Security incidents are always a cause for concern, but this is especially true in the case of Okta a few months ago, where an identity provider and possibly their own company were compromised as a result. Despite the fact that, according to a statement from Okta themselves, only a small percentage of its customers were impacted in this instance, this attack is not an isolated case. Consequently, some companies are currently asking themselves how an attack on their identity provider would affect their own company. What measures should they take? In this blog article, we will look at these questions.
Compromising an identity provider or a software supply chain can result in attackers being able to access thousands of companies, and therefore potentially millions of users. This makes the issue of security precautions and measures to be taken in the event of a successful attack more topical than ever, as attacks become more and more frequent. The tactic of a supply chain compromise in itself is nothing new (remember SolarWinds or Kaseya?), nevertheless many companies are inadequately prepared. Given the far-reaching impact of a supply chain attack that focuses on account management, this would seem almost impossible for many security teams to manage anyway. However, analysis has shown that account access plays a role in over 85 per cent of attacks. Account access is so attractive to attackers because it gives them access to almost every part of a company - without the need for contact with monitored endpoints or user data.
14 measures to be taken before, during and after an identity provider compromise
The question is, what can companies do if an identity provider or other identity-oriented software is involved in a supply chain compromise? Here are some recommendations, but they also apply to the compromise of accounts caused by other attack tactics on the supply chain. This is of course because supply chain attacks are only one of many ways in which accounts can be compromised. How attackers use compromised accounts to achieve their ends and how defenders can detect and respond to these attacks are essentially the same, regardless of the original compromise tactic.
Here are 14 things you should do before, during and after a compromise:
- Evaluate the current situation
When a security incident occurs, it is important to gather as much information as possible, but often, this is not that easy, particularly when third parties are involved. Use different sources of information for your analysis, including assessments by independent security experts.
- Determine the approximate time frame of the attack
Unfortunately, often it is only weeks or months after a cyber-attack that people become aware of it. Therefore, to find indicators of compromise (IoCs), you should define a time frame that is as realistic as possible. This will often be a longer one, during which malicious activities may have taken place.
- An inventory of all entities related to the identity provider
Most companies use a variety of services and applications, so it is often quite difficult to get an accurate picture of the inventory. But if it is not known, it cannot be adequately protected. This makes an inventory of all the entities that the identity provider serves extremely important.
- Review the recent activities in the logs and the alerts that have been triggered
Established identity providers usually have detailed logs of all critical activities within the environment. Based on the previously defined time frame, it is possible to track changes in the system configuration. Attack indicators include newly installed applications, logged-in devices, new administrative users, elevated permissions, redundant credentials, etc. All logged security warnings should also be assessed.
- Investigate any changes that could allow redundant access
The existing logging is not always activated or may be inadequate. Therefore, current security settings should be checked to detect any unusual changes.
- Undo any malicious changes
All malicious changes must be reversed. All details should be recorded to get a complete picture of the compromise. This is also useful for future forensic investigations.
- Reset user passwords
If you suspect that user accounts have been compromised, you may need to force the renewal of user credentials. This is a simple, effective step - even if it is pretty unpopular with users. It is also important for active sessions to be closed first.
- Rotate keys and certificates
It is usually a complex, time-consuming task to reset the credentials of applications and services. This step may be unavoidable, but make sure it is really necessary before you begin.
- Withdraw undue permissions for third-party providers
Identity Providers may ask clients for access permission to change tenant settings or perform system debugging. If the identity provider has been compromised, all access rights that have been granted should be immediately revoked or, if possible, just granted temporarily.
- Reinforce defensive measures
Another obvious step is to regularly check the current security settings, but at the latest, this needs to be done in the event of a security incident. Security posture management products such as Vectra Protect for Microsoft 365, which scan and identify gaps in Azure AD and Microsoft Office 365 control configurations, can help, or you can use our dedicated hunting service to find any vulnerabilities or misconfigurations in your Azure environment.
- Install monitoring solutions
Even the best security solutions cannot provide 100 per cent protection. Humans, the biggest risk factor, or supply chain attacks can defeat external defences. To ensure a rapid incident response, an effective detection & response solution is needed to monitor malicious activity and stop the progress of attackers as soon as possible.
- Review the incident response contingency plans
In an ideal world, in the event of an attack on third parties, companies already would have a contingency plan in place, especially for critical service providers such as identity providers. If not, this needs to be done immediately, for which we recommend support from external specialists who practise contingency plans in advance, also as part of Table-Top Exercises (TTX).
- Auditing by external safety experts
As soon as the panic has died down, it is advisable to have a thorough check carried out by external security experts. This can check whether the measures are taken and existing security precautions are adequate and whether there are still gaps (e.g. as part of a penetration test or an attack simulation).
- Recognise signs of a compromised account
The signs of compromised accounts and the potential impact on them are not always immediately recognisable. An account may perform a range of actions and assets may be managed differently. However, unusual activities related to accessing valuable services, functions, hosts or data are often signs of a compromised account, regardless of the differences.
Artificial intelligence for prompt detection of anomalies and compromises
It is not an easy task to define what is abnormal and what is worthwhile. Admittedly, teams can trawl the network's active directory logs and review the actions logged by a cloud service. However, given the scale and the ambiguous nature of the issues, it is both more effective and more efficient to deploy artificial intelligence (AI) solutions to target attackers and rapidly identify critical activity. This is especially true in scenarios where it is not exactly clear who has been compromised and where credentials, access tokens or private keys may need to be re-routed. This is where AI solutions like those of our partner Vectra can bring clarity.
Vectra AI for automated and behaviour-based breach detection
Vectra applies security-centric AI to monitor and respond to attackers' actions in your organisation across on-premises, IaaS, PaaS and SaaS. Alerts focus not just on anomalies but also on attacker behaviour. Techniques such as Privilege Analytics, which automatically understand the value of accounts and assets in both hybrid cloud and SaaS-only environments, can make sense of anomalies by understanding the value of assets based on their historic activity.
Detect cyber attacks that are underway with Vectra and the InfoGuard Breach Detection Audit
Would you like to know if ongoing APT, ransomware or other cyber-attacks are currently happening on your site? Our Breach Detection Audit works in real-time to detect anomalies and ongoing attacks on your corporate network. Over four weeks, our security analysts analyse all your network traffic using Vectra's leading breach detection solution, which then provides you with an up-to-date assessment of the extent of your network's infiltration:
- Analysis of the network traffic in your company for four weeks without influencing ongoing operations (passive sniffing only).
- Evaluation and assessment of the results by InfoGuard cyber security analysts.
- Detailed final report and presentation of the findings at a workshop on your premises.
Interested? You can find the contact form here (only in German).