IBM Security Verify
If Only Hackers Were This Easy to Spot

By Assaf Ezov posted Mon June 20, 2022 09:25 AM


A Tactical Case for Adaptive Access


We all wish cyber-attackers would attack with a figurative axe. Then, we could easily see the attack coming and prevent it. Unfortunately, this is not the reality…unless you’re employing a secret weapon: adaptive access.

As you know, attackers hide their activity and techniques to avoid detection, for example by logging in with compromised credentials so that the access looks legitimate. They stay hidden either until they resurface to extort the organization or, in many cases, until they have taken what they came for and moved on to the next target.

This raises several questions. If attacks are clandestine, how do we make sure we can detect them? Can we prevent them? How do we know whether today's defenses are enough? If we discover we are under attack, we know we need to step up protection, but how do we get ahead of the attacker instead of reacting? One of the best ways is adaptive access.

Even MFA Can Be Vulnerable

Sure, you’ve added multi-factor authentication (MFA) to your cybersecurity arsenal. Good, but MFA is not a silver bullet. MFA adds friction to the access process, and it can still be compromised. Attackers are a clever bunch, and they know how to bypass MFA. Here’s a brief inventory of their weapons:

  1. Social Engineering – You may think, “I don’t understand people who give their password to a stranger on the phone.” Well, those strangers can be very convincing and skilled. They create a context of pressure and urgency and build credibility by knowing personal details about you: your boss’s name, your phone number, your employee ID. Once they have won you over, they alarm you with news that your employee account is under attack, and under that pressure the second factor is handed over as readily as the first.
  2. Malware – Malware is now so powerful and sophisticated that it is effectively fraud-as-a-service, with capabilities such as SMS interception, screen capture, remote overlay, remote access tools and keylogging that capture the first factor (the password) as well as the MFA code.
  3. Device Spoofing – Device spoofing convinces the system that the device in use is the original user's trusted device, so the MFA challenge is never triggered.
  4. Session Hijacking – Session hijacking steals the session token issued after MFA has already succeeded (from memory, from a cookie store or on the wire, even when it is encrypted or hashed) and replays it to the service, so the attacker never has to answer the MFA challenge at all.
  5. SIM Swap – A SIM swap tricks the mobile carrier into issuing a replacement SIM for the victim's number; the attacker activates it only at the moment of the login attempt, so the SMS one-time code is delivered to the attacker's handset instead of the victim's.

Okay, so you’re convinced that you’d like to try adaptive access for a more proactive defense, but there are still concerns holding you back, namely:

  • We don’t want to replace our existing IAM solution. We’ve made too much of an investment in it.
  • It looks complicated. We don’t have the expertise to implement or maintain an adaptive access solution.
  • We have an adaptive access solution today. It’s just not good enough and we don’t know how to improve it.

As is so often the case, the exposure persists, just as it does at so many other organizations: attackers keep getting in. Meanwhile, you may be demanding extra authentication in every case where you are not sure what to do, making life a little harder for a large share of your users. Striking a better balance between safe access and ease of experience can be incredibly daunting.

There are many IAM solutions out there, most with some level of digital-identity risk detection, including IP-based rules and behavioral anomaly checks (time, location, velocity). These are now considered basic and far from enough to support a strong risk detection posture. Attackers know about these measures and, as the IP and ISP rotation described below shows, know how to circumvent them.

Organizations frequently say they are unhappy with their current MFA solution, but the problem is not executing the MFA, it is deciding when. The challenge is determining how much trust or risk you have, or are willing to accept, before you intervene in the user's session. You can't fix this problem by adding more weight to the MFA process itself. You can't bulldoze your way into high-quality risk and trust determinations.

Please, Be Reasonable

You need more than just a “quiet” and “loud” setting on the volume knob. It’s a fine-tuning practice. You need a rich set of reason codes (see Table) and appropriate responses. Fine tuning enables safer real-time decisions: allow the user in, require additional authentication, allow access with restrictions, force a password reset, or block the attempt.

Table: Sample Reason Codes

a. Suspicious access using a remote access tool
b. Suspicious access to a user account with attributes different from those normally seen on the user's device
c. Unusual activity using a known risky hosting service
d. Access from a known fraudster device
e. Access from a new device
f. Suspicious access pattern to multiple accounts
g. Unusual activity from a new foreign country
h. Access using unidentified device or connection attributes
i. Access from a suspicious device using spoofed attributes
j. Contains similar attributes to a known fraudster's device
k. Suspicious anomalous pattern of accesses
l. Unusual access using suspicious device attributes
m. Suspicious behavioral anomaly
n. Two subsequent logins from different geographical locations within a short timeframe
o. Suspicious access as part of a remote overlay attack


This is Adaptive Access

Adaptive access doesn’t have to strain your budget or your staff to be achievable. IBM Security Verify Trust helps you leverage your existing investment in whatever IAM solution you own today while augmenting it to make the access decision more accurate, based on true risk. Yes, it uses an agent on the device. This is really the only way to collect the data needed from the device to make an accurate risk assessment. If you want the best solution, you need to invest the resources to implement it.

The goal is to give you full control of your automated adaptive access process. With the IBM Security options, you can run a risk assessment whenever you need it, for example at login or before approving any risk-prone action. Here are some examples:

  • Login – At login there are behavioral risk indicators you can use: while the user is typing in their credentials, you can compare the location and other static attributes against what is normally seen for that user. These are useful but not as strong as they could be; device fingerprinting, for example, is stronger.
  • Device – Device identification is very powerful, and the more persistent and accurate it is, the better. Attackers know systems are trying to detect them, so they uninstall and reinstall the mobile application before each attack or clear the web browser's cookies. We use other techniques to store the device ID and keep it persistent. This also helps with malware detection.
  • Network Connections – The connection itself can be a reason to investigate, e.g., a risky VPN, a known risky hosting service, or an unsecured public Wi-Fi network.
  • Passive Behavior – Visible authenticators are the ones attackers target and bypass; what they cannot see is harder to bypass. Behavioral biometrics, or even device identification, are much stronger for this reason.
  • Fraud Patterns – Attacks are hidden by nature (remember the axe analogy). Attackers try to mimic legitimate user behavior and take small steps, assuming brute force will be easily detected. That’s why identifying patterns, rather than a single risk factor, matters. Training machine learning models on real, confirmed fraud cases is what lets you detect both known and previously unseen attacks.
  • Consortium data – Consortium data can include attributes tagged as good or bad: known bad devices and IPs, compromised credentials, suspicious email servers, etc.
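
To make the reason-code table and the signal list above concrete, here is a small risk engine added as an illustration; it is not IBM Security Verify Trust code and does not show how that product scores risk. It derives four of the table's codes (d, e, f, n) from a stream of login events and maps the resulting set of codes to a response (allow, step-up MFA, deny). It assumes a persistent device identifier supplied by a device agent, a geolocation already resolved for each connection, a consortium-style list of known fraudster devices, and invented thresholds (900 km/h, 50 km, three accounts per device per hour); the sample events are constructed for the example.

```python
"""Toy adaptive-access risk engine (added example, not IBM's implementation)."""
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # Unix seconds
    user: str
    device_id: str   # persistent device identifier (assumed supplied by a device agent)
    lat: float       # geolocation of the connection (assumed resolved upstream)
    lon: float


# Reason-code letters follow the table above.
KNOWN_FRAUD_DEVICE = "d"
NEW_DEVICE = "e"
MULTI_ACCOUNT_DEVICE = "f"
IMPOSSIBLE_TRAVEL = "n"

# Tuning knobs; the values are assumptions for the example.
MAX_PLAUSIBLE_KMH = 900.0      # faster than this between two logins is not travel
MIN_DISTANCE_KM = 50.0         # ignore geolocation jitter inside one metro area
MULTI_ACCOUNT_WINDOW_S = 3600  # look-back for distinct users on one device
MULTI_ACCOUNT_LIMIT = 3        # this many distinct users in the window is a pattern


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def decide(codes):
    """Map the reason codes of one attempt to a response; most severe rule wins."""
    if KNOWN_FRAUD_DEVICE in codes or MULTI_ACCOUNT_DEVICE in codes:
        return "deny"
    if IMPOSSIBLE_TRAVEL in codes or NEW_DEVICE in codes:
        return "step_up_mfa"
    return "allow"


class RiskEngine:
    def __init__(self, fraud_devices=()):
        self.fraud_devices = set(fraud_devices)   # consortium-style blocklist
        self.enrolled = defaultdict(set)          # user -> device ids trusted for that user
        self.last_login = {}                      # user -> most recent LoginEvent
        self.device_history = defaultdict(list)   # device id -> [(ts, user), ...]

    def assess(self, ev):
        """Return (decision, reason codes) for one login attempt."""
        codes = []
        if ev.device_id in self.fraud_devices:
            codes.append(KNOWN_FRAUD_DEVICE)
        if ev.device_id not in self.enrolled[ev.user]:
            codes.append(NEW_DEVICE)
        prev = self.last_login.get(ev.user)
        if prev is not None and ev.ts >= prev.ts:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = max(ev.ts - prev.ts, 1) / 3600.0   # guard against a zero interval
            if km > MIN_DISTANCE_KM and km / hours > MAX_PLAUSIBLE_KMH:
                codes.append(IMPOSSIBLE_TRAVEL)
        recent_users = {u for t, u in self.device_history[ev.device_id]
                        if ev.ts - t <= MULTI_ACCOUNT_WINDOW_S}
        recent_users.add(ev.user)
        if len(recent_users) >= MULTI_ACCOUNT_LIMIT:
            codes.append(MULTI_ACCOUNT_DEVICE)
        # Every attempt is recorded as an observation, but a device is only
        # enrolled when the login completes (allow, or a confirmed step-up).
        self.last_login[ev.user] = ev
        self.device_history[ev.device_id].append((ev.ts, ev.user))
        decision = decide(codes)
        if decision == "allow":
            self.enrolled[ev.user].add(ev.device_id)
        return decision, codes

    def confirm_step_up(self, ev):
        """Call once the user has passed the step-up challenge: trust the device."""
        self.enrolled[ev.user].add(ev.device_id)


LONDON, SYDNEY = (51.51, -0.13), (-33.87, 151.21)


def demo():
    """Run constructed login events through the engine; returns (user, decision, codes)."""
    engine = RiskEngine(fraud_devices={"dev-fraud"})
    events = [
        LoginEvent(1000, "alice", "dev-a", *LONDON),      # first sight of dev-a
        LoginEvent(2000, "alice", "dev-a", *LONDON),      # enrolled device, same city
        LoginEvent(2600, "alice", "dev-a", *SYDNEY),      # ~17,000 km in ten minutes
        LoginEvent(3000, "bob", "dev-z", *LONDON),
        LoginEvent(3100, "carol", "dev-z", *LONDON),
        LoginEvent(3200, "dave", "dev-z", *LONDON),       # third account on one device
        LoginEvent(4000, "erin", "dev-fraud", *LONDON),   # device on the blocklist
    ]
    mfa_passed_at = {1000}   # constructed: alice passes the challenge on her first login
    results = []
    for ev in events:
        decision, codes = engine.assess(ev)
        if decision == "step_up_mfa" and ev.ts in mfa_passed_at:
            engine.confirm_step_up(ev)
        results.append((ev.user, decision, codes))
    return results


if __name__ == "__main__":
    for user, decision, codes in demo():
        print(f"{user:6} {decision:12} {codes}")
```

The point of the structure is the one the article makes: each signal produces a reason code rather than a verdict, and the policy in `decide` is the only place that turns codes into a response, so tuning means changing that mapping (or a threshold) without touching the detectors. Note that a device is enrolled only after the login completes, otherwise an attacker's first attempt would make the device "known" for the next one.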

The Bottom Line: Assume Passwords Have Been Compromised

Attackers sell credentials they have bought from thieves or from disgruntled or desperate employees, or that they have stolen themselves. It is essentially an open market, and those supplying it use simple but scalable tools. For example, multiple machines targeting thousands of accounts can rotate IPs and ISPs across sessions, run mobile emulators, spoof device attributes, OS and time zone, and cycle through thousands of application uninstalls and reinstalls per device. These thieves are a clever, resourceful bunch.

Passwords as a security perimeter can no longer be trusted. MFA is great, but not fool-proof. Cyber-attacks are not carried out with an axe; you won’t see them coming. You must sense them from as much input as your systems can provide. To stop attackers, you need security measures that detect those breaches in real time and stop the attack.

Want to learn more about IBM Security Verify Trust? Visit this page.


1 comment



Mon June 20, 2022 09:41 AM

Great information. Hard to imagine why everyone wouldn't strive for incorporating Adaptive Access wherever they could.