 2 Introduction 4 Uncovering Attacks and Responding Appropriately 4 The Benefits and Realities of Two-Factor Authentication 6 Context-based Authentication 7 Techniques for Context-based Authentication 8 Conclusion 11 Assert Your Identity 3

4 Introduction How Attackers Compromise Organizations Attackers commonly use a combination of social engineering and malware to penetrate an organization, often in the form of an phishing attack. They target an organization using information harvested via social engineering, social media, and open source data, and then lure unsuspecting users into downloading malware onto their computers. Once the malware is deployed and the attackers have established an initial foothold, they often try to obtain legitimate credentials (often with a privileged level of access) or create new credentials, so that they can move laterally and perform reconnaissance within the organization. Figure 1 details the anatomy of a typical attack. Attackers often remain present in the target organization for long periods of time, often hundreds of days, moving laterally to conduct reconnaissance and gain high levels of access. At this point, it s likely that the attacker is no longer using malware; rather, a human actor is using the legitimate credentials that have been obtained or created, and blending in with the legitimate activity in the environment. Once the attackers have found what they re looking for, they will complete their mission by staging the data they re after anything from intellectual property to financial data and complete the process of stealing what they ve found (sometimes called exfiltration or simply exfil ). Maintain Presence Attacker Penetrate Establish Foothold Escalate Privileges Move Laterally Complete Mission Figure 1: Once attackers penetrate an organization and establish a foothold, they often remain present for months until they find the data they re looking for. Uncovering Attacks and Responding Appropriately How Organizations Learn of Breaches An organization that has sufficient resources, mature security practices, and appropriate security products might be able detect forensic artifacts that indicate that an attacker is inside their environment. These artifacts could include evidence that malware has been used, evidence of lateral movement, or the discovery of staged data that is ready to be moved externally or already in the process of being stolen. Assert Your Identity 4

5 Most organizations, however, do not even realize they ve been breached until they are informed by a third party. Sometimes this is a law enforcement agency that is investigating another organization s breach and that has found evidence linking the two organizations; other times, the news comes from an investigating third party, such as a contracted incident response company who uncovers artifacts of an attack. Incident Response and Remediation When an organization learns in any of these ways that it has been breached, the next step is to conduct incident response: Starting with forensic analysis of the endpoints and servers initially known to be compromised, the incident responders attempt to determine the reach of the attack. They need to investigate to the point where they can no longer find further evidence of lateral movement. Once that investigatory boundary has been established, the next step is remediation. Remediation typically involves: + + Shutting down all external internet access to the organization (yes, all of it) + + Implementing two-factor authentication for access to sensitive data and applications + + Re-imaging compromised endpoints and servers + + Resetting all passwords + + Removing any user accounts and access compromised or created by the attackers Legal steps depend on the type of attack. The investigating body may vary depending on the type of organization that was penetrated, the nature of the attack, and the profile of the attacker. There are rarely legal repercussions in the case of attacks conducted by nation states or cyber criminal gangs operating offshore. While some international efforts have been successful at achieving penalties, we do not really see, for example, a company in the defense industrial base issuing charges against a nation state for launching an attack and stealing their intellectual property. The SANS Institute does publish best practices for responding to a breach that can provide some guidance in terms of process. However, a proper incident response and full forensics investigation requires extensive expertise. Preventive Measures Many technologies and approaches have been developed to help secure the perimeter of the organization. Organizations can and do try to detect the presence of malware on the network (by detecting its command-and-control communication), and the presence and execution of malware on the endpoints and servers. But hackers are both clever and highly motivated by the potential rewards, so it s inevitable that they will overcome any preventative method, sooner or later. Assert Your Identity 5

