By now, most people know that identity and access management (IAM) is a framework of policies and technologies that are designed so that the right users have the appropriate access to the technology resources that they need. IAM is all about using a set of known, good information like passwords and multi-factor authentication (MFA) codes that match what is expected for the accounts on an organization’s network. This has been a fundamental security touchstone for as long as information security has been around. It is codified in every book, standard, policy and product since time immemorial.

Unfortunately, it is not good enough anymore.

Security is not a static thing. Adversaries evolve, and hundreds of billions of more in e-commerce transactions means more opportunity for attackers to take advantage of online accounts. Threat actors are now specifically targeting IAM protections like authentication, account management and even MFA.

The uptick in these attacks is unmissable. The recent Roasting Oktapus attacks on 130 organizations are a good example of why the Federal Bureau of Investigation (FBI) and Australian authorities issued a warning on credential-stuffing incidents. 

What does this mean to security teams and what should defenders do?

The Importance of Threat Modeling IAM Systems 

First, defenders should focus on recognizing the limits of IAM solutions. They are fundamental, but they are not everything. To see the limits of the IAM systems in place, security teams should include them in their threat modeling exercises. Threat modeling is the practice of optimizing application, system or business processes’ security by identifying any objectives or vulnerabilities. 

Once defenders threat model their IAM system, it is highly likely that there are impersonation, spoofing, redirection, and other opportunities for an attacker to discover. The types of threats we see now assume there is a mostly effective IAM system in place, and the attackers try to predict what it will do and then target users and behaviors accordingly. For example, if an organization has MFA in place, an attacker can get around this by what is known as an adversary-in-the-middle (AiTM) attack. With this, hackers combine a phishing attack with a proxy server between the victim and the website. By doing so, adversaries can steal the password and session cookie/token that has the additional level of authentication they can use to exploit, like an email. The user is unaware and is able to just log into their account as normal. 

To put it bluntly, Mike Tyson said, “everyone has a plan until they get hit in the face.” IAM systems are companies' plans of how access should work, but attackers are now punching them square in the eye. The dividing line between what is good and allowable behavior versus malicious abuse will not hold by a set of access protocols alone, it needs ongoing monitoring for malice.

Ratcheting up identity and access protections are evergreen activities. But they leave an undefended flank, how is the system being attacked and what are attackers doing on the system right now with stolen, phished and impersonated credentials? This threat vector cannot be defended by identity protections alone. 

Let’s look at how we can fill in the gaps. 

Filling the Gaps 

The consequence of new IAM-focused attacks is that most companies have a missing defense-in-depth layer, specifically a monitoring system of what is happening on the IAM system and how it is being targeted and abused. Luckily, there is hope for security professionals. Decision systems provide ongoing monitoring and offer runtime decisions to look for malice.

Identity graphs are a type of decision system that goes beyond the access control matrix, pictured below. 

Image courtesy of Forter

These tools inspect user behavior for tactics like token tampering, forgery and more that can adversely impact networks with account takeovers and lateral movements. This takes IAM beyond just monitoring for policy compliance, but also for known malicious behaviors. 

Organizations need to think of access less like a static wall, and more like a dynamic flywheel. Identity and access systems excel at defining what should happen in a system. When things go to plan that is all you need. But when your identity access system is the thing being targeted, you need a system that goes beyond what should happen and to what is happening. Identity graphs fill in those gaps so that when bad things happen to good credentials, companies are prepared.