How to Keep an Identity Attack from Compromising your Infrastructure

How to Keep an Identity Attack from Compromising your Infrastructure

Identity Platforms (IdP) provide organizations with incredible convenience with Single Sign-On (SSO). However, if IdPs are compromised, the ‘keys to the castle’ can be left vulnerable, making the rest of the organization’s infrastructure vulnerable as well.

Attackers are not hacking in, they’re logging in. To mitigate the risks that come with passwords, organizations need to adopt a passwordless authentication method paired with an Infrastructure Defense-in-Depth (IDiD) approach to security. With these additional security measures in place, an IdP breach can be prevented from causing further compromise in your downstream systems and data.

In this webinar, learn how you can implement IDiD without negatively impacting your organization's productivity.

We will cover these topics:

• How IdP attacks work and why organizations need to be protected from them
• 5 best practices for hardening your infrastructure
• How to incorporate on-demand, least privileged access in your infrastructure using cryptographic identity and Zero Trust

This webinar is designed for security engineers, security architects and other IT professionals who are responsible for ensuring the security of their organization’s infrastructure.

Key topics on How to Keep an Identity Attack from Compromising Your Infrastructure

• Identity has become the primary attack vector, with 75% of cyber-attacks leveraging compromised or stolen credentials.
• Identity provider (IDP) platforms can lead to vulnerabilities if breached, ranging from non-privileged account compromise to full IDP compromise.
• The five best practices for hardening infrastructure access include:
• Implementing least privilege (especially for admin roles)
• Requiring MFA for administrative actions
• Using per-session, phishing-resistant MFA for all infrastructure resources
• Implementing Access Requests with least privilege
• Utilizing Device Trust to recognize and authenticate unfamiliar devices
• The webinar provided an overview of what Teleport Access Platform offers, including:
• On-demand, least privileged access without storing secrets
• Cryptographic identity and zero trust security
• Protection for users, machines, and workloads
• Identity governance and policy enforcement
• The webinar also covered Teleport platform benefits such as:
• Improved workforce productivity
• Simplified access management across all infrastructure
• Elimination of credential-based attack surfaces
• Reduced attack vectors through elimination of standing privileges
• Enhanced compliance with various regulations
• Teleport bridges the gap between different infrastructure types (cloud-native, Windows, Linux, SSH) and provides a single pane of glass for management.
• The Teleport platform also helps reduce friction between engineering and security teams by balancing security needs with productivity requirements.

Expanding your knowledge on How to Keep an Identity Attack from Compromising Your Infrastructure

• Teleport 16
• Teleport Access
• Teleport Identity
• Teleport Policy
• Teleport Device Trust
• Teleport Machine ID
• Teleport Passwordless
• Teleport Server Access
• Teleport Application Access
• Teleport Kubernetes Access Guide
• Teleport Database Access
• SAML Identity Provider Access
• Teleport Workload Identity

Transcript - How to Keep an Identity Attack from Compromising Your Infrastructure

Introduction

Eddie: Welcome to today's webinar — people are still logging in. So we're going to wait a minute. And then I will get started.

[silence]

Eddie: And we still have quite a few people logging in. So I'm going to wait a few more seconds. Okay. I think we can get started now. Hey, welcome to the webinar. My name is Eddie Glenn. I'm the Director of Product Marketing at Teleport. I'm very excited to be with you here today. This is a topic I'm very passionate about. Just a little bit about me. I started off my career writing safety-critical software for avionics. And from there, I just kind of stuck with security and software development and safety throughout most of my career. And I really enjoy the topic. The other thing that you'll see in this presentation is another passion of mine — some science fiction. So I always, whenever I get a chance, try to tie the two together. Just a quick reminder, this webinar is being recorded. And we will send out the recording to you probably tomorrow, maybe on Monday. And if you have any questions, be sure and go to the Q&A window and post your question there. And I'll get to the questions at the end if there's enough time. And if we don't get to your questions, then we will definitely follow up with you one-on-one.

