Identity: The Third Phase of Security Operations

Information security has long been divided into two primary disciplines: host-based and network-focused endeavors. While some sub-disciplines emerged over time, such as application or cloud security, often these "piggyback" on existing tools geared toward hosts or networks for their execution and investigation. 

However, in line with migration to cloud infrastructure and related trends, a new and unique field within information security has emerged: Identity.

Expanding the Framework

Historically, “identity” has fallen under network or host security. In the former, identity relates to authentication traffic and communication; in the latter, identity is reflected in the use (and abuse) of passwords and permissions. Yet the movement toward cloud infrastructure and distributed applications has smashed these siloed frameworks, breaking identity out of the classic duality of information security, and making it the new frontier in security operations.

Essentially, identity has become its own class of security—both as a subject for investigation, and as a problem area for network owners to address. This shift is driven by the fact that identity is not within the realm of the network owner anymore—where network or host logs can identify its abuse or misuse—but rather in third-party environments that may be inaccessible or require new, emerging solutions to reasonably track and monitor.

Skeptical audiences might argue that the host-network duality still holds. Yet discussions within the defender realm are immaterial, as identity’s emergence as a critical space for security has already been decided for us: through identity's use and application in increasingly ambitious operations from adversaries. 

At its simplest, identity is something to be stolen, spoofed, or manipulated, such as in business email compromise (BEC) or similar cases of financial fraud. But at its most complex, entire systems of authentication, identity management and verification have been subverted by threat actors to undermine entire systems of identity management. Such ambitious actions then enable further compromise and information collection.

Real-World Wake-Up Calls

We need only look to recent examples to illustrate the above.

In July 2023, Microsoft published limited information on a group tracked as Storm-0558. The entity, assessed as China-based, subverted controls in Microsoft’s cloud infrastructure to harvest information from multiple government agencies, including the US State and Commerce departments. Interestingly, researchers outside of Microsoft identified ways in which the identified breach could be extended much further through the compromise of a critical signing key for establishing and verifying identification within the Microsoft cloud ecosystem. While this report is currently disputed by Microsoft, its implications remain clear: threat actors have moved beyond the compromise of systems and leveraging malicious traffic to identifying mechanisms to circumvent and abuse core trust and identification technologies at the heart of modern distributed and cloud-based operations.

The Storm-0558 activity is a recent and concerning development around the subversion and compromise of identity in information operations. More “mundane” operations—such as BEC—may appear to be less technically savvy, but still accounted for over $2 billion in company losses in 2022. Core to BEC’s success is the ability to spoof or otherwise take over trusted party identities in communication streams, made all the easier as organizations move critical communication infrastructure (chat and email) to third-party providers with varying degrees of security control and monitoring. As a result, defenders may wish to dispute the importance or uniqueness of identity as a security concern. But adversaries—from financially-motivated criminal entities to state-sponsored threats—have already migrated to this ecosystem and are using it to great effect.

Adapting to the New Normal

With this in mind, security operations must adapt to the new reality of adversary activity. Notably, existing visibility and controls around the network-host duality are not only insufficient, but completely unaware of activity targeting identity in distributed software and cloud infrastructure platforms. The data resides with the provider, and organizations leveraging these providers (Microsoft, Amazon, Google, or others) are at the mercy of the provider’s monitoring and security to identify core compromises of the respective platforms. Therefore, uncovering ways to identify compromise scenarios around third-party identity and access management platforms, such as a cloud provider, is an urgent task for today’s system and business owners.

Along these lines, Tenable recently published an advisory concerning Microsoft Azure, where an attacker, through unspecified means, could access information from other tenants, including authentication secrets. While this specific concern remains under investigation, all of the relevant activity for capturing information (including critical identity information for authentication) resides on the provider’s side of the equation, meaning victim organizations will be unaware of a breach (or even risk) until after the adversary has executed operations. Furthermore, as this is a platform design issue, the items in question discovered by Tenable will not even merit a CVE as this moves beyond a software flaw and into the realm of fundamental issues with distributed authentication and identity verification.

The Call to Arms

To sum up, adversaries have recognized identity's value, and are relentlessly pursuing means to subvert, spoof, or otherwise compromise this field to achieve ends ranging from classic espionage to financial gain. To meet this threat, defenders need to move beyond the classic network-host duality to embrace identity as a new battleground. Unfortunately, the nature of this space makes defensive efforts difficult with significant friction.

In the process of moving operations, data, and other elements to third-party managed ecosystems, organizations have also outsourced their security, monitoring, and awareness to the same organizations. Identity thus resides increasingly in a realm of implicit trust, that in signing up for a given service or offering, the providers will maintain some minimally acceptable guarantee of security, privacy, and confidentiality for the items residing on their portal. Unfortunately, whether looking at incidents such as the Storm-0558 activity or more mundane (but incredibly costly) actions such as multi-factor authentication token theft en route to BEC or other fraudulent activity, providers either operate at a lag to events (exposing tenants and customers to loss or disaster) or simply manage platforms with built-in design flaws that place their users at risk.

Within this troubled and troubling ecosystem, asset owners and network operators need to regain control of identity management and security. Where information is largely offloaded to third-party platforms, organizations must look for opportunities to access and ingest whatever data is available to assess and determine the security and privacy of critical information, not just the data housed on such servers, but the accounts and related account information used to authenticate to such systems. As providers move toward expanded cloud offerings of identity management and authentication, clients must move in step to either demand greater visibility around such actions or leverage resources to monitor and review activity within the relevant tenants for signs of malicious activity. 

While the path ahead may be daunting, mastering identity security is not merely desirable but necessary for stakeholders operating in modern, distributed environments.