Identity Security at Black Hat USA 2017
I have returned from a frantic, exciting, and exhausting three days in Las Vegas to attend the yearly Black Hat conference. It’s a great event with a lot of attendees, sponsors, vendors, and quality content and this year marked the 20th year for Black Hat. While the conference is not specifically about Identity & Access Management (IAM), you can’t escape the fact that identity is everywhere and that securing those identities is a central part of a proper security program. The security threats discussed at Black Hat are going to be your problems to deal with in the next six to eighteen months (if not already).The keynote this year came from Alex Stamos, Chief Security Officer at Facebook, and to thousands at the Mandalay Bay Events Center. Identity is the core product for Facebook and they understand how important safeguarding that is. With over two billion (with a b) monthly active users, that is a virtual ton of information to protect. Being able to actively secure and defend identity, including mine and most likely yours and your friends and family, is a challenging job. Defensive mechanisms must be in place for any organization to stand a chance against threats. This is why I am such a big fan of automated identity defenses that leverage machine learning and analytics.
Can you imagine trying to sift through the logs of two billion monthly sessions to find anomalous behavior? There is very little chance you could be proactive in identifying threats and maybe you discover a problem far too late to do anything about it unless you have a literal army of analysts – and even then, it’s still a long shot.
While Facebook is a huge company, that problem scales downwards to any size organization. Ask any CISO and most would say they are understaffed and underfunded. Being able to use technology to notice deviations in patterns is fast approaching a standard for an information security team. Machines can simply analyze faster (though not necessarily better) and help augment the human brains that are responsible for security of the enterprise. Hook that analytics capability up to your IAM platforms (governance, automation, privileged) and maybe some other security devices like a firewall or network access control and you have a recipe for automated identity security defense that can help you react faster in the high speed chess matches between attacker and defender.
Security and Identity Defense
Alex also talked about celebrating security defense just as much as successful penetrations which is something I agree more organizations should be doing. You are leaving wins on the table if you are not promoting and marketing the good work your IAM program is doing. To support awareness around identity defense, Facebook announced a million dollar internet defense prize fund. The fund will be used to help support development of new information security defenses and specifically noted generating practical ideas for securing account lifecycles. Get those thinking caps on!
Other interesting topics that I saw included a lot of focus on phishing expeditions (these attacks are on the rise and shouldn’t be a surprise to anyone) and using corporate infrastructure like Active Directory (AD) domain controllers to serve as bases for attacks (AD botnet anyone?). AD controllers are critical infrastructure for a company and a compromise can have serious impacts. So, how does this newly discovered exploit work? Here is a brief explanation from Paul Kalinin and Ty Miller from Australian firm Threat Intelligence who presented at Black Hat:
Standard Active Directory accounts support over 50 user attributes that can be combined to create a communication channel between any compromised domain machine located throughout your organization. The Active Directory Botnet Client injects unique data entries into their corresponding AD account attributes within the target Domain Controller, and begins polling to identify other compromised systems within the domain. At this point, any Active Directory Botnet Client within the domain can identify compromised machines and begin issuing commands to be executed on either individual systems or across all infected endpoints.
The Active Directory Botnet Clients then execute the commands and begin tunneling the command output back through their corresponding Active Directory account attribute fields, which are then collected by the Active Directory Botnet Client that issued the original command. Active Directory Botnet Cloaking features enable confidential communications between AD Botnet Clients to avoid detection, and has the ability to use custom Active Directory properties to bypass detection attempts. This attack provides a powerful communication channel for attacks that bypass networks access controls and enable a centralized Active Directory Command & Control solution.
The primary way of preventing this attack is to monitor regular changes to Active Directory standard user attributes that are not typically changed on a regular basis, and by rearchitecting security zones to use different Active Directory Forests. This is a clear violation of the way that Active Directory is typically used; however, due to the overwhelming insecure architecture implementations of Active Directory, and the difficulty of changing Active Directory architectures, this new attack technique will be effective for many years to come.
Tracking out of band account changes just became a lot more important, which is why I bolded that specific part of the explanation! This type of capability is generally associated with more mature IAM programs. If you are not doing this today, you should start thinking about how to address this now before you have a bigger problem to deal with. I think this reinforces that IAM is never truly “done” and that it is something you need to be able to support with the proper people, process, and technology for the long term.
The Usability of Security
Lastly, there was another topic that had several sessions that was encouraging from a recognition perspective: the usability of security. The fact is, people are always looking for ways around processes. It may just be that they are not user-friendly and impede the ability to do a job. For others, it may be the challenge of breaking or exploiting a process to achieve desired results (taking your stuff). While this isn’t necessarily specific to security, it can have a big impact in the way IAM information is requested, shared, and granted for any size organization. If the processes being built and run consider the human factor, it has a much greater chance at effectiveness, driving compliance, and reducing risk.
Despite the lines and packed hallways and exhibitions, it’s totally worth it to attend a conference like this. For me, it’s a good reminder of how identity routinely crosses into other areas of security. It’s also an excellent chance to get some intelligence on “what’s next” to start thinking about and incorporating into IAM strategies.