Eddie: So today's topic is how to keep an identity attack from compromising your infrastructure. And before I really jump into the bulk of the presentation, I thought I'd tell a couple of stories. And the first one I want to talk to you about is this small little town in Colorado called Patience. I'm not sure if you've heard of Patience, Colorado. But it's kind of famous. And there's a guy that lives there. His name is Dr. Harry Vanderspeigle. And he's the town doctor. And he's beloved and trusted by all the fine people of Patience. He's an advisor to the mayor. He has keys to the city. Everyone trusts him literally with their lives because he's the only doctor in town. And he's a very friendly-looking guy. A little quirky maybe is how best to describe him. But there is a really dark secret about Dr. Vanderspeigle. And I was going to mention, he does have credentials. He has an ID. He has a stethoscope that he's used for like 30 years when he's been in practice. So when people see him, they really believe this is Dr. Vanderspeigle.

Eddie: But this is his secret. He's really an alien in disguise. No one knows it because he has fooled everyone in the town. He has the same fingerprints, same ID, et cetera. And this is where the quirkiness comes into play. He has some mannerisms that might be a little off. But the fine people of Patience believe that it's him. And there's only one little boy. And I don't know what his superpower is. But somehow, he can see through the human flesh disguise and realizes that it's an alien underneath. But obviously no one in the town knows him. And I think this is a really great tie-in from a popular science fiction show on the sci-fi network into the topic that we're talking about, about cybersecurity attacks that utilize identity. So if you've never watched the show, it's really good. This actor is a great actor. He's very funny and very convincing and plays a character who's really an alien. Then there's another story I wanted to tell you about based on another city halfway around the world. And that's Oxford, England. And about two years ago — Oxford is famous for many things. But a hacker from the Lapsus$ group is — they believe is based out of Oxford, and this group was able to breach Okta. And as you all probably know, Okta is an identity provider, a very major one. And this group was actually able to breach them and access internal documents with Okta, so another example of issues around identity and breaches around identity. And we're going to be talking about both of these incidents kind of throughout the rest of the presentation.

Challenges securing infrastructure access

Eddie: So now that I've kind of got the fun stuff out of the way, let's get into the meat of what I want to talk about today. First one is — I want to talk about the challenges that all of us have with securing infrastructure access. Obviously, identity attacks is one way that this gets challenged. But there are others. But today, I'm going to focus on identity — talk about how identity provider platforms can lead to vulnerabilities because we trust them. We trust that once they've confirmed who the person is, that we can allow them to access any of our infrastructure systems effortlessly, basically. And that's one of the great benefits of using an identity provider — is that it does provide that level of convenience. Then I want to talk about five best practices on how all of you can harden your infrastructure. We call it defense in depth, infrastructure defense in depth. And after that, I want to spend just a little bit of time talking about how Teleport can help you provide infrastructure defense in depth. I don't want to do this too much as a commercial. So I'm going to leave that part pretty small in the presentation. But really, I want to leave you with some education, hopefully, and something that you can take away and think about how you can improve your infrastructure access in your organization. And then we'll kind of close things out. And then we'll have a few minutes for Q&A. I respect everyone's time. So I certainly do not plan to talk for an hour at all because in my mind, it's just too long for a webinar to last. So I'll keep this short and sweet.

Eddie: So first, let's dive into what are some of the challenges around securing infrastructure access. And there are quite a few. First one, and this one is, I think, a really serious one, it's that access solutions are siloed. And this is what I mean by that. If you take a typical enterprise, you're going to have different infrastructure owned by different parts of the organization. It's going to be based on different technologies. You're going to have traditional databases running on servers on-prem. You're going to have cloud-based systems. You're going to have engineers using DevOps methodologies. These are all isolated from each other. And from someone who's responsible for protecting the security of that infrastructure, managing the access becomes extremely difficult. And the other thing that happens besides the fact that they're siloed is that many of these access controls are based on secrets. And secrets are prone to human mistakes. Employees use weak passwords. Or they forget to change their password. Or they write the password down somewhere that's insecure. Another one that's especially dear to my heart, and that is they get in the way. Being a software developer, I hate getting slowed down from doing things that I need to get done because of some security mechanisms in place. Most of them are not cloud native. And that's where most of our developers are working today, are in cloud native technologies. They don't fit DevOps workflows. I was on a customer call earlier today, and they were talking about a solution that they were trying to get their engineers to use. And it just did not work because they could not integrate it cleanly without friction into their DevOps workflows. And it's disliked by engineers.

