Press Release
OAKLAND, CA – June 20, 2024 – A study of the impact of identity provider compromises by security researchers at Doyensec, in collaboration with Teleport, has revealed the risks enterprises expose themselves to by increasingly relying on Single Sign-On (SSO). Although sold by Identity Providers (IdPs) for their convenience and security, the solutions can amplify the impact of breaches. The research shows these impacts can be significantly mitigated once additional layers of security are placed between the IdP and the linked applications and services.
The research arrives at a time when threat actors are accelerating attacks on identity. The recent breach of UnitedHealth Group’s Change Healthcare unit is just one of many high-profile examples in 2024, expected to cost that company up to $1.6 billion. Because of the role that IdPs play in centralizing authentication within organizations, threat actors can breach a user account and then pivot laterally to sensitive systems and data.
“No SSO provider should be assumed to be secure,” says Ev Kontsevoy, CEO at Teleport. “With SSO, if one individual’s identity is compromised, you could be handing over the master key to the castle. SSO does offer considerable convenience, but unauthorized access to one individual’s credentials exposes every platform and service for which that individual has privileges. Without additional defense in place, SSO by itself does not thwart identity-based attacks.”
Teleport worked with Doyensec to simulate IdP attack vectors ranging from full IdP compromise (affecting all IdP customers) to compromise of a single IdP instance (affecting a specific company) through either privileged or unprivileged users. The latter is more common; entry patterns used by attackers include social engineering, broad-based or spear phishing campaigns, bribing employees for 2FA codes, prompt-bombing, credential stuffing, session hijacking, password spraying, and access token leakage.
The findings reveal that the potential impact of IdP compromise can include the theft of application and user data, impersonation of non-privileged and privileged users, spying on users and their activity, downgrading of service provider security, and creation of new users and credentials.
To resolve these risks, Doyensec and Teleport concluded that services linked to a central source of authentication should introduce key mechanisms to defend against potential IdP compromise – an approach called Infrastructure Defense-in-Depth.
“What’s clear is that vulnerabilities in SSO and IdP platforms can have catastrophic impacts,” says Luca Carettoni, CEO at Doyensec. “Applying a defense-in-depth security layer on top of service providers can significantly limit the outcomes of a successful SSO provider compromise and reduce the impact against the protected infrastructure. The configuration of the defense-in-depth layer is extremely important to a company’s overall defense posture.”
Doyensec identified a set of key features and configurations that enable defense-in-depth against IdP compromise and tested these in the Teleport environment. In their tested scenarios, the infrastructure protected by Teleport remained secure in all forms of IdP compromise.
Phishing-resistant MFA-based features (per-session MFA, MFA for Administrative Actions, Web Authentication, and Device Trust) ensured that attackers could not breach further into downstream infrastructure. Access Requests and Dual Authorization eliminated standing privileges, enforcing the principle of least privilege and shrinking the possible attack surface. Additionally, features such as Mandatory MFA Enrollment enforced the security controls necessary to maintain defense, eliminating weak access patterns. Doyensec recommended further configuration hardening to prevent role mapping attacks and exploitation of auto-provisioning of new users.
Defense in depth is an even more urgent concern for modern infrastructure. Jack Poller, Principal Analyst at Paradigm Technica, noted, “Critically, in modern infrastructure, every access is a privileged access. Gaining access to a DevOps credential gives the attacker carte blanche access to the entire infrastructure, applications, and all the sensitive and critical corporate data.”
A full description of features, hardening strategies, and a security checklist for verifying the implementation of security controls is available in this white paper.