The latest analysis report from the US Cybersecurity and Infrastructure Security Agency (CISA) has highlighted some of the common attack vectors used in cyberattacks against various organisations’ cloud services, and techniques to defend against them.
The report states that “threat actors are using phishing and other vectors to exploit poor cyber hygiene practices within a victims’ cloud services configuration”. It goes on to explain: “These types of attacks frequently occurred when victim organisations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services. Despite the use of security tools, affected organisations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks. The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a ‘pass-the-cookie’ attack—to attempt to exploit weaknesses in the victim organisations’ cloud security practices.”
CISA recommended a number of steps for organisations to strengthen their cloud security practices. These include implementing conditional access (CA) policies based on your organisation’s needs; establishing a baseline for normal network activity within your environment; routinely reviewing both Active Directory sign-in logs and unified audit logs for anomalous activity; enforcing MFA; routinely reviewing user-created email forwarding rules and alerts, or restricting forwarding; having a mitigation plan or procedures in place; understanding when, how and why to reset passwords and revoke session tokens; and following recommended guidance on securing privileged access.
In addition, the agency suggests organisations should consider a policy that does not allow employees to use personal devices for work; resolve client site requests internally to your network; consider restricting users from forwarding emails to accounts outside of your domain; allow users to consent only to app integrations that have been pre-approved by an administrator; audit email rules with enforceable alerts via the Security and Compliance Centre or other tools that use the Graph API to alert administrators to abnormal activity; and implement MFA for all users, without exception.
It also recommends that conditional access be understood and implemented with a zero-trust mindset, and that user access logging be enabled and logs forwarded to a security information and event management (SIEM) appliance for aggregation and monitoring, so that visibility is not lost on logs that fall outside the logging retention period. Organisations should also use a CA policy to block legacy authentication protocols; verify that no cloud-based virtual machine instance with a public IP has an open Remote Desktop Protocol (RDP) port; and place any system with an open RDP port behind a firewall and require users to connect through a VPN to reach it.
There should also be a focus on awareness and training. Make employees aware of threats such as phishing scams and how they are delivered. Additionally, provide users with training on information security principles and techniques, as well as on emerging cybersecurity risks and vulnerabilities. Establish blame-free employee reporting and ensure that employees know whom to contact when they see suspicious activity or believe they have been the victim of a cyberattack; this ensures the established mitigation strategy can be put into action quickly and efficiently. Ensure existing built-in filtering and detection products, such as those for spam, phishing, malware, and safe attachments and links, are enabled.
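As an added illustration of the log review the report recommends (this is example code, not CISA's or the report's), the following Python flags three of the behaviours named above over constructed sample records: inbox rules that forward or redirect mail outside the organisation's domain, successful sign-ins over legacy authentication protocols, and repeated failed sign-ins. The record layout, the ORG_DOMAIN value and the client-app names are assumptions made for the example rather than the exact Microsoft 365 or Azure AD log schema.

```python
# Added example (not from the CISA report): review constructed audit and sign-in
# records for behaviours the report says to look for. The record layout is a
# simplified one assumed here, not the real Microsoft 365 / Azure AD log schema.
from collections import Counter

ORG_DOMAIN = "example.com"  # assumed: the organisation's own mail domain
# clientApp values treated here as legacy (non-modern) authentication
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "SMTP", "Exchange ActiveSync", "Other clients"}
FORWARD_PARAMS = ("ForwardTo", "ForwardingSmtpAddress", "RedirectTo")
RECORDS = [  # constructed sample records, not real log data
    {"type": "audit", "op": "New-InboxRule", "user": "alice@example.com",
     "params": {"ForwardTo": "alice.archive@example.com"}},           # internal
    {"type": "audit", "op": "Set-InboxRule", "user": "bob@example.com",
     "params": {"ForwardingSmtpAddress": "collect@example.net"}},    # external
    {"type": "audit", "op": "New-InboxRule", "user": "carol@example.com",
     "params": {"RedirectTo": "x@example.org", "DeleteMessage": True}},  # external
    {"type": "signin", "user": "bob@example.com", "clientApp": "Browser", "result": "Success"},
    {"type": "signin", "user": "bob@example.com", "clientApp": "IMAP4", "result": "Success"},
    {"type": "signin", "user": "dave@example.com", "clientApp": "POP3", "result": "Failure"},
    {"type": "signin", "user": "dave@example.com", "clientApp": "POP3", "result": "Failure"},
    {"type": "signin", "user": "dave@example.com", "clientApp": "POP3", "result": "Failure"},
]

def is_external(address: str) -> bool:
    """True when the mailbox is outside the organisation's own domain."""
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN

def external_forwarding_rules(records):
    """Inbox-rule changes that forward or redirect mail to an external address."""
    hits = []
    for r in records:
        if r.get("type") != "audit" or r["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        for name in FORWARD_PARAMS:
            target = r["params"].get(name)
            if target and is_external(target):
                hits.append((r["user"], r["op"], target))
    return hits

def legacy_auth_users(records):
    """Users with at least one successful sign-in over a legacy protocol."""
    return sorted({r["user"] for r in records if r.get("type") == "signin"
                   and r["clientApp"] in LEGACY_CLIENT_APPS and r["result"] == "Success"})

def repeated_failures(records, threshold=3):
    """Users whose failed sign-ins reach the threshold (possible brute force)."""
    fails = Counter(r["user"] for r in records
                    if r.get("type") == "signin" and r["result"] == "Failure")
    return {user: n for user, n in fails.items() if n >= threshold}
```

In a real deployment the records would be pulled from the unified audit log and sign-in log exports the report tells you to review, and the hits fed to the SIEM as alerts.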
Commenting on the report, Niamh Muldoon, Global Data Protection Officer at OneLogin, stated: “Security culture and maintaining security consciousness with your entire organisation and/or end-users is critical not just for identifying and responding to security threats but following security processes. Access control processes of provisioning and de-provisioning are great examples that need conscious focus and attention to ensure only those that have a business requirement for access have access and their access is approved, reviewed and monitored per the access control principles of authentication, authorisation and assurance principles.”
“This is not a new threat,” added Christian Espinosa, Managing Director at Cerberus Sentinel. “Bypassing MFA via stolen (‘pass-the-cookie’) attacks is common. Cookies establish session persistence for web applications. When you are authenticated with a web application, MFA or not, the cookie is placed on your computer. The cookie contains the session ID and access tokens to the web application. This is so you don’t have to reauthenticate incessantly to the web application. This is an inherent flaw in the HTTP protocol and how web applications work. HTTP is a stateless protocol and relies on cookies to maintain state.
“We run into this vulnerability routinely during web application penetration tests,” Espinosa continued. “The way to mitigate the MFA pass-the-cookie vulnerability is with better cookie management and better user training. Specifically, cookies should be set with a short lifespan and should be for a single session, so when the browser is closed, the cookie is voided. Users should be trained to log off the web application and close their browser after they are done using the web application. Many users never log off or close a browser – this increases risk. The bottom line is there is no single way to fix the pass-the-cookie problem, unless you force a user to reauthenticate more frequently for different web application functionality. This diminishes the user experience though.”
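As an added example, not code from the article or from Espinosa, the following Python implements the cookie handling he describes: a browser-session cookie with no Max-Age or Expires so the browser discards it on close, an opaque session id resolved against a server-side store with an idle timeout and an absolute lifetime, and a logoff that revokes the session server-side so a copied cookie stops working. The cookie name and the two time limits are assumptions chosen for the example.

```python
# Added example (not the article's or the speaker's code): session handling that
# applies the mitigations described above, standard library only. The cookie name
# and the two time limits are assumptions chosen for the example.
import secrets
import time

SESSION_COOKIE = "sid"
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session is voided
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on a session's age, regardless of activity

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for a browser-session cookie: no Expires/Max-Age, so the
    browser discards it when closed; Secure, HttpOnly and SameSite limit exposure."""
    return f"{SESSION_COOKIE}={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"

class SessionStore:
    """Session state lives server-side; the cookie carries only an opaque handle,
    so revoking the handle here makes any copy of the cookie worthless."""
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        t = self._now()
        self._sessions[sid] = {"user": user, "created": t, "last_seen": t}
        return sid

    def resolve(self, sid: str):
        """Return the user for a valid session, or None; expired ones are removed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s["created"] > ABSOLUTE_LIFETIME or t - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = t
        return s["user"]

    def logoff(self, sid: str) -> None:
        """Explicit logoff revokes the session server-side, not just the cookie."""
        self._sessions.pop(sid, None)
```

The trade-off Espinosa mentions is visible in IDLE_TIMEOUT: a shorter value narrows the window in which a stolen cookie is usable, at the cost of users reauthenticating more often.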