Today, we’re excited to release our inaugural State of Identity Security report!
The report outlines the most significant identity attacks of 2022, the weaknesses of MFA, and the IAM hygiene issues that are increasing identity attack surfaces.
We outline three of the most important takeaways in this blog.
Earlier this month, on February 9, Reddit announced they had experienced a security incident that “cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.” The attacker successfully got both the password and one-time password (OTP) from the victim.
The Reddit breach is not the first time we have seen actors targeting OTPs. In August 2022, 0ktapus attackers targeted Twilio to access OTPs delivered over SMS. The attack went on to impact 163 Twilio customers.
Furthermore, the actors behind the 0ktapus campaign are suspected to be behind a recent (unsuccessful) social engineering attack against Coinbase, which was explained in their recent blog Social Engineering - A Coinbase Case Study.
With actors increasingly targeting weak forms of MFA, security leaders are pushing toward phishing-resistant options. Eric Richard, CISO of HubSpot, described his greatest challenge today: “The biggest challenge today is around MFA. It’s extremely difficult and challenging to get to truly unphishable 2FA. I don't want to rely on passwords that are stealable. Instead, I want to have mandatory, phish-resistant MFA, ideally tied to something you own and something you are.”
While we have found increased adoption of phishing-resistant second factors, these strong factors account for only 1.82% of all logins. Instead, our report found that enterprises are overwhelmingly reliant on weak factors. The average company has 40.26% of accounts with either no MFA or weak MFA. Given that we sampled organizations with 1,000 or more employees, that is a lot of opportunities for attackers.
Finally, the report gives insight into common MFA bypass techniques and findings around session hijacking. For example, when users have extremely long sessions without re-authenticating, it makes it easier for attackers to hijack sessions successfully. The recommended session length is one working day. The report found that, on average, companies have numerous monthly sessions in Okta that exceed seven days.
Dormant accounts represent 24.15% of the average company’s total accounts and are regularly targeted. This type of account typically has fewer controls and monitoring in place.
This is not hypothetical. In August 2022, APT29 launched brute-force password attacks on dormant accounts. According to Mandiant, APT29 conducted a password-guessing attack against a list of mailboxes and successfully guessed the password to an account that had been set up but never used. The group knew that these inactive, dormant accounts did not have the same scrutiny as others. Furthermore, they could enroll any compromised account with their own MFA.
Our analysis also found targeting of dormant accounts. Between November and December 2022, Oort detected an average of 501 attempts against inactive accounts per organization. Worse still, every day, we see several of these accounts come back alive. We call these "zombie" accounts.
This research analyzed accounts that had no activity in the last 30 days. We found that the average organization has many inactive accounts - more than 24% of its total identities. Inactive users dominate many groups. On average, companies have 196 groups with over 75% inactive users.
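The two thresholds above (30 days of inactivity for a dormant account, seven days for an over-long session) are simple to turn into detection logic. The following is an added example, not code from the Oort report or product: it runs over a small, constructed Okta-style event log and flags dormant accounts, "zombie" logins that follow a gap longer than 30 days, and login/logout pairs that exceed seven days.

```python
from datetime import datetime, timedelta

DORMANT_DAYS = 30      # the report's definition of an inactive account
MAX_SESSION_DAYS = 7   # the report's threshold for an over-long session

# Constructed sample events, not real data: (user, event type, ISO-8601 timestamp)
EVENTS = [
    ("alice", "login",  "2022-11-15T09:00:00"),
    ("alice", "login",  "2022-12-05T08:30:00"),
    ("bob",   "login",  "2022-10-01T10:00:00"),
    ("bob",   "login",  "2022-12-10T22:15:00"),  # back after 70 days: a "zombie"
    ("carol", "login",  "2022-12-01T09:00:00"),
    ("carol", "logout", "2022-12-12T18:00:00"),  # an 11-day session
    ("dave",  "login",  "2022-10-20T09:00:00"),  # nothing since: dormant
]

def _parsed(events):
    """Return events as (user, type, datetime) in chronological order."""
    rows = [(u, t, datetime.fromisoformat(ts)) for u, t, ts in events]
    return sorted(rows, key=lambda r: r[2])

def dormant_accounts(events, now_iso):
    """Users whose most recent event is older than DORMANT_DAYS at now_iso."""
    last = {}
    for u, _, ts in _parsed(events):
        last[u] = ts                      # chronological, so the last write wins
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=DORMANT_DAYS)
    return sorted(u for u, ts in last.items() if ts < cutoff)

def zombie_logins(events):
    """Logins preceded by a gap longer than DORMANT_DAYS for the same user."""
    prev, hits = {}, []
    for u, t, ts in _parsed(events):
        if t == "login" and u in prev and ts - prev[u] > timedelta(days=DORMANT_DAYS):
            hits.append((u, ts.isoformat()))
        prev[u] = ts
    return hits

def long_sessions(events):
    """Login/logout pairs longer than MAX_SESSION_DAYS, as (user, start, days)."""
    open_login, hits = {}, []
    for u, t, ts in _parsed(events):
        if t == "login":
            open_login[u] = ts
        elif t == "logout" and u in open_login:
            start = open_login.pop(u)
            days = (ts - start).days
            if days > MAX_SESSION_DAYS:
                hits.append((u, start.isoformat(), days))
    return hits

if __name__ == "__main__":
    print(dormant_accounts(EVENTS, "2022-12-31T00:00:00"))  # ['dave']
    print(zombie_logins(EVENTS))   # [('bob', '2022-12-10T22:15:00')]
    print(long_sessions(EVENTS))   # [('carol', '2022-12-01T09:00:00', 11)]
```

A login that lands in the zombie list is worth reviewing for an MFA enrollment by the attacker, the pattern the APT29 case above describes.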
When you combine these dormant accounts with the weaknesses in MFA, it’s no wonder attackers are targeting them.
The report also analyzed some of the most common targets. Domain administrators are three times more likely to face account probing than regular users. This is understandable, given this would give an attacker the keys to the kingdom. We also outlined some of the suspicious behaviors to look for if someone has access to admin accounts.
In some instances, these admin accounts were lacking or excluded from MFA controls. We observed numerous administrators with no MFA, weak MFA, and sitting in MFA exclusion groups.
Another key target for attackers is executives, who often have access to some of the most sensitive applications and data. We see plenty of probing attempts against executives. The map below shows the locations of those failed logins.
[Map: Failed and successful logins by executives in H2 2022]
Executives have more leeway and flexibility when it comes to security controls. For example, it's common for us to see executives bypassing MFA controls on the weekends. Organizations should enforce MFA on executives, even if some of those members do not like the friction.
The report provides recommendations and free tools organizations can use immediately. In terms of recommendations, our top five are:
Get on top of your identity mess. Build an identity inventory to get a single pane of glass into your identities.
Tidy up. Make sure accounts of users that are no longer employed with the organization are de-provisioned/deleted.
Shore up MFA. For your internal workforce, make sure your key employees use strong MFA. For your external workforce, make sure they use SSO or have MFA.
Ongoing monitoring. This is not a one-time activity. Continually monitor for behavioral anomalies and threats.
Investigate user incidents. Respond to suspicious activity by understanding the who, what, where, when, how, and why of every situation.
These are just some of the findings you can read about in our report. We have additional findings on groups, permissions, unused applications, guest accounts, dormant accounts, MFA factor prevalence, and MFA bypass techniques.
No forms, no hassle, no chasing up. Just have a read, and let us know if you like it!
https://oort.io/hubfs/Reports/State-of-Identity-Security-2023.pdf
On March 9th, we will present a webinar on this topic with IDSA. Register here to save your space!