The news that hacking group Lapsus$ gained unauthorized access to a Single Sign-On (SSO) provider through a third-party support account sent chills through infosec professionals everywhere. Enterprises have adopted SSO solutions to enable a modern workforce that is increasingly reliant on secure access to cloud-hosted applications to perform critical business functions.
We call on every organization to delve in to understand the risks associated with moving critical authentication services to third party providers and ensure that sufficient controls are implemented to minimize the risk. Managed security service providers play a lead role in helping to maintain a close eye on SSO data sources.
For organizations that use an SSO provider, a tailored monitoring, detection and response strategy is required. The Sumo Logic Threat Labs and Global Operations Center (GOC) teams have been there before and understand what it is like to be caught without the right logs while struggling to interpret a new log source and spending countless hours pondering how to distill the nuanced signals of an intrusion. In this post, we’ve distilled a monitoring, detection, and response strategy that can allow you to stay ahead of changing attack surfaces as it relates to SSO sources.
First things first, If you are using a popular SSO identity provider and not sending the logs to a SIEM or log management platform, stop reading this. Go and enable logging (make sure you double check the log levels) and then forward to a SIEM or log management system immediately.
Most identity providers will retain logs for some period of time but forwarding these critical events to a secure, long-term storage solution, like Sumo Logic Cloud SIEM or other relevant platform, is highly recommended.
SSO configuration hygiene requirements:
- Enforce Multi-Factor Authentication (MFA) as part of the authentication process; FIDO hard tokens are the most secure, mobile push notifications are the next best option but are increasingly under attack. SMS codes are considered the least secure but are better than nothing at all.
- Review security features that can be enabled (some at no cost, others require a subscription) to provide additional layers of security.
- Assess built-in settings to disable support access, you should disable access, only enabling it when support is required.
- Enable logging and set to the appropriate log level.
- Deliver logs to a SIEM or log management tool. Ensure log retention meets regulator or organizational requirements.
Build a Detection Strategy
How can an organization actually detect a successful attack against its SSO infrastructure?
The first thing that should be acknowledged is this: there is no “smoking gun” search, alert or single detection that indicates an account has been compromised. Visibility into all things, including the cloud, requires an understanding of how to establish a baseline and surface anomalies is critical for defenders.
When we dive into some of the attack paths we have observed in SSO logs, we have determined that a single SSO account with a password reset is a notable event, but when considered on its own, does not necessarily suggest a compromise has occurred. However, if we observe the same SSO account with anomalous MFA push notifications, a password reset, an MFA reset and some unusual SSO application access, that is certainly more interesting.
Typical examples of activities to track include accounts granted SSO Administrator privileges, external support access to SSO environment, password or MFA reset activity from unexpected accounts. Example attack paths include unexpected SSO provider service access, anomalous password resets, credential theft, password spray attacks, deviations in failed logins, high volume password spray, MFA push notification fatigue, unusual MFA and password reset activity, unusual SSO app access, user application access deviation, unauthorized app access attempts, and the list goes on from here!
In summary, the Sumo Logic cloud security monitoring solution makes easy work of slicing and dicing your SSO log data to identify potential signs of compromised credentials. Furthermore, Sumo Logic Cloud SIEM provides out-of-the-box security rules for normalized authentication log data and additional rules specific to SSO providers. Signals generated from these rules apply risk to entities, and Cloud SIEM automatically creates Insights if risk thresholds are exceeded. This provides customers with a powerful security solution they can easily adapt and custom tailor to their specific environment.