6 Many U.S. military and government organizations have already adopted the position that preventative security will always fail, and the only way to truly be secure is to constantly look for evidence of a breach and then respond appropriately with an incident response. For example, Reuters reports that the director of the U.S. National Security Agency (NSA) Information Assurance Directorate, Debora Plunkett, told a cyber security forum, We have to build our systems on the assumption that adversaries will get in. The UK and other European intelligence agencies have a similar mindset. This advanced perspective has not yet been broadly accepted, but it should be. Being prepared to perform a thorough incident response when breached is the only surefire way of being secure. But exactly how can your organization tighten the net around attackers? The Benefits and Realities of Two-Factor Authentication Where Two-Factor Authentication Can Help As noted above, one common recommendation during an incident response is to implement two-factor authentication to protect critical data and infrastructure, as well as the actual incident response tools and infrastructure. Attackers often use legitimate credentials to log back in via VPN to an organization that they ve compromised (again, blending in with the legitimate, day-to-day network activity). By requiring something you have (such as a hardware security token or a biometric identifier like a fingerprint) as well as something you know (a password), two-factor authentication limits the usefulness of any credentials that attackers may have acquired or created, thereby restricting their ability to move laterally within the organization (see Figure 2). Maintain Presence Attacker Penetrate Establish Foothold Escalate Privileges Move Laterally Complete Mission 2-Factor Authentication Figure 2: Two-factor authentication can help during the later stages of an attack by limiting the usefulness of any acquired credentials. Limitations of Two-Factor Authentication However, two-factor authentication isn t cheap. It can be costly to implement, and it can also be costly in terms of the user experience, adding a layer of complexity that disrupts legitimate user activity, increasing frustration and hurting productivity. Assert Your Identity 6

7 Moreover, two-factor authentication isn t infallible, as we now know thanks to the reports on the Operation Emmental attacks on Swiss and German banks, which enabled attackers to scrape SMS one-time passwords (OTPs) off customers Android phones. Context-based Authentication Understanding Context-based Authentication What options do organizations have in trying to stop or at least slow down an attacker who is moving laterally or trying to circumvent two-factor authentication? Context-based authentication. Context-based authentication enables an organization to create rules that determine whether and how a given authentication process should proceed based on context. Context can include: + + Verifying characteristics of the user s device (the device fingerprint ) + + Checking the reputation of the IP address of the user s machine against black lists + + Comparing the user s group membership information to identities in a directory or user store + + Comparing the user s current physical location against known good or bad locations (geo-fencing) + + Analyzing the user s current physical location against the location of the previous logon (geo-velocity) + + Comparing the user s measurable behaviors against an established baseline While each of these techniques on its own could be circumvented, combining several or all of them offers a promising solution. Security is about layers, and context-based authentication does exactly that it uses layers. Using multiple contextual factors pre-authorization, it builds a risk profile that can be used to determine whether to allow the user to proceed to actual authentication. Maintain Presence Attacker Penetrate Establish Foothold Escalate Privileges Move Laterally Complete Mission Context Based Authentication Figure 3: Like two-factor authentication, context-based authentication can thwart an attacker s ability to move laterally and escalate privileges inside the organization. Assert Your Identity 7

8 An Alternative or a Complement to Two-Factor Authentication Context-based authentication can be implemented either as an alternative to two-factor authentication, or as a complement to it: + + Some forms of context-based authentication, such as device fingerprinting, actually can constitute two-factor authentication, although this is a debatable point. + + Context-based authentication can be used in conjunction with two-factor authentication, reducing the burden on users by requiring two-factor only when a login is deemed to involve a certain level of risk. For example, in such a step-up approach, if geo-fencing data together with behavioral analysis raises sufficient suspicion about a particular authentication request, rather than simply denying the request outright, the system can require two-factor authentication. Techniques for Context-based Authentication Organizations can tailor context-based authentication to achieve the level of security they deem appropriate by combining some or all of the techniques mentioned earlier. Let s explore each one in further detail. Device Registration and Fingerprinting Device fingerprinting is typically a two-stage process: on first-time authentication, the solution registers an endpoint, and on subsequent authentications, it validates the endpoint against the stored device fingerprint. The device fingerprint comprises a set of characteristics about that endpoint, such as: + + Web browser configuration + + Language + + Installed fonts +Browser + plug-ins + + Device IP address +Screen + resolution + + Browser cookie settings + + Time zone Assert Your Identity 8

