Cybersecurity is a game of assumptions that often come back around to haunt us. No one has perfect information at all times and businesses are constantly trying to achieve outcomes while balancing on a house of cards made from assumptions, inferences, and imperfect data. What we assume and how those assumptions lead us to ruin has changed over the years, but one of the best examples centers on the concept of the “security perimeter” and how businesses think about the concept of trust. Unfortunately, even though technology has rapidly developed, our way of thinking about the security perimeter has not. Look no further than the concept of identity to find the best example of how our assumptions have not changed even though the rest of the world has.
What is identity?
Identity, in the technological sense, is the idea that an entity's access to a resource is decided by authentication (proving who it is) and authorization (checking what it is permitted to do). If you can prove that you are who you say you are and you are permitted to reach a resource, that is enough to let you in. Identity as a method of authentication and authorization has existed since computers started talking to each other. Even within the sequestered internal networks of the late 90s, an end user usually still had to prove their identity with a username and password to grab files from the corporate file share. The network boundary was an effective barrier to unauthorized access because a user had to be both inside the trusted network and able to prove their identity before they could authenticate and reach resources. This is how the world worked for a very long time, and it is how much of the world still thinks it works!
But something fundamentally changed when we tried to apply this security model to cloud resources. With the advent of cloud computing, users could access their email, SharePoint files, and PowerPoint slides from anywhere in the world and from any of their multiple devices. Availability became a core selling point of services like Microsoft 365 which, as the name suggests, let users reach their business materials anywhere, anytime, 365 days a year. The user's cloud account became their new method of authentication and authorization, and the network boundary that used to sit in front of it was gone. That shift should have come with a new understanding of where the security perimeter now lay, but understanding lagged behind adoption. While the business world carried on with this exciting new technology, hackers everywhere realized that the world had not caught on to the security implications of the change. They found, to their delight, a new attack surface where a target's company resources were free for the taking if they could get past the front door. To this day that attack surface is not well understood by most businesses, and our outdated ideas about where the security perimeter truly lies are costing real people real money.
What does the attack surface look like in this model?
There is no concept of an "internal, sequestered network" in the realm of identity. You can't hide the cloud from hackers: the login endpoint is reachable by anyone on the internet, and proof of identity, even stolen proof, is all that's required for someone who is not you to access your resources. That proof is stolen in two main ways. The first is credential theft: a user has reused a password that leaked elsewhere or chosen one that is easily guessed, and a threat actor replays those stolen credentials against the cloud login. The second is session theft: the authenticated session (the cookie or token issued after a successful login) is taken from a legitimate user and replayed by the attacker, most often through an Adversary in the Middle attack that proxies the real login page. Multifactor Authentication has raised the technical barrier to entry, but note what it does and does not protect: it makes a replayed password insufficient on its own, yet a session stolen after the user completed MFA carries that completed check with it, so the attacker never has to defeat the factor at all. Hackers still find ways around these security measures.
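As an added example (not code from the original post), here is a small Python detector for the two theft patterns above, run over a handful of constructed sign-in events. The event fields, session identifier and thresholds are assumptions loosely modelled on cloud sign-in logs, not any vendor's schema. It flags one source address failing against many distinct accounts in a short window (a password spray, together with the account it then got into) and one post-login session identifier reused from a second network minutes after the first (the fingerprint of a replayed session cookie).

```python
"""Added example: two detections for identity-based initial access.

The events below are constructed, and the field layout (timestamp, user,
source IP, user agent, session id, result) is an assumption loosely
modelled on cloud sign-in logs rather than any vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Constructed: one address tries five accounts once each, then gets a sixth.
    ("2024-05-01T09:00:01", "alice@example.com", "203.0.113.7", "python-requests/2.31", None, "failure"),
    ("2024-05-01T09:00:03", "bob@example.com", "203.0.113.7", "python-requests/2.31", None, "failure"),
    ("2024-05-01T09:00:05", "carol@example.com", "203.0.113.7", "python-requests/2.31", None, "failure"),
    ("2024-05-01T09:00:07", "dave@example.com", "203.0.113.7", "python-requests/2.31", None, "failure"),
    ("2024-05-01T09:00:09", "erin@example.com", "203.0.113.7", "python-requests/2.31", None, "failure"),
    ("2024-05-01T09:00:11", "frank@example.com", "203.0.113.7", "python-requests/2.31", "sess-9", "success"),
    # Constructed: alice logs in from the office, then her session id shows up
    # seven minutes later from another network with a different browser.
    ("2024-05-01T10:15:00", "alice@example.com", "198.51.100.20", "Chrome/124 Windows", "sess-1", "success"),
    ("2024-05-01T10:20:00", "alice@example.com", "198.51.100.20", "Chrome/124 Windows", "sess-1", "success"),
    ("2024-05-01T10:27:00", "alice@example.com", "192.0.2.55", "Firefox/125 Linux", "sess-1", "success"),
]


def parse(event):
    ts, user, ip, ua, session, result = event
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "ua": ua, "session": session, "result": result}


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Source IPs that fail against at least `min_accounts` distinct users within
    `window`, plus any accounts the same IP later signed into successfully."""
    by_ip = defaultdict(list)
    for e in map(parse, events):
        by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        failures = sorted((e for e in evs if e["result"] == "failure"), key=lambda e: e["ts"])
        for i, start in enumerate(failures):
            users = {e["user"] for e in failures[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_accounts:
                got_in = {e["user"] for e in evs if e["result"] == "success"}
                hits[ip] = {"sprayed": sorted(users), "compromised": sorted(got_in)}
                break
    return hits


def detect_session_replay(events, window=timedelta(hours=1)):
    """Session ids used from more than one source IP within `window`. A stolen
    post-MFA cookie replayed by an attacker looks like this; so does a user
    hopping between networks, so treat each hit as a lead to verify."""
    by_session = defaultdict(list)
    for e in map(parse, events):
        if e["session"]:
            by_session[e["session"]].append(e)
    hits = {}
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        for earlier, later in zip(evs, evs[1:]):
            if earlier["ip"] != later["ip"] and later["ts"] - earlier["ts"] <= window:
                hits[session] = {"user": later["user"],
                                 "ips": sorted({e["ip"] for e in evs}),
                                 "agents": sorted({e["ua"] for e in evs})}
                break
    return hits


if __name__ == "__main__":
    for ip, info in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"spray from {ip}: tried {len(info['sprayed'])} accounts, got into {info['compromised']}")
    for session, info in detect_session_replay(SAMPLE_EVENTS).items():
        print(f"session {session} ({info['user']}) seen from {info['ips']} with agents {info['agents']}")
```

Both detections produce leads rather than verdicts: a user roaming between Wi-Fi and mobile will also show one session from two addresses, so in practice the replay rule is usually tuned on network owner or geography rather than raw IP, and the spray threshold is set from the tenant's normal failure rate.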
Past the initial access phase, hackers are constantly iterating on tradecraft to invent methods of persistence and lateral movement in the cloud realm. Even if initial access is gained by stealing or replaying credentials, a hacker needs some way to stay in the target environment until they score a payday, because a stolen password can be reset and a stolen session can expire or be revoked. Conveniently, cloud services offer application development as a core component, and that can be leveraged for persistence. Custom-built cloud applications can be designed specifically to maintain persistence in a target tenant. Such apps, called Stealthware apps, often fly under the radar and act as a backdoor for long term access: once the app holds its own credential and its own consented permissions, it authenticates in its own right, so resetting the compromised user's password does not evict it. Other cloud applications are simply useful to attackers. Such apps, called Traitorware applications, are legitimate apps that perform functions that give hackers an edge. These may also fly under the radar because the applications may be published and verified, and a verified publisher says nothing about how much the app has been granted in the target tenant. These are just two examples of the creativity at play when hackers discover a vector of attack that the world isn't paying attention to.
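The persistence mechanisms above are easiest to catch in inventory rather than in traffic. As an added example, not part of the original post, the Python below triages a constructed inventory of app registrations for the traits a Stealthware or Traitorware app tends to show: application-level permissions (usable with no user signed in) over mail or the directory, a freshly added credential, a credential with a very long life, and a registration that is days old yet already holds those rights. The inventory's field names and the chosen list of high-value permissions are assumptions; the permission names are real Microsoft Graph application permissions, but the export format is not any vendor's API output.

```python
"""Added example: triage of cloud app registrations for persistence-style risk.

The inventory below is constructed, and its field names are an assumption
modelled loosely on an app/service-principal export, not any vendor's API.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Microsoft Graph application permissions that let an app act tenant-wide with
# no user present. Which ones to alarm on is an assumption; tune per tenant.
HIGH_VALUE_APP_PERMS = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
}

APPS = [
    {   # Constructed: an unremarkable name, a day-old secret, mailbox-wide access.
        "name": "Sync Helper",
        "created": "2024-04-30T22:14:00+00:00",
        "created_by": "alice@example.com",
        "publisher_verified": False,
        "credentials": [{"type": "secret", "added": "2024-04-30T22:15:00+00:00",
                         "expires": "2026-04-30T00:00:00+00:00"}],
        "permissions": [{"name": "Mail.ReadWrite", "type": "application"}],
    },
    {   # Constructed: a verified third-party app consented with far more scope
        # than a mail-signature tool needs.
        "name": "SignatureStudio",
        "created": "2023-01-12T09:00:00+00:00",
        "created_by": "consent:alice@example.com",
        "publisher_verified": True,
        "credentials": [],
        "permissions": [{"name": "Mail.ReadWrite", "type": "application"},
                        {"name": "User.Read", "type": "delegated"}],
    },
    {   # Constructed: a long-standing line-of-business app with modest, delegated scope.
        "name": "Expense Portal",
        "created": "2021-06-01T09:00:00+00:00",
        "created_by": "it-admin@example.com",
        "publisher_verified": False,
        "credentials": [{"type": "certificate", "added": "2023-06-01T00:00:00+00:00",
                         "expires": "2025-03-01T00:00:00+00:00"}],
        "permissions": [{"name": "User.Read", "type": "delegated"}],
    },
]


def _age(iso):
    return NOW - datetime.fromisoformat(iso)


def triage_app(app, recent=timedelta(days=7), long_lived=timedelta(days=365)):
    """Return the reasons this app deserves a human look (empty list = nothing found)."""
    findings = []
    app_perms = {p["name"] for p in app["permissions"] if p["type"] == "application"}
    risky = sorted(app_perms & HIGH_VALUE_APP_PERMS)
    if risky:
        findings.append("application permissions usable with no user signed in: " + ", ".join(risky))
    for cred in app["credentials"]:
        if _age(cred["added"]) <= recent:
            findings.append(f"{cred['type']} added {_age(cred['added']).days} day(s) ago")
        if datetime.fromisoformat(cred["expires"]) - NOW > long_lived:
            findings.append(f"{cred['type']} valid for more than a year")
    if risky and _age(app["created"]) <= recent:
        findings.append("registered within the last week and already holds high-value permissions")
    return findings


def triage(apps):
    """Map app name -> findings, for every app with at least one finding."""
    report = {}
    for app in apps:
        findings = triage_app(app)
        if findings:
            report[app["name"]] = findings
    return report


if __name__ == "__main__":
    by_name = {app["name"]: app for app in APPS}
    for name, findings in triage(APPS).items():
        tag = " (verified publisher, which does not narrow the granted scope)" if by_name[name]["publisher_verified"] else ""
        print(f"{name}{tag}:")
        for f in findings:
            print(f"  - {f}")
```

Run against a real export, the same rules would be fed from the tenant's app registration and service principal listings, and the review should also cover who consented and when, since a Traitorware app is by definition one that looks legitimate on its own merits.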
How can businesses protect themselves?
We must advance our understanding and catch up to hackers by proclaiming that the security perimeter, as we knew it, no longer exists. When proof of identity is all we need to access our most sensitive, critical data, then the security perimeter is each and every one of us. Hackers already know this. It’s time we caught up to them.