
Why Identity Security Can’t End at Authentication

Okta recently published a notice about a vishing (voice phishing) campaign built specifically around credential capture. Once the adversaries intercept a victim's login credentials, they replay them to get into the internal SaaS ecosystem (or network) and then spray them against other internal logins. 

The campaign uses customizable phishing kits that mimic the victim's enterprise authentication portal (e.g. Google Drive, Microsoft, Okta, etc.), leading the victim to hand over their credentials, and to approve an MFA prompt, without realizing it. 

Humans are human, and mistakes happen. So what is your defensive plan of action when a seemingly authenticated 'user' logs in?

What Happens When the Login Is Real — but the User Isn’t

This is not a new problem, but it is gaining more attention as adversaries advance and insider threats become more commonplace. This campaign is just the latest example. If the compromised identity looks like the rightful user and has the same access as the rightful user, how do you tell legitimate activity from malicious?

Sure, threat hunters can look for specific 'tells' associated with threat groups or with malicious actions to gain insight into a compromised user's intent. A classic example of this kind of 'tell' is "whoami". 

When a rightful user logs into their own system, they don't need to ask who they are. But when an attacker logs in as that user, they need to learn the context they are running in. Some (arguably lower-skill) adversaries will run "whoami" to identify the account they are running as on that system. From there they can work out what access that user has on the local system, the domain, or other systems on the network. Bingo.
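The "whoami" tell can be turned into a concrete hunt rule. The following is an added example (not code from the original post or from Reveal) that runs over constructed process and logon telemetry and flags a session in which two or more distinct discovery commands (whoami, net user, nltest, etc.) run within ten minutes of an interactive logon. The event schema, the discovery list and the sample events are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Commands an intruder typically runs to learn the context they landed in
# (ATT&CK T1033 "System Owner/User Discovery" and its neighbours).
# Hypothetical list; tune it to your environment.
DISCOVERY_COMMANDS = {
    "whoami", "net user", "net group", "nltest", "ipconfig", "systeminfo", "klist",
}

# Constructed sample telemetry: one interactive logon per session, then
# process-creation events. Schema is an assumption for this example.
SAMPLE_EVENTS = [
    {"ts": "2024-06-03T09:00:05Z", "host": "WS-ALICE", "user": "alice", "type": "logon",   "cmd": ""},
    {"ts": "2024-06-03T09:00:40Z", "host": "WS-ALICE", "user": "alice", "type": "process", "cmd": "outlook.exe"},
    # Late-night logon followed by rapid-fire discovery: the 'tell'.
    {"ts": "2024-06-03T22:14:02Z", "host": "WS-ALICE", "user": "alice", "type": "logon",   "cmd": ""},
    {"ts": "2024-06-03T22:14:20Z", "host": "WS-ALICE", "user": "alice", "type": "process", "cmd": "cmd.exe"},
    {"ts": "2024-06-03T22:14:31Z", "host": "WS-ALICE", "user": "alice", "type": "process", "cmd": "whoami /all"},
    {"ts": "2024-06-03T22:15:10Z", "host": "WS-ALICE", "user": "alice", "type": "process", "cmd": 'net group "Domain Admins" /domain'},
    {"ts": "2024-06-03T22:16:45Z", "host": "WS-ALICE", "user": "alice", "type": "process", "cmd": "nltest /dclist:corp"},
    # A single whoami hours after logon (e.g. helpdesk troubleshooting) should not fire.
    {"ts": "2024-06-04T08:30:00Z", "host": "WS-BOB",   "user": "bob",   "type": "logon",   "cmd": ""},
    {"ts": "2024-06-04T13:45:00Z", "host": "WS-BOB",   "user": "bob",   "type": "process", "cmd": "whoami"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def discovery_keyword(cmd):
    """Return the discovery command a command line starts with, or None."""
    c = cmd.lower().strip()
    for d in DISCOVERY_COMMANDS:
        if c == d or c.startswith(d + " "):
            return d
    return None


def find_recon_after_logon(events, window=timedelta(minutes=10), min_commands=2):
    """One alert per (host, user, logon) where at least `min_commands` distinct
    discovery commands ran within `window` of that logon."""
    last_logon = {}                 # (host, user) -> time of most recent logon
    seen = defaultdict(set)         # (host, user) -> discovery commands seen this session
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e["user"])
        t = parse_ts(e["ts"])
        if e["type"] == "logon":
            last_logon[key] = t
            seen[key] = set()       # a new logon starts a new session
            continue
        if key not in last_logon or t - last_logon[key] > window:
            continue                # outside the post-logon window: ignore
        kw = discovery_keyword(e["cmd"])
        if kw is None:
            continue
        seen[key].add(kw)
        if len(seen[key]) == min_commands:   # fire exactly once per session
            alerts.append({
                "host": e["host"], "user": e["user"],
                "logon_ts": last_logon[key].isoformat(),
                "detected_ts": t.isoformat(),
                "commands": sorted(seen[key]),
            })
    return alerts


if __name__ == "__main__":
    for a in find_recon_after_logon(SAMPLE_EVENTS):
        print(a)
```

On the sample data this produces a single alert for alice's 22:14 session (whoami followed by net group), and nothing for bob, whose lone whoami is hours after logon. The rule is cheap and precise, which is exactly why it only catches adversaries who still bother to run these commands.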

Why Traditional Threat Hunting Falls Short

But adversaries are getting wiser and more advanced. These simple tells are becoming fewer and farther between, and hunting for them places a heavy burden on your security team to conceptualize each one in advance and then go looking for it. More and more compromises slip through the cracks. So how else can we identify when a seemingly legitimate login is actually a malicious actor?

Behavior Is Harder to Fake Than Credentials – the Solution

With enough telemetry from a system and a clear picture of a user's 'BAU' (Business as Usual) activity, we can use statistics to identify anomalous or outlier behavior. Some of these outliers will be benign, but others, like a massive download of files from a SaaS provider (such as a Google Workspace folder), can indicate something far more malicious. 

With that telemetry and a machine learning model in place, you no longer rely on your defenders to dream up and hunt for each specific scenario. The outliers simply float to the top of your alert pile for investigation. Awesome.
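To make the statistical approach concrete, here is an added example (not Reveal's detection logic and not code from the original post) that baselines each user's daily SaaS download volume and scores every day with a modified z-score built on the median and the median absolute deviation (MAD), which a single huge day cannot drag around the way a mean and standard deviation can. The event schema, the per-user download figures and the 3.5 threshold are assumptions made for the example; the MAD-zero fallback uses the mean absolute deviation, as in Iglewicz and Hoaglin's formulation.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, median

MB = 1_000_000


def _daily_events(user, start, mbs):
    """Build constructed download events, one per day, from a list of MB totals."""
    return [
        {"user": user,
         "ts": (start + timedelta(days=i)).isoformat() + "T10:00:00Z",
         "bytes": m * MB}
        for i, m in enumerate(mbs)
    ]


START = date(2024, 6, 1)
# Constructed sample data (assumption for this example):
#  alice: ten ordinary days, then a 6.2 GB bulk export
#  bob:   nearly flat usage (MAD of zero exercises the fallback path)
#  carol: perfectly flat usage (no deviation at all)
SAMPLE_EVENTS = (
    _daily_events("alice", START, [52, 61, 48, 70, 55, 66, 49, 58, 73, 51, 6200])
    + _daily_events("bob", START, [30, 31, 30, 29, 30, 31, 30, 30, 29, 31, 30])
    + _daily_events("carol", START, [10, 10, 10, 10, 10])
)


def daily_totals(events):
    """Aggregate raw download events into {user: {YYYY-MM-DD: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["user"]][e["ts"][:10]] += e["bytes"]
    return totals


def modified_zscores(values):
    """Modified z-score: 0.6745 * (x - median) / MAD.
    If MAD is 0 (flat baseline) fall back to (x - median) / (1.253314 * meanAD);
    if that is 0 too, every value equals the baseline and scores 0."""
    med = median(values)
    devs = [abs(v - med) for v in values]
    mad = median(devs)
    if mad > 0:
        return [0.6745 * (v - med) / mad for v in values]
    mean_ad = mean(devs)
    if mean_ad == 0:
        return [0.0 for _ in values]
    return [(v - med) / (1.253314 * mean_ad) for v in values]


def find_outlier_days(events, threshold=3.5):
    """Return user-days whose download volume sits far above that user's own
    baseline. Only the high side matters here: a quiet day is not exfiltration."""
    alerts = []
    for user, per_day in daily_totals(events).items():
        days = sorted(per_day)
        scores = modified_zscores([per_day[d] for d in days])
        for d, s in zip(days, scores):
            if s > threshold:
                alerts.append({"user": user, "date": d,
                               "bytes": per_day[d], "score": round(s, 1)})
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for a in find_outlier_days(SAMPLE_EVENTS):
        print(a)
```

Only alice's 6.2 GB day surfaces; bob's one-megabyte wobbles and carol's flat line score well under the threshold. The score is a ranking signal, not a verdict: a legitimate offboarding export will score just as high, which is why outliers are routed to an analyst rather than auto-blocked. In production you would also require a minimum baseline length before scoring a user and baseline per weekday or per role, since a finance close or a release week is BAU for some people and an anomaly for others.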

Reveal: Security After the Login

At Reveal, we have built that system. With multiple integrations in place, you get an overlay across your enterprise (e.g. your SaaS and your EDR in one spot) that lets you triage identity journeys for anomalies far faster than a traditional alerting tool or SIEM. By building our detections on statistical anomalies, we let SOC analysts be less like the firemen of Fahrenheit 451, reacting to alarms after the damage is done, and more like the Grammaton Clerics of Equilibrium, identifying and neutralizing threats before they escalate. 

To fight advanced adversaries you need advanced tools, and Reveal is helping to shift the power balance away from offense and back to defense.

Learn more about the Reveal platform here.