Statistics show that identity-related cyber attacks are increasing, underlining the need for enterprises to address this issue, according to Kim Cameron, architect of identity at Microsoft.
“In the past year, there has been a 300% increase in identity attacks across the 800,000 high-usage tenants of Microsoft’s Azure Active Directory service,” he told the EEMA ISSE 2018 cyber security conference in Brussels.
Much of this problem, said Cameron, is related to passwords and to attacks that use brute force, phishing and breach replay.
“Our conclusion about the brute force attacks [across the Azure Active Directory users] is that attackers are achieving a 1% success rate in getting into a system, which is huge in terms of the number of attempts they are making,” he said.
With this approach, Cameron said, it is easy to compromise an email account within an organisation, and even if the account does not belong to anyone with access to corporate resources, information can be gleaned from it that can be used to craft successful phishing attacks.
“This enables attackers to send targeted emails with embedded links, and they generally achieve a 15% success rate, which can lead to a catastrophic breach when someone is compromised who has access to lots of information,” he said.
Breach replay software
Attackers can then feed all the username and password combinations they have collected into breach replay software and begin the whole process again, this time attempting to access sensitive systems.
“This cycle is what appears to be driving the increase in identity attacks [across Azure Active Directory users], with 4.6 billion attacker-driven sign-ins detected in May 2018, 350,000 compromised accounts detected in April 2018, and 23 million high-risk enterprise sign-in attempts detected in March 2018, which is not sustainable going forward,” said Cameron.
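The pattern behind these figures can be made concrete with a small detection routine. The following is an added example, not from the article, from Cameron or from Microsoft: it runs over a constructed sign-in log, groups attempts by source address, and flags sources that work through many distinct accounts with a low hit rate, which is the signature of brute force and breach replay traffic. The log format, the field names and the thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample sign-in log (not real data; the format is an assumption):
# timestamp, source IP, target username, outcome. Source 203.0.113.7 works
# through many different accounts and gets into one, the pattern of a password
# spray or breach-replay run; 198.51.100.5 is one user who mistyped a password
# once; 192.0.2.44 is a shared office egress address with only successes.
SIGNIN_LOG = """\
2018-05-03T08:00:01Z 203.0.113.7 alice FAILURE
2018-05-03T08:00:02Z 203.0.113.7 bob FAILURE
2018-05-03T08:00:03Z 203.0.113.7 carol SUCCESS
2018-05-03T08:00:04Z 203.0.113.7 dave FAILURE
2018-05-03T08:00:05Z 203.0.113.7 erin FAILURE
2018-05-03T08:00:06Z 203.0.113.7 frank FAILURE
2018-05-03T08:00:07Z 203.0.113.7 grace FAILURE
2018-05-03T08:00:08Z 203.0.113.7 heidi FAILURE
2018-05-03T08:00:09Z 203.0.113.7 ivan FAILURE
2018-05-03T08:00:10Z 203.0.113.7 judy FAILURE
2018-05-03T08:00:11Z 203.0.113.7 mallory FAILURE
2018-05-03T08:00:12Z 203.0.113.7 oscar FAILURE
2018-05-03T08:01:30Z 198.51.100.5 bob FAILURE
2018-05-03T08:01:45Z 198.51.100.5 bob SUCCESS
2018-05-03T12:10:02Z 198.51.100.5 bob SUCCESS
2018-05-03T17:22:51Z 198.51.100.5 bob SUCCESS
2018-05-03T08:30:00Z 192.0.2.44 peggy SUCCESS
2018-05-03T08:31:10Z 192.0.2.44 quentin SUCCESS
2018-05-03T08:32:05Z 192.0.2.44 rupert SUCCESS
2018-05-03T08:33:40Z 192.0.2.44 sybil SUCCESS
2018-05-03T08:34:15Z 192.0.2.44 trent SUCCESS
2018-05-03T08:35:59Z 192.0.2.44 victor SUCCESS
2018-05-03T13:02:00Z 192.0.2.44 peggy SUCCESS
2018-05-03T13:05:30Z 192.0.2.44 trent SUCCESS
"""

# Thresholds are illustrative assumptions; tune them against your own baseline.
MIN_ATTEMPTS = 8          # ignore low-volume sources
MIN_DISTINCT_USERS = 5    # a person signs in as one or two accounts, not dozens
MAX_SUCCESS_RATE = 0.10   # sprays and replays succeed on a small fraction of tries


def parse_log(text):
    """Turn the whitespace-separated log into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, ip, user, outcome = line.split()
        events.append((timestamp, ip, user, outcome == "SUCCESS"))
    return events


def summarise_by_source(events):
    """Per source IP: attempt count, success count, distinct users, accounts got into."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0,
                                 "users": set(), "compromised": set()})
    for _timestamp, ip, user, succeeded in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if succeeded:
            s["successes"] += 1
            s["compromised"].add(user)
    return stats


def flag_attacker_sources(events, min_attempts=MIN_ATTEMPTS,
                          min_users=MIN_DISTINCT_USERS, max_rate=MAX_SUCCESS_RATE):
    """Return sources whose volume, account spread and low hit rate look attacker-driven.

    The success-rate condition is what keeps a busy office egress address (many
    users, but nearly every attempt succeeds) out of the result.
    """
    flagged = {}
    for ip, s in summarise_by_source(events).items():
        rate = s["successes"] / s["attempts"]
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users and rate <= max_rate:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "success_rate": round(rate, 3),
                "compromised_accounts": sorted(s["compromised"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, detail in flag_attacker_sources(parse_log(SIGNIN_LOG)).items():
        print(ip, detail)
```

The accounts listed under `compromised_accounts` for a flagged source are the ones to reset and review first: they are the 1% that got through, and the same credentials are what the next replay round will be built on.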
In the short term, he said there are several simple steps that enterprises can take to reduce the volume of identity attacks, starting with implementing multifactor authentication.
“Making people use an additional token reduces compromise by 99.99%, which is a fantastic step forward and makes the likelihood of a catastrophic breach harder to achieve in spite of password reuse.”
Organisations can further reduce their attack surface by blocking legacy authentication, he said, which reduces compromise by a further 66%. Legacy authentication here means older protocols, such as basic authentication, that cannot enforce multifactor authentication and so give attackers a way around it.
Thirdly, Cameron said organisations should automate their threat response capability. “Implementing risk policies reduces compromise by 96%,” he said. “My main message is that this is not a sustainable situation and the use of defence mechanisms like machine learning is inadequate in the face of exponentially rising attacks.”
Cameron said he believes the web has to be “rebalanced” so that sophisticated technology is deployed on the user’s side. A user’s own systems could then, for example, keep a record of that user’s successful logins, helping anomaly detection systems to identify logins made with the user’s credentials but not carried out by the user from their own system.
“In that way, we would start to gain the information necessary to tune machine learning algorithms, but that is impossible given the current state of the web because the user has no technology at their disposal to protect them from all of these problems.
“I continue to believe the real answer is decentralised ID (DID), which is the notion that people will be in charge of their own identities. One can look at these IDs as being a new social network run by the users themselves rather than a giant organisation.
“And being run by the users themselves enables them to decide what kind of information they want to reveal to whatever service they are authenticating to,” he said.
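The user-side bookkeeping Cameron describes can be sketched in code. The following is an added example, not part of the article or of any Microsoft or DID project code, with constructed records and assumed field names: it reconciles the identity provider's list of successful sign-ins for one account against the record the account owner's own devices kept of the logins they actually performed, and flags any success the owner did not make.

```python
from datetime import datetime, timedelta

# Constructed data (not real, and the record formats are assumptions).
# IDP_SUCCESSES: the successful sign-ins the identity provider recorded for one
# account. USER_RECORD: the login events the account owner's own devices kept
# for logins the owner actually performed. The late-evening sign-in from an
# unrecognised device has no counterpart on the user side.
IDP_SUCCESSES = [
    {"time": "2018-05-03T08:02:10Z", "ip": "198.51.100.5", "device": "laptop-01"},
    {"time": "2018-05-03T09:15:40Z", "ip": "198.51.100.5", "device": "laptop-01"},
    {"time": "2018-05-03T21:47:03Z", "ip": "203.0.113.7", "device": None},
]
USER_RECORD = [
    {"time": "2018-05-03T08:02:08Z", "device": "laptop-01"},
    {"time": "2018-05-03T09:15:39Z", "device": "laptop-01"},
]


def parse_time(text):
    """Parse the ISO-8601 UTC timestamps used in both records."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def reconcile(idp_successes, user_record, tolerance=timedelta(seconds=30)):
    """Return the provider-side successes with no matching owner-side login.

    A provider-side success is matched to at most one owner-side event from the
    same device within `tolerance`. Whatever is left over was a valid credential
    presented by someone other than the owner: the labelled signal that anomaly
    detection and risk scoring otherwise have to guess at.
    """
    unmatched = [(parse_time(r["time"]), r["device"]) for r in user_record]
    suspicious = []
    for signin in idp_successes:
        when = parse_time(signin["time"])
        match = next((u for u in unmatched
                      if u[1] == signin["device"] and abs(u[0] - when) <= tolerance),
                     None)
        if match is None:
            suspicious.append(signin)
        else:
            # Consume the owner-side event so one real login cannot vouch for two sign-ins.
            unmatched.remove(match)
    return suspicious


if __name__ == "__main__":
    for signin in reconcile(IDP_SUCCESSES, USER_RECORD):
        print("credential used without the owner:", signin)
```

The design point is that the owner's record, not the provider's, is the ground truth: the provider can only see that a correct password was presented, while the user's device can say whether the user was there when it happened. Matching on device and a tight time window, and consuming each owner-side event once, stops a single genuine login from covering a replayed one a few seconds later.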
Progressive web app
According to Cameron, DID can be deployed as a “progressive web app” that requires zero install, so there is “no friction” for the user.
“The DID app could speak OpenID Connect [OIDC] just like any other social network, so there is very low friction for the relying party or client to accept these things,” he said. “If you look at the OIDC specification, everything is already there and approved internationally in terms of self-issued open identity provider and how you insert verified claims from governmental authorities or anybody else.”
A number of organisations in the IT industry, said Cameron, are working to advance a technical architecture in which the user is empowered with technology that can “work synergistically” with websites to deal with identity attacks in a realistic way.
“Stay tuned for an open source prototype of this, but the message is not the particular option which we are going to show in this prototype. Rather, we need to alter our thinking from just looking at how we defend ourselves to how we rebalance the web so users can have the technology that works with the organisation to defend the infrastructure.”