The US cybersecurity agency CISA and the NSA have published new guidance on implementing identity and access management (IAM), focusing on the challenges that developers and vendors face.
Released half a year after guidance for IAM administrators and mainly intended for large organizations (though it serves smaller businesses as well), the new publication – named Identity and Access Management: Developer and Vendor Challenges (PDF) – focuses on best practices to help organizations reduce the impact of threats to IAM.
The document details techniques that threat actors commonly use, such as creating new accounts for persistence, taking over employee accounts, exploiting vulnerabilities to force authentication, creating alternative entry points, compromising passwords, exploiting default credentials, and gaining access to systems in order to obtain the credentials stored on them.
As the document points out, Iranian threat actors have been observed exploiting IAM vulnerabilities to compromise credentials, escalate privileges, and establish persistence. The obtained access could be leveraged for data exfiltration and encryption, and other malicious activities.
“Exploiting known IAM vulnerabilities could allow a bad actor the same access to resources as legitimate users by mimicking legitimate activity which complicates detection of the bad actor. This provides the bad actor more time to gain access to resources and elevate privileges to gain persistent access,” CISA and the NSA explain.
The two agencies also note that threat actors have been observed increasingly exploiting Single Sign-On (SSO) functions to gain access to protected resources throughout the victim organization.
“Defending against this broad spectrum of attacks requires a comprehensive IAM solution, with operational awareness of the environment to detect anomalies and attribute anomalous activity to adversary exploits,” the guidance reads.
To mitigate threats to IAM, organizations need to focus on identity governance, environmental hardening, identity federation and SSO, multi-factor authentication (MFA), and IAM monitoring and auditing, the two agencies say.
These mitigations allow organizations to better manage user accounts, their privileges, and access to resources, secure both software and hardware around the IAM solution, simplify identity management, improve account security by not relying solely on passwords, and counter internal threats alongside external ones.
By implementing security best practices in IAM, organizations can prevent attacks such as phishing and social engineering, the creation of new accounts for persistence, unsanctioned access to sensitive data and resources, credential stuffing, and unwanted employee access to restricted resources.
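The monitoring-and-auditing mitigation above is the one that is easiest to show in code. The following is an added example, not code from the article or from the CISA/NSA guidance: a small audit-log review that flags two of the patterns the guidance lists, a newly created account that is handed a privileged role shortly after creation (the "new accounts for persistence" pattern) and logins that relied on a password alone. The log format, field names, role names and the sample events are all constructed assumptions for the example; map them onto your own identity provider's audit export.

```python
"""Toy IAM audit review for two patterns the CISA/NSA guidance calls out.

Assumed log format (one event per line, constructed for this example):
    <ISO-8601 timestamp> <ACTION> key=value key=value ...
"""
from datetime import datetime, timedelta

# Assumed names of roles that count as privileged in this toy environment.
PRIVILEGED_ROLES = {"GlobalAdmin", "DomainAdmin", "SecurityAdmin"}

# Constructed sample audit events; not taken from any real environment.
SAMPLE_EVENTS = [
    "2023-10-05T08:00:12Z CREATE_USER actor=svc-hr target=jdoe",
    "2023-10-05T08:03:40Z LOGIN actor=jdoe target=jdoe mfa=true",
    "2023-10-05T09:15:02Z CREATE_USER actor=backup-admin target=svc-sync2",
    "2023-10-05T09:16:55Z GRANT_ROLE actor=backup-admin target=svc-sync2 role=GlobalAdmin",
    "2023-10-05T09:20:10Z LOGIN actor=svc-sync2 target=svc-sync2 mfa=false",
    "2023-10-06T10:00:00Z GRANT_ROLE actor=it-lead target=jdoe role=HelpDesk",
    "2023-10-07T11:30:00Z LOGIN actor=mlee target=mlee mfa=false",
]


def parse_event(line):
    """Turn one log line into a dict with a datetime 'ts', an 'action' and the key=value fields."""
    ts, action, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "action": action}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def fast_privilege_grants(events, window=timedelta(hours=24)):
    """Accounts that received a privileged role within `window` of being created.

    Returns a list of dicts; 'same_actor' is True when the operator who created
    the account is also the one who elevated it, which is worth a closer look.
    """
    created_at = {}   # target account -> (creation time, creating actor)
    hits = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["action"] == "CREATE_USER":
            created_at[event["target"]] = (event["ts"], event["actor"])
        elif event["action"] == "GRANT_ROLE" and event.get("role") in PRIVILEGED_ROLES:
            creation = created_at.get(event["target"])
            if creation is None:
                continue  # account predates the log window; nothing to compare against
            born, creator = creation
            age = event["ts"] - born
            if age <= window:
                hits.append({
                    "account": event["target"],
                    "role": event["role"],
                    "granted_by": event["actor"],
                    "seconds_after_creation": int(age.total_seconds()),
                    "same_actor": event["actor"] == creator,
                })
    return hits


def password_only_logins(events):
    """Sorted list of users who authenticated without a second factor."""
    return sorted({e["actor"] for e in events
                   if e["action"] == "LOGIN" and e.get("mfa") == "false"})


def review(lines):
    """Run both checks over raw log lines and return the findings."""
    events = [parse_event(line) for line in lines]
    return {
        "fast_privilege_grants": fast_privilege_grants(events),
        "password_only_logins": password_only_logins(events),
    }


if __name__ == "__main__":
    for check, findings in review(SAMPLE_EVENTS).items():
        print(f"{check}:")
        for finding in findings:
            print(f"  {finding}")
```

On the sample data the review flags `svc-sync2`, which was created and made `GlobalAdmin` by the same operator less than two minutes apart and then logged in without MFA, while `jdoe` receiving a non-privileged role a day later is left alone. In practice the time window and the set of privileged roles are the two knobs to tune, and the output belongs in a ticket queue rather than a print statement.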
CISA and the NSA encourage all organizations to review the new guidance and implement the recommended mitigations where applicable, in order to assess their IAM posture and risks, harden their environments, and minimize the impact of any exploitation of IAM weaknesses.
“America’s critical infrastructure is a prime target for a broad spectrum of threat sources including advanced and ongoing attacks from nation state and terrorist organizations. These threats are real, ongoing, and evolving and the cybersecurity community is especially concerned about certain credible threats to IAM and SSO,” CISA and the NSA note.