Preventing Attackers from Getting What They Want




Preventing Attackers from Getting What They Want
A Case for Context-Based Authentication
Written by Keith Graham, CTO, SecureAuth
November 2014
Whitepaper

Executive Overview

Attacks on organizations are in the news every day. How can your organization keep from becoming tomorrow's headline? This white paper can help. We'll explore the anatomy of an attack: how attackers gain a foothold and move laterally inside your organization to achieve their goal of stealing valuable information. Then we'll see why government and military organizations, including the NSA, accept that preventive measures inevitably fail, and choose to focus instead on limiting attackers' ability to do damage and responding to incidents when they occur. We'll see how two-factor authentication can help and why traditional two-factor alone may be insufficient. Finally, we'll explore a powerful strategy that can supplement two-factor authentication: context-based authentication.

Assert Your Identity 2

Table of Contents

Whitepaper 1
Executive Overview 2
Introduction 4
Uncovering Attacks and Responding Appropriately 4
The Benefits and Realities of Two-Factor Authentication 6
Context-based Authentication 7
Techniques for Context-based Authentication 8
Conclusion 11

Introduction

How Attackers Compromise Organizations

Attackers commonly use a combination of social engineering and malware to penetrate an organization, often in the form of an email phishing attack. They target an organization using information harvested via social engineering, social media, and open source data, and then lure unsuspecting users into downloading malware onto their computers. Once the malware is deployed and the attackers have established an initial foothold, they often try to obtain legitimate credentials (often with a privileged level of access) or create new credentials, so that they can move laterally and perform reconnaissance within the organization. Figure 1 details the anatomy of a typical attack.

Attackers often remain present in the target organization for long periods of time, often hundreds of days, moving laterally to conduct reconnaissance and gain high levels of access. At this point, it's likely that the attacker is no longer using malware; rather, a human actor is using the legitimate credentials that have been obtained or created, and blending in with the legitimate activity in the environment. Once the attackers have found what they're looking for, they will complete their mission by staging the data they're after (anything from intellectual property to financial data) and complete the process of stealing what they've found (sometimes called exfiltration or simply "exfil").

[Figure 1 diagram; stage labels: Attacker, Penetrate, Establish Foothold, Escalate Privileges, Move Laterally, Complete Mission, Maintain Presence]
Figure 1: Once attackers penetrate an organization and establish a foothold, they often remain present for months until they find the data they're looking for.

Uncovering Attacks and Responding Appropriately

How Organizations Learn of Breaches

An organization that has sufficient resources, mature security practices, and appropriate security products might be able to detect forensic artifacts that indicate that an attacker is inside their environment. These artifacts could include evidence that malware has been used, evidence of lateral movement, or the discovery of staged data that is ready to be moved externally or already in the process of being stolen.

Most organizations, however, do not even realize they've been breached until they are informed by a third party. Sometimes this is a law enforcement agency that is investigating another organization's breach and that has found evidence linking the two organizations; other times, the news comes from an investigating third party, such as a contracted incident response company that uncovers artifacts of an attack.

Incident Response and Remediation

When an organization learns in any of these ways that it has been breached, the next step is to conduct incident response. Starting with forensic analysis of the endpoints and servers initially known to be compromised, the incident responders attempt to determine the reach of the attack. They need to investigate to the point where they can no longer find further evidence of lateral movement. Once that investigatory boundary has been established, the next step is remediation. Remediation typically involves:

+ Shutting down all external internet access to the organization (yes, all of it)
+ Implementing two-factor authentication for access to sensitive data and applications
+ Re-imaging compromised endpoints and servers
+ Resetting all passwords
+ Removing any user accounts and access compromised or created by the attackers

Legal steps depend on the type of attack. The investigating body may vary depending on the type of organization that was penetrated, the nature of the attack, and the profile of the attacker. There are rarely legal repercussions in the case of attacks conducted by nation states or cyber criminal gangs operating offshore. While some international efforts have been successful at achieving penalties, we do not really see, for example, a company in the defense industrial base issuing charges against a nation state for launching an attack and stealing its intellectual property. The SANS Institute does publish best practices for responding to a breach that can provide some guidance in terms of process. However, a proper incident response and full forensics investigation requires extensive expertise.

Preventive Measures

Many technologies and approaches have been developed to help secure the perimeter of the organization. Organizations can and do try to detect the presence of malware on the network (by detecting its command-and-control communication), and the presence and execution of malware on the endpoints and servers. But hackers are both clever and highly motivated by the potential rewards, so it's inevitable that they will overcome any preventative method, sooner or later.

Many U.S. military and government organizations have already adopted the position that preventative security will always fail, and the only way to truly be secure is to constantly look for evidence of a breach and then respond appropriately with an incident response. For example, Reuters reports that the director of the U.S. National Security Agency (NSA) Information Assurance Directorate, Debora Plunkett, told a cyber security forum, "We have to build our systems on the assumption that adversaries will get in." The UK and other European intelligence agencies have a similar mindset. This advanced perspective has not yet been broadly accepted, but it should be. Being prepared to perform a thorough incident response when breached is the only surefire way of being secure. But exactly how can your organization tighten the net around attackers?

The Benefits and Realities of Two-Factor Authentication

Where Two-Factor Authentication Can Help

As noted above, one common recommendation during an incident response is to implement two-factor authentication to protect critical data and infrastructure, as well as the actual incident response tools and infrastructure. Attackers often use legitimate credentials to log back in via VPN to an organization that they've compromised (again, blending in with the legitimate, day-to-day network activity). By requiring something you have (such as a hardware security token or a biometric identifier like a fingerprint) as well as something you know (a password), two-factor authentication limits the usefulness of any credentials that attackers may have acquired or created, thereby restricting their ability to move laterally within the organization (see Figure 2).

[Figure 2 diagram; stage labels: Attacker, Penetrate, Establish Foothold, Escalate Privileges, Move Laterally, Complete Mission, Maintain Presence; 2-Factor Authentication marked against the later stages]
Figure 2: Two-factor authentication can help during the later stages of an attack by limiting the usefulness of any acquired credentials.

Limitations of Two-Factor Authentication

However, two-factor authentication isn't cheap. It can be costly to implement, and it can also be costly in terms of the user experience, adding a layer of complexity that disrupts legitimate user activity, increasing frustration and hurting productivity.

Moreover, two-factor authentication isn't infallible, as we now know thanks to the reports on the Operation Emmental attacks on Swiss and German banks, which enabled attackers to scrape SMS one-time passwords (OTPs) off customers' Android phones.

Context-based Authentication

Understanding Context-based Authentication

What options do organizations have in trying to stop, or at least slow down, an attacker who is moving laterally or trying to circumvent two-factor authentication? Context-based authentication.

Context-based authentication enables an organization to create rules that determine whether and how a given authentication process should proceed based on context. Context can include:

+ Verifying characteristics of the user's device (the "device fingerprint")
+ Checking the reputation of the IP address of the user's machine against blacklists
+ Comparing the user's group membership information to identities in a directory or user store
+ Comparing the user's current physical location against known good or bad locations (geo-fencing)
+ Analyzing the user's current physical location against the location of the previous logon (geo-velocity)
+ Comparing the user's measurable behaviors against an established baseline

While each of these techniques on its own could be circumvented, combining several or all of them offers a promising solution. Security is about layers, and context-based authentication does exactly that: it uses layers. Using multiple contextual factors pre-authorization, it builds a risk profile that can be used to determine whether to allow the user to proceed to actual authentication.

[Figure 3 diagram; stage labels: Attacker, Penetrate, Establish Foothold, Escalate Privileges, Move Laterally, Complete Mission, Maintain Presence; Context Based Authentication marked against the later stages]
Figure 3: Like two-factor authentication, context-based authentication can thwart an attacker's ability to move laterally and escalate privileges inside the organization.

An Alternative or a Complement to Two-Factor Authentication

Context-based authentication can be implemented either as an alternative to two-factor authentication, or as a complement to it:

+ Some forms of context-based authentication, such as device fingerprinting, actually can constitute two-factor authentication, although this is a debatable point.
+ Context-based authentication can be used in conjunction with two-factor authentication, reducing the burden on users by requiring two-factor only when a login is deemed to involve a certain level of risk. For example, in such a step-up approach, if geo-fencing data together with behavioral analysis raises sufficient suspicion about a particular authentication request, rather than simply denying the request outright, the system can require two-factor authentication.

Techniques for Context-based Authentication

Organizations can tailor context-based authentication to achieve the level of security they deem appropriate by combining some or all of the techniques mentioned earlier. Let's explore each one in further detail.

Device Registration and Fingerprinting

Device fingerprinting is typically a two-stage process: on first-time authentication, the solution registers an endpoint, and on subsequent authentications, it validates the endpoint against the stored device fingerprint. The device fingerprint comprises a set of characteristics about that endpoint, such as:

+ Web browser configuration
+ Language
+ Installed fonts
+ Browser plug-ins
+ Device IP address
+ Screen resolution
+ Browser cookie settings
+ Time zone
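The two-stage register/validate process above, as an added example that is not part of the original paper or of SecureAuth IdP: it normalises the listed attributes, stores them on first authentication, and scores later authentications by weighted attribute match rather than an all-or-nothing comparison, so a single plug-in update does not look like a new device. The attribute weights, the 0.75 threshold and the sample device profiles are assumptions made for illustration.

```python
# Attributes the paper lists for a device fingerprint, weighted by how much a mismatch
# should count (heavier = more stable attribute). The weights are an assumption here.
ATTRIBUTE_WEIGHTS = {
    "user_agent": 3,       # web browser configuration
    "language": 1,
    "fonts": 2,            # installed fonts
    "plugins": 2,          # browser plug-ins
    "ip": 1,               # device IP address (changes often on mobile networks)
    "screen": 1,           # screen resolution
    "cookies_enabled": 1,  # browser cookie settings
    "timezone": 1,
}

def normalize(attrs):
    """Canonicalise values so ordering and case differences do not look like a new device."""
    out = {}
    for key in ATTRIBUTE_WEIGHTS:
        value = attrs.get(key)
        if isinstance(value, (list, tuple, set)):
            value = sorted(str(v).lower() for v in value)
        elif value is not None:
            value = str(value).lower()
        out[key] = value
    return out

class DeviceRegistry:
    """Stage 1: register the endpoint on first authentication.
    Stage 2: validate later authentications against the stored fingerprints."""

    def __init__(self):
        self._devices = {}  # username -> list of normalized fingerprints

    def register(self, user, attrs):
        self._devices.setdefault(user, []).append(normalize(attrs))

    def match_score(self, user, attrs):
        """Weighted fraction (0.0..1.0) of attributes matching the closest registered device.
        An exact-match check would reject the device after one plug-in update; a score lets
        policy treat small drift as low risk and large drift as an unknown device."""
        candidate = normalize(attrs)
        total = sum(ATTRIBUTE_WEIGHTS.values())
        best = 0.0
        for known in self._devices.get(user, []):
            matched = sum(w for k, w in ATTRIBUTE_WEIGHTS.items() if known[k] == candidate[k])
            best = max(best, matched / total)
        return best

    def validate(self, user, attrs, threshold=0.75):
        """True when some registered device for this user matches at or above the threshold."""
        return self.match_score(user, attrs) >= threshold

# Constructed sample attributes (not real telemetry): the user's laptop, the same laptop
# after a plug-in install plus a DHCP address change, and an unrelated machine.
LAPTOP = {"user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0", "language": "en-US",
          "fonts": ["Arial", "Calibri", "Verdana"], "plugins": ["Flash", "Java"],
          "ip": "203.0.113.10", "screen": "1920x1080", "cookies_enabled": True,
          "timezone": "America/Los_Angeles"}
UPDATED_LAPTOP = dict(LAPTOP, plugins=["Flash", "Java", "Silverlight"], ip="203.0.113.11")
OTHER_HOST = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/38.0", "language": "zh-CN",
              "fonts": ["DejaVu Sans"], "plugins": [], "ip": "198.51.100.7",
              "screen": "1280x800", "cookies_enabled": True, "timezone": "Asia/Shanghai"}

def demo():
    """Register the laptop, then validate all three profiles: returns (True, True, False)."""
    registry = DeviceRegistry()
    registry.register("alice", LAPTOP)
    return (registry.validate("alice", LAPTOP),
            registry.validate("alice", UPDATED_LAPTOP),
            registry.validate("alice", OTHER_HOST))
```

The score, not just the boolean, is what a risk engine would consume: a 0.75 match from a known user's laptop is a different signal from a 0.08 match from a machine that shares nothing but its cookie setting.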

Source IP Reputation Data

Context-based authentication uses IP reputation data, or blacklists of IP addresses, to deny or step up authentication. For example, your organization can deny authentication if the IP address of a user's machine is part of the Tor anonymity network or a known botnet, or an IP/subnet associated with known bad actors.

[Figure 4 table; columns: LOCATION, IP; eight example source addresses with their geo-location]
Figure 4: Context-based authentication can deny access based on source IP reputation data.

Identity Store Lookup

Once attackers have access to your network, in addition to stealing existing credentials, they often create new ones. However, they often fail to create users correctly, with appropriate group membership and attributes. Therefore, by comparing a user's current information with the corresponding information kept in a directory or user store, you can thwart attackers attempting to use credentials they have created.

Geo-location

Context-based authentication can compare a user's current geographical location (a meaningful, physical location) against known good or bad locations and act accordingly. For example, users on a campus location can be approved while users attempting to authenticate from outside of the campus can be denied.

Geo-fencing

Context-based authentication can also base decisions on a geographical area or a virtual barrier: if the user's location is outside of a certain proximity, then assign additional risk or deny the authentication attempt.

[Figure 5 diagram]
Figure 5: Using geo-fencing as part of context-based authentication

Geo-velocity

Using a user's geo-location and login history together can also help prevent malicious access. For example, if a user logged in at 2 p.m. PST in California, it is reasonable to deny that user's logon attempt at 7 p.m. EST from the East Coast.

[Figure 6 diagram; labels: "User Logs in at 2pm PST", "User Logs in at 7pm EST"]
Figure 6: Using a user's geo-location and login history together (geo-velocity), context-based authentication can deny access based on an improbable travel event.
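The geo-fencing and geo-velocity checks just described, worked through as an added example (not code from the paper or from SecureAuth IdP): one haversine distance function serves both checks, and the geo-velocity check replays the paper's 2 p.m. PST / 7 p.m. EST scenario with time-zone-aware timestamps so the two clocks are compared on a UTC basis. City coordinates, the 5 km campus fence around Irvine and the 900 km/h plausibility limit are assumptions.

```python
import math
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def inside_geofence(lat, lon, fence):
    """Geo-fencing: is (lat, lon) within fence = (centre_lat, centre_lon, radius_km)?"""
    c_lat, c_lon, radius_km = fence
    return haversine_km(lat, lon, c_lat, c_lon) <= radius_km

def geo_velocity_kmh(prev_login, curr_login):
    """Implied travel speed between two logins, each (aware datetime, lat, lon).
    Timezone-aware datetimes make 2 p.m. PST and 7 p.m. EST compare on a UTC basis."""
    t_prev, lat1, lon1 = prev_login
    t_curr, lat2, lon2 = curr_login
    hours = (t_curr - t_prev).total_seconds() / 3600.0
    distance = haversine_km(lat1, lon1, lat2, lon2)
    if hours <= 0:  # same instant or out-of-order history: any displacement is impossible
        return math.inf if distance > 0 else 0.0
    return distance / hours

def is_improbable_travel(prev_login, curr_login, max_kmh=900.0):
    """True when the user would have had to move faster than an airliner (assumed 900 km/h)."""
    return geo_velocity_kmh(prev_login, curr_login) > max_kmh

# Constructed sample data. Coordinates are approximate city centres; the campus fence is
# an assumed 5 km radius around Irvine, CA. PST is UTC-8 and EST is UTC-5.
PST = timezone(timedelta(hours=-8))
EST = timezone(timedelta(hours=-5))
SAN_FRANCISCO = (37.7749, -122.4194)
NEW_YORK = (40.7128, -74.0060)
LOS_ANGELES = (34.0522, -118.2437)
CAMPUS_FENCE = (33.6846, -117.8265, 5.0)

# The paper's scenario: 2 p.m. PST in California, then 7 p.m. EST on the East Coast,
# which is only two hours later in UTC for a roughly 4,100 km trip.
PAPER_PREV = (datetime(2014, 11, 3, 14, 0, tzinfo=PST), *SAN_FRANCISCO)
PAPER_CURR = (datetime(2014, 11, 3, 19, 0, tzinfo=EST), *NEW_YORK)
# A plausible day: San Francisco at 9 a.m., Los Angeles at 2 p.m. (both PST).
PLAUSIBLE_PREV = (datetime(2014, 11, 3, 9, 0, tzinfo=PST), *SAN_FRANCISCO)
PLAUSIBLE_CURR = (datetime(2014, 11, 3, 14, 0, tzinfo=PST), *LOS_ANGELES)

def demo():
    """Returns (paper scenario improbable?, plausible trip improbable?, Irvine inside fence?)."""
    return (is_improbable_travel(PAPER_PREV, PAPER_CURR),
            is_improbable_travel(PLAUSIBLE_PREV, PLAUSIBLE_CURR),
            inside_geofence(33.6800, -117.8300, CAMPUS_FENCE))
```

Geo-IP coordinates are coarse, so a production rule should add a distance floor (for example, ignore hops under a few hundred kilometres) before dividing by a short time gap, or mobile users switching carriers will trip the check.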

Behavioral Analysis

Over time, a solution can gather information about the way that a given user interacts with the device, such as:

+ Keystroke dynamics
+ Mouse movements
+ Gesture and touch
+ Motion patterns

Obviously the type of interaction depends on the device; however, there are approaches for analyzing these measurable behaviors that are accurate enough now to help identify individuals, so later authentication attempts that fall outside established behavior patterns can be denied or forced through a stepped-up authentication.

Conclusion

As even the NSA itself has acknowledged, organizations cannot rely on preventative methods to keep attackers out. But you can tighten the net around attackers. Context-based authentication is a powerful, layered approach that limits the ability of attackers to move laterally within your organization and use any credentials they compromise or create to steal valuable intellectual property, financial data, or other sensitive information. Context-based authentication can be tailored to your organization's risk tolerance, enabling you to balance security with a better user experience. You can use several or all of the techniques detailed in this paper in concert to build a risk profile that determines how to handle an authentication request: allow, deny, or step up. Users are unaware of the context-based authentication processes and are not burdened by two-factor authentication unless it is deemed necessary.
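An added example, not SecureAuth's own code, that combines the layers discussed in this paper into one pre-authorization risk profile and returns allow, step-up or deny, as the step-up approach under "An Alternative or a Complement to Two-Factor Authentication" and the Conclusion describe. The scores, thresholds, blacklist ranges (RFC 5737 documentation addresses) and baseline groups are assumptions; the device match and geo-velocity inputs are the kind of values the earlier fingerprint and geo checks would produce.

```python
import ipaddress
from dataclasses import dataclass, field

# Illustrative scores and thresholds (assumptions, not SecureAuth's values): each contextual
# layer adds risk, and the total decides whether to allow, step up to two-factor, or deny.
STEP_UP_AT = 30
DENY_AT = 70
MAX_PLAUSIBLE_KMH = 900.0

# Constructed reputation data using RFC 5737 documentation ranges; a real deployment loads
# Tor exit, botnet and known-bad-actor ranges from a reputation feed.
BAD_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
# Identity store lookup: groups every legitimately provisioned account carries (assumed).
BASELINE_GROUPS = {"Domain Users", "All-Staff"}

@dataclass
class Context:
    username: str
    source_ip: str
    device_match: float              # 0.0..1.0 from device fingerprint validation
    inside_geofence: bool
    geo_velocity_kmh: float          # implied speed since the previous login
    directory_groups: set = field(default_factory=set)  # groups read from the directory
    behavior_deviation: float = 0.0  # 0.0 = matches baseline, 1.0 = nothing like it

def score(ctx):
    """Build the pre-authorization risk profile: total score plus the reasons behind it."""
    total, reasons = 0, []
    if any(ipaddress.ip_address(ctx.source_ip) in net for net in BAD_NETWORKS):
        total += 50
        reasons.append("source IP on reputation blacklist")
    if ctx.device_match < 0.75:
        total += 30
        reasons.append("unrecognised device fingerprint")
    if not ctx.inside_geofence:
        total += 20
        reasons.append("outside geo-fence")
    if ctx.geo_velocity_kmh > MAX_PLAUSIBLE_KMH:
        total += 40
        reasons.append("improbable travel since last login")
    if not BASELINE_GROUPS <= ctx.directory_groups:
        total += 40
        reasons.append("account lacks baseline group membership")
    if ctx.behavior_deviation > 0.5:
        total += 25
        reasons.append("behaviour outside established baseline")
    return total, reasons

def decide(ctx):
    """Map the risk profile to 'allow', 'step_up' (require two-factor) or 'deny'."""
    total, reasons = score(ctx)
    if total >= DENY_AT:
        return "deny", total, reasons
    if total >= STEP_UP_AT:
        return "step_up", total, reasons
    return "allow", total, reasons

# Constructed authentication requests: a normal office login, the same user on the road
# from a drifted device, and an attacker-created account arriving from a blacklisted range.
OFFICE = Context("alice", "203.0.113.5", 1.0, True, 0.0, {"Domain Users", "All-Staff", "Finance"}, 0.1)
TRAVELLER = Context("alice", "203.0.113.77", 0.6, False, 500.0, {"Domain Users", "All-Staff", "Finance"}, 0.2)
ROGUE = Context("svc_backup2", "192.0.2.44", 0.0, False, 0.0, {"Domain Users"}, 0.0)

def demo():
    """Decisions for the three requests: ('allow', 'step_up', 'deny')."""
    return tuple(decide(c)[0] for c in (OFFICE, TRAVELLER, ROGUE))
```

Keeping the reasons list alongside the score is what makes the decision auditable: an incident responder can see which layer fired for a denied request rather than only the number.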

ABOUT KEITH GRAHAM

Keith Graham is Chief Technology Officer at SecureAuth Corporation. His expertise comes from 15 years in security, product management, product development, and consulting at companies such as Mandiant, FireEye and Quest Software. As CTO, Graham leads product development and plays a major role in the creation and development of innovative features and upgrades for all of SecureAuth's enterprise security solutions.

ABOUT SECUREAUTH

Based in Irvine, California, SecureAuth offers identity and information security solutions that deliver innovative access control for cloud, mobile, web and VPN systems to over 5 million users worldwide. SecureAuth IdP provides multi-factor authentication and single sign-on (SSO) in one solution. Its unique architecture enables organizations to leverage legacy infrastructures while also embracing next-generation technologies, so you can preserve your existing investments while also meeting today's security challenges. For the latest insights on secure access control, follow the SecureAuth blog, follow @SecureAuth on Twitter, or visit www.secureauth.com.

8965 Research Drive Irvine, CA 92618 p: 1-949-777-6959 f: 1-949-743-5833 secureauth.com