Separate Identity from Email

Setting the Stage

2021 has been a rough year for cybercrime. That is no surprise to anyone in the security business, but incidents are arriving faster, and people with no background in security are starting to pay attention. This is not the stuff of Ocean’s Eleven; it is a mix of nation-state actors and everyday hackers carrying out straightforward digital crime for money. It is a business to them, and a good one.

If you are successful in business and you like what you do, why quit? Most professionals don’t, and neither do hackers; instead they take the next step in their career and become cybercriminals. This means that if a cyber incident happens once because of a bad actor, it is likely to happen again, and again, and again, at least until the victim finally decides it is time to take action. Cybercriminals also like to jump on the bandwagon, especially when there is money to be made.

While there are many types of cybercriminals, they generally fall into three buckets:

  • Nation State Hackers. These are operators employed by a government, usually with the single purpose of breaching a foreign adversary for strategic gain.

  • Sophisticated Hacker Groups. These groups function almost like a company. They exist to work together to discover and exploit equally sophisticated digital infrastructures for substantial profit; you have probably seen many of them in the news. They are normally the ones demanding a ransom in exchange for returning the victim’s data or systems.

  • Solo Hackers. A solo hacker can easily go online and buy hacking tools, user information, and a seemingly infinite assortment of data in order to find an easy target. We think of these as the modern-day version of the thieves who pull on door handles in parking lots, looking for whoever left a car unlocked for a quick grab and go. However, solo hackers can also become quite sophisticated and should never be underestimated; some major breaches have been the work of a single person.

Any of the criminals above may use a multitude of methods to breach their target. The more sophisticated the method, the harder it is to trace and the easier it is to trick the user or machine being targeted. It is a never-ending game of cat and mouse, with cybercriminals often seeming to be one step ahead.

The Most Common and Destructive Form of Attack

If you add up the constant stream of hacks that pummel the digital world, the ones in the media day in and day out, the common theme is that the most common and destructive form of cyber-attack comes down to breaching the login. In other words, a cybercriminal has deliberately and fraudulently, through one of several methods, impersonated a user or machine so that the target validates their identity, and has broken into a place they do not belong. The important word here is identity.

Once these hackers have made it inside, they move on to other areas of your infrastructure, primarily because the infrastructure believes they are the legitimate identity. The important word here is access. With it they can steal data, lock down an infrastructure and hold it for ransom, shut down the infrastructure altogether with no way to return it to a working state, or any number of other damaging combinations. This is when headlines are created. What does not make headlines is the thousands of times this happens to small and medium businesses, which in aggregate far exceed the major news stories. That is why we call login breaches the most destructive: the overall stakes are higher for a smaller organization, and real livelihoods are on the line.

When forensic investigators perform a post-mortem on these events, many conclude that a credential breach did in fact occur and that multi-factor authentication (MFA) or some form of privileged access management (PAM) should have been deployed alongside other basic mitigations to keep the cybercriminal from ever entering in the first place. And even if they did get in, they would have had only least-privileged access, which limits the kinds of destruction described above. This is what the cybersecurity industry calls “Zero-Trust.” Zero-Trust means assuming that your infrastructure and systems will inevitably be breached, and therefore putting security measures in place that trust no one by default and grant the absolute least privilege. This approach forces every request to be validated and gives the validated identity the fewest options possible once inside.

As you might imagine, here at Evo we strongly agree with implementing Zero-Trust practices within your business and have built our entire company on this notion. In fact, Identity & Access Management is the very core of Zero-Trust, because successfully deploying this approach requires that everything be identity driven. This means the digital footprint required to run your or your customers’ organization should 1) trust nothing, 2) verify and validate everything, and 3) rely on identity as the connective tissue that unifies everything in order to accomplish 1 and 2. Devices come and go, machines come and go, end users come and go, but at the end of the day the identity layer remains and grants least-privileged access to each of them. Collectively, we call this Identity and Access Management, or “IAM.”

The Danger of Having Your Email and Identity Mixed Together

Since IAM is the core source of truth for an organization that takes Zero-Trust seriously, it is a good idea to ask yourself: where does my identity live? Who is monitoring and managing it? Should it sit next to other parts of my infrastructure, or should it exist as an independent silo, especially given how important it is? These are general awareness questions that need to be considered. You should also ask whether your infrastructure makes it easier or harder for cybercriminals to execute one of their attack methods, also known as “attack vectors.” For example, how do hackers actually breach a login? They have to get hold of the credentials first, and there are a few main ways they try to do that. Below are two examples, but this is certainly not a complete list.

  • Brute Force Attacks. In this method a hacker uses bots or rented compute to try passwords continuously, often drawing from databases of previously leaked passwords that can be bought cheaply on the deep or dark web (strictly speaking, replaying leaked credentials is credential stuffing and trying a wordlist is a dictionary attack, but in practice they blur together). With only a few GPUs, an attacker who has obtained a copy of the password hashes can test hundreds of millions of guesses per second offline, and it has been shown repeatedly that even a complex, “strong” password under 10 characters can be recovered in minutes or seconds. Against a live login the attempt rate is lower, but the idea is the same. Scary, but real. So if a user has a weak password and no MFA, it is only a matter of time.

  • Social Engineering. In this method a hacker fraudulently poses as a legitimate communication, message, or other trusted source to trick the end user into giving away a password. They either already have the end user’s email address or send a series of emails to likely addresses. Their hope is that the end user falls for the trick and hands over the password, and then they log right in. This is the #1 way cybercriminals breach a login today.
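Both attack patterns above leave a trace in the authentication log before the login is actually breached: a brute-force attempt produces a burst of failures against one account from one source, while the list-driven variant (password spray or credential stuffing) produces one or two failures against many different accounts from the same source. The following is an added example, not code from this page or from Evo, of detection logic that finds both patterns in a constructed, simplified log format (timestamp, source IP, username, result); real identity-provider sign-in logs carry the same fields under different names. The window and thresholds are assumptions to tune per environment. It also flags the event that matters most for response: a success from a source that was failing moments earlier, which is the breached login this page is about.

```python
"""Find brute-force and password-spray patterns in authentication logs.

Added example, not Evo's code. The log format is an assumed, simplified one:
    <ISO-8601 timestamp> <source IP> <username> <FAIL|SUCCESS>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple


class AuthEvent(NamedTuple):
    ts: datetime
    src_ip: str
    user: str
    ok: bool


# Constructed sample data (not a real capture). 203.0.113.7 hammers one
# account and finally gets in; 198.51.100.9 tries one password against
# five accounts; 192.0.2.5 is a user who mistyped once.
SAMPLE_LOG = """\
2021-05-03T09:00:01Z 203.0.113.7 alice FAIL
2021-05-03T09:00:03Z 203.0.113.7 alice FAIL
2021-05-03T09:00:05Z 203.0.113.7 alice FAIL
2021-05-03T09:00:07Z 203.0.113.7 alice FAIL
2021-05-03T09:00:09Z 203.0.113.7 alice FAIL
2021-05-03T09:00:11Z 203.0.113.7 alice FAIL
2021-05-03T09:00:13Z 203.0.113.7 alice SUCCESS
2021-05-03T09:05:00Z 198.51.100.9 bob FAIL
2021-05-03T09:05:30Z 198.51.100.9 carol FAIL
2021-05-03T09:06:00Z 198.51.100.9 dave FAIL
2021-05-03T09:06:30Z 198.51.100.9 erin FAIL
2021-05-03T09:07:00Z 198.51.100.9 frank FAIL
2021-05-03T09:10:00Z 192.0.2.5 bob FAIL
2021-05-03T09:10:20Z 192.0.2.5 bob SUCCESS
"""


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the assumed format, skipping blank or malformed lines; oldest first."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(AuthEvent(ts, parts[1], parts[2].lower(), parts[3] == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def _max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of (sorted) timestamps that fit inside one sliding window."""
    best = j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def _max_distinct_in_window(items: List[Tuple[datetime, str]], window: timedelta) -> int:
    """Largest number of distinct names inside one sliding window of sorted (ts, name)."""
    counts: Dict[str, int] = defaultdict(int)
    best = j = 0
    for i, (t, name) in enumerate(items):
        counts[name] += 1
        while t - items[j][0] > window:
            old = items[j][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            j += 1
        best = max(best, len(counts))
    return best


def detect(events: List[AuthEvent], window: timedelta = timedelta(minutes=10),
           fail_threshold: int = 5, spray_threshold: int = 5) -> Dict[str, Set]:
    """Return the sources matching each pattern. Window and thresholds are assumptions."""
    findings: Dict[str, Set] = {
        "brute_force": set(),             # (ip, user): many failures, one account, one source
        "password_spray": set(),          # ip: failures spread across many accounts
        "success_after_failures": set(),  # (ip, user): login that worked after a failure burst
    }
    fails_by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    fails_by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if not e.ok:
            fails_by_pair[(e.src_ip, e.user)].append(e.ts)
            fails_by_ip[e.src_ip].append((e.ts, e.user))

    for pair, times in fails_by_pair.items():
        if _max_in_window(times, window) >= fail_threshold:
            findings["brute_force"].add(pair)
    for ip, items in fails_by_ip.items():
        if _max_distinct_in_window(items, window) >= spray_threshold:
            findings["password_spray"].add(ip)
    for e in events:
        if e.ok:
            recent = [t for t in fails_by_pair.get((e.src_ip, e.user), [])
                      if e.ts - window <= t < e.ts]
            if len(recent) >= fail_threshold:
                findings["success_after_failures"].add((e.src_ip, e.user))
    return findings


if __name__ == "__main__":
    for kind, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{kind}: {sorted(hits) or '-'}")
```

The spray detector keys on the source address rather than the account, which is why a per-account lockout policy alone misses it: each account sees only one failure. Conversely, a single mistyped password followed by a success (192.0.2.5 above) trips nothing, which keeps the alert volume usable.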

A Recent Social Engineering Disaster

A few weeks ago, it was reported that cybercriminals were able to bypass Microsoft’s MFA by using advanced social engineering techniques to obtain (essentially, phish) user credentials. They then used those same credentials to spoof the Exchange email server and reroute an OAuth flow, bypassing MFA, to gain direct login access to internal employee mailboxes. This was followed by further social engineering, which eventually led to an even deeper account takeover. The attack was more sophisticated than a straightforward brute-force or commonplace social engineering attack: these cybercriminals went after the source of truth for all credentials, the server itself, which is actually pretty smart. Unfortunately, Microsoft had planned to deprecate the faulty OAuth logic in 2020, which could have prevented this altogether, but it seems other priorities emerged.

What We Can Learn

The first key takeaway from dissecting these kinds of attacks is that cybercriminals are really good at what they do (cue the business comment from above) and have a very good understanding of how to explore and discover exploitable attack vectors. The second takeaway is that Microsoft did not deliberately neglect the OAuth login thinking it would somehow harm their customers. They really do have a top-notch and vigilant security team, one that I am sure was stretched to the max given that this incident occurred during a very trying time globally. It is, however, a wake-up call that identity and access management is a hyper-critical core component of a comprehensive Zero-Trust defense strategy, and that it should definitely be separated from the company that manages your email.

The Business Case for Separating IAM from Email

While it may seem convenient to have both your identity and access management and your email in the same place, social engineering is the #1 way cybercriminals gain access to credentials and breach an organization, and email is the best way to execute a social engineering attack. So why risk it? Why make it that much easier for hackers to get into your systems by increasing the number of attack vectors and widening your organization’s attack surface? Separating the two is especially logical when there are less expensive, easier to use, purpose-built options that perform at scale, streamline your operations, offer better functionality, and are completely separate from what your email provider offers.

For those experienced with IAM, you might be thinking, “don’t I need to sync my Azure Active Directory or on-premises Active Directory as the source of truth?” The answer is yes and no. If you want to sync Active Directory you are welcome to do so, but you also have the option of relocating the source of truth and simply syncing passwords back to Active Directory for easy management, keeping the identity layer separate from the rest of the stack altogether.

The final thought here is that convenience and security really can and often do clash, but from an IAM standpoint they no longer have to. Understanding the role identity and access play in your MSP’s security posture should be a baseline consideration, in the same way firewalls and anti-virus software are. If you are an MSP, it is time to get smart about how your managed services are architected, especially on behalf of your small and mid-market business customers. If you are ready to find out how Evo can fill this void for your MSP and help protect both your and your clients’ identities, please give us a shot and book a demo here.