Eddie: And then there's also high costs. I mean, there's high acquisition costs in implementing some of these solutions. There is a lot of management and implementation overhead because they are fragmented. These solutions are focused on different parts of the infrastructure and are not integrated into a single platform. So that's one aspect that makes securing infrastructure difficult. And this leads to why it's really important that we all need to think about how do we modify infrastructure access for modern times. What used to work 5, 10 years ago just does not work anymore. And a lot of that's due to cloud technologies, DevOps, and just how modern infrastructure is today. And there are many reasons why we want to modernize. But the one that I want to focus on today is really this one. And that is — identity has become the primary attack vector. 75% of cyber-attacks are now leveraging compromised or stolen credentials to execute identity-based attacks. So that's why for this particular talk today, I wanted to focus on just identity attacks because I think it's a very serious topic that we need to address.

How identity provider platforms can lead to infrastructure access vulnerabilities

Eddie: So let's talk about identity attacks. So first, let's think of a typical identity platform provider. They basically are able to authenticate that the person is who they say they are. In the case of Vanderspeigle — I forget what his actual character's name is — it looks like him, but we all know that it's really not him. And because the IDP provides a trusted relationship with all of the infrastructure, he's able to get in. So one aspect here is still an identity or compromised identity. But there's also something that's been in the news. And that was the second story that I told you about. And that is — what if attackers can breach the identity provider platform. This was of concern to Teleport so much so that we have been working with a security firm called Doyensec. And they did a lot of research around how can people help circumvent and minimize any attack on IDPs and what can be done to minimize those attacks. And they basically looked at three different levels of — or three different types of attacks on an IDP. The first one is non-privileged account compromise. And this has some limitations into what the attacker can actually do. They might be able to steal application data. They might be able to impersonate a non-privileged user. Still, these are very negative consequences. But they're kind of limited in scope.

Eddie: And the next thing that they looked at was — what if a privileged account was compromised. Well this gives the attacker more credentials and higher credentials. And they can actually do more damage within your organization. Not only can they steal application data and impersonate non-privileged users, but they can actually now start to spy on users and their activity, giving them access to very sensitive internal information. And they might even be able to downgrade application security. And finally, the most serious level of IDP compromise is when the IDP provider gets fully compromised. And this really gives the keys to the kingdom for the attacker with your infrastructure. So these are very real scenarios that we all need to be concerned about. And fortunately, between what Teleport has done and what Doyensec has researched, we think we have some solutions that will help you address some of these risks.

5 Best practices to harden your infrastructure – defense in depth

Eddie: So let's talk about some of the techniques, the best practices that you can use to implement a harder infrastructure — how can you do this with defense in depth. And these are some of the things that came out of the research that was done that we're excited to share with all of you. There are some very important tips that are practical advice. Some, you may have heard before. But some might be new. So I'm going to walk through what these five best practices are. First one is least privilege. I'm sure all of you — we've talked about that. It's not a new concept. But basically, we want to be sure, admin roles especially, that they get requested, approved, and signed to users only for the timeframe that that admin needs the access. And then the access goes away. So that's the first thing — is ephemeral administration permissions. The second aspect, and again, not completely novel, but the way we're approaching it is more of a novel technique, and that is require an MFA for administrative actions. So any administrative action should always require a multi-factor authentication step. And this will help further restrict impersonators from performing administrative actions