9 Source IP Reputation Data Context-based authentication uses IP reputation data, or blacklists of IP addresses, to deny or step up authentication. For example, your organization can deny authentication if the IP address of a user s machine is part of the Tor anonymity network or a known botnet, or an IP/subnet associated with known bad actors. LOCATION IP Changsha, China Unknown, Mil/Gov Changsha, Hong Kong Chicago, United States Mnster, Germany Hafei, China Unknown, Netherlands Unknown, Mil/Gov Figure 4: Context-based authentication can deny access based on source IP reputation data. Identity Store Lookup Once attackers have access to your network, in addition to stealing existing credentials, they often create new ones. However, they often fail to create users correctly, with appropriate group membership and attributes. Therefore, by comparing a user s current information with the corresponding information kept in a directory or user store, you can thwart attackers attempting to use credentials they have created. Geo-location Context-based authentication can compare a user s current geographical location (a meaningful, physical location) against known good or bad locations and act accordingly. For example, users on a campus location can be approved while users attempting to authenticate from outside of the campus can be denied. Assert Your Identity 9

10 Geo-fencing Context-based authentication can also base decisions on a geographical area or a virtual barrier if the user s location is outside of a certain proximity, then assign additional risk or deny the authentication attempt. Figure 5: Using geo-fencing as part of context-based authentication Geo-velocity Using a user s geo-location and login history together can also help prevent malicious access. For example, if a user logged in at 2 p.m. PST in California, it is reasonable to deny that user s logon attempt at 7 p.m. EST from the East Coast. User Logs in at 2pm PST User Logs in at 7pm EST Figure 6: Using a user s geo-location and login history together (geo-velocity), context-based authentication can deny access based on an improbable travel event. Assert Your Identity 10

11 Behavioral Analysis Over time, a solution can gather information about the way that a given user interacts with the device, such as: + + Keystroke dynamics + + Mouse movements + + Gesture and touch + + Motion patterns Obviously the type of interaction depends on the device; however, there are approaches for analyzing these measurable behaviors that are accurate enough now to help identify individuals, so later authentication attempts that fall outside established behavior patterns can be denied or forced through a stepped-up authentication. Conclusion As even the NSA itself has acknowledged, organizations cannot rely on preventative methods to keep attackers out. But you can tighten the net around attackers. Context-based authentication is a powerful, layered approach that limits the ability of attackers to move laterally within your organization and use any credentials they compromise or create to steal valuable intellectual property, financial data, or other sensitive information. Context-based authentication can be tailored to your organization s risk tolerance, enabling you to balance security with a better user experience. You can use several or all of the techniques detailed in this paper in concert to build a risk profile that determines how to handle an authentication request: allow, deny, or step up. Users are unaware of the context-based authentication processes and are not burdened by two-factor authentication unless it is deemed necessary. Assert Your Identity 11

12 ABOUT KEITH GRAHAM Keith Graham is Chief Technology Officer at SecureAuth Corporation. His expertise comes from 15 years in security, product management, product development, and consulting at companies such as Mandiant, FireEye and Quest Software. As CTO, Graham leads product development and plays a major role in the creation and development of innovative features and upgrades for all of SecureAuth s enterprise security solutions. ABOUT SECUREAUTH Based in Irvine, California, SecureAuth offers identity and information security solutions that deliver innovative access control for cloud, mobile, web and VPN systems to over 5 million users worldwide. SecureAuth IdP provides multi-factor authentication and single sign-on (SSO) in one solution. Its unique architecture enables organizations to leverage legacy infrastructures while also embracing next-generation technologies, so you can preserve your existing investments while also meeting today s security challenges. For the latest insights on secure access control, follow the SecureAuth blog, on Twitter, or visit Assert Your Identity 12

13 8965 Research Drive Irvine, CA p: f: secureauth.com