Organisations spend container loads of money on cybersecurity. Defenses are built from racks of servers, a plethora of software and rooms full of people staring at screens and punching keys away, in dedicated rooms or even dedicated companies. The reality is that attackers constantly change strategies, studying the defense strategies and how they can be bypassed, abused or even mitigated, just like a CISO manages cyber risk.
EDR/xDR as defense
Not too long ago, a major push towards xDR products was made mainstream. Regulators were quick to jump on the bandwagon, some mandating the implementation of such technologies as part of licence requirements. For some, a prescriptive guideline means a checkbox to be ticked. The strategy to stay in the game: tick all the checkboxes. Unticked checkboxes need to be escalated, and if nothing is done then "someone's going to get hurt real bad...". The Board, being risk averse, will mandate the organisation to commence and complete the procurement process so that the necessary boxes and solutions get in place. xDR was one such solution that's been put in place.
However, cybersecurity isn't a werewolf that's solved with a silver bullet.
Constantly changing cybersecurity landscape
As the good guys beef up the defense, so do the not-so-good guys (trying to be woke and not offend anyone). I still remember the time when a major vendor promoted their Endpoint solution as the "cure for cancer" of cybersecurity. Needless to say, they moved on to promoting XDR and whatever other technologies were up the hype curve.
Technology/automation creates two distinct problems. First, a sense of complacency. I'm sure many cybersecurity professionals would have heard the saying "Oh, we're secure. We got the latest Cockerel brand firewall...". So much so that it creates the illusion that merely having a firewall makes one secure. Then came W32.Blaster/Nimda to shatter that notion. And yet, we as an industry don't learn.
Secondly, the notion of a problem being solved. If the problem is ever static, one might say, yea, problem solved. I'd like to draw attention to the analogy of a road, especially in the hot weather/rainy seasons of Asia. After a while, a pothole develops. Someone complains and the city hall diligently patches it. Rain and heavy vehicles pass by, causing the hole to reappear. City Hall patches it again. After a while, someone smart at City Hall does an analysis and finds out that they've been patching the same hole multiple times. Same problem, same solution, but it happens again and again.
Honestly, I get the point why the lesson isn't learnt. A business owner, who is used to solving problems, will see cybersecurity as a problem, throw money at it and expect the problem to go away. Whether it's a small/medium organisation or even a multinational bank, I see the same pattern. The spending on cybersecurity hasn't stopped, and at some point tough questions are going to be asked about it being a "bottomless pit", and the CISO becomes a revolving chair trying to address the question. Sitting on multiple boards and answering the same question repeatedly has taught me that most Board members (non IT centric) will assume that the problem is solved once money is spent (never mind the complexity of actual problem solving, which requires people, process and technology, when money only solves the tech part).
"We just spent X million last year and you want more this budget?"
New threats and current defense
I know I digressed a little bit, but here's me pulling the article back on track. Let's look at some of the current threats (I won't say new, because there is always something newer). Recently there were reports of attackers abusing OAuth tokens to gain access. This method completely blindsides technologies such as xDR.
What's OAuth and why do people need it?
OAuth is an authorisation mechanism that is tied together with authentication so that organisational resources can be used seamlessly. Here's an illustration of an OAuth application at work.
[Illustration: an OAuth application at work. Courtesy - OmniApp]
Authentication - Identify who you are. Focus on identity.
Authorization - What can you do, based on your permissions.
Once the user is authenticated, he/she/they is given a token. Using that token, he/she/they can now access their organization resources without having to login multiple times.
Sounds neat, right? So why is this a problem? Well, in today's computing, with Cloud and SaaS apps, the authentication and usage domain is no longer within the physical confines of the office. My organisation may use Active Directory to authenticate me, but then extends it via OAuth so that I can access my email, which is hosted by Google Workspace, and use Salesforce for my sales work. To make it seamless, the OAuth token allows your identity to be recognised across different organisations.
This token provides me with a passport that lets me use authorised SaaS apps that recognise my organisation. That way, I don't have to re-initiate authentication for each service.
This sounds familiar!
Yes, yes it does. If you've been around as long as I have, you'd notice that the concept is similar to session hijacking or cookie stealing. Session hijacking/cookie stealing affects only Internet based services, limited to services that share the authentication/authorisation bit.
In this instance, you may be using your corporate identity (which may be private) for public sites. The ability to cross-recognise identity providers through a common standard enables this.
So, why ain't I protected?
Back to the story of xDR: long story short, xDR isn't meant to protect against these types of attack (yes, you will still, or at least potentially, get hacked!).
Should I then throw away my security investments? i.e. firewall, XDR?
No, not a wise thing to do. To protect a house against thieves, you need doors, gates, good locks, windows with grilles on the inside. And you don't leave your cash and valuables lying around anywhere. You have a safe, etc. (I think you get the point). Each has its own function and purpose, and does not protect against other vulnerabilities.
Getting users to be aware is the first and foremost priority. Do not authenticate or use corporate credentials on unrecognised public infrastructure/sites. Keep private browsing private. Unfortunately, the proliferation of personal devices with corporate access blurs the line of what can and cannot be done on a device (that's another rant for another day).
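To make the "passport" point and the xDR blind spot concrete, here is an added example (not from the original article or any product it mentions). It models a simplified bearer token and shows that the SaaS side only checks the token's signature and expiry, never which machine presents it, so the useful detection signal lives in the identity provider or SaaS audit log rather than on the endpoint. The token format, signing key, users, IPs and audit events are all constructed for the illustration.

```python
import base64, hashlib, hmac, json
from collections import defaultdict

# Constructed demo key for this illustration only; a real IdP uses its own signing keys.
SIGNING_KEY = b"constructed-demo-signing-key"

def issue_token(subject, scopes, issued_at, ttl=3600):
    """Simplified bearer token: base64 payload plus HMAC signature (constructed format)."""
    payload = {"sub": subject, "scope": scopes, "exp": issued_at + ttl}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def accept_token(token, now):
    """What the SaaS resource server checks: signature and expiry only. It has no view of
    the endpoint, so a token copied off a managed laptop is just as valid from any other machine."""
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    return payload if payload["exp"] > now else None

def token_fingerprint(token):
    """Audit logs should record a hash of the token, never the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def flag_token_reuse(events, max_sources=1):
    """IdP/SaaS-side detection: one token presented from more than max_sources distinct
    (src_ip, user_agent) pairs. Returns the flagged token fingerprints, sorted."""
    sources = defaultdict(set)
    for e in events:
        sources[e["token"]].add((e["src_ip"], e["user_agent"]))
    return sorted(t for t, s in sources.items() if len(s) > max_sources)

# Constructed sample: a token issued to alice, used from her laptop and then from elsewhere.
T0 = 1_700_000_000
ALICE = issue_token("alice@example.com", ["mail.read", "files.read"], T0)
SAMPLE_EVENTS = [
    {"token": token_fingerprint(ALICE), "src_ip": "10.1.2.3", "user_agent": "Chrome/120"},
    {"token": token_fingerprint(ALICE), "src_ip": "10.1.2.3", "user_agent": "Chrome/120"},
    {"token": token_fingerprint(ALICE), "src_ip": "203.0.113.9", "user_agent": "python-requests/2.31"},
]

if __name__ == "__main__":
    # The same bearer token is accepted no matter who presents it; only the
    # service-side log shows that it was used from a second source.
    print(accept_token(ALICE, T0 + 60)["sub"])
    print(flag_token_reuse(SAMPLE_EVENTS))
```

The reuse check is a starting point, not a complete control: legitimate roaming between networks also trips it, so in practice it is tuned with device posture, geography and time windows, and paired with short token lifetimes and revocation.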
Conclusion
Threats are constantly evolving. When you think you've got it all sorted out, you realise that the not-so-good guys haven't been sleeping and have been working on something not-so-good, trying to overcome the good stuff you've put in. Remember, it's a marathon, not a sprint.
Author: ORCID ID - Suresh Ramasamy: 0000-0003-4562-037X
This article is mirrored in Linkedin at https://www.linkedin.com/pulse/evolving-threats-oauth-token-abuse-ts-dr-suresh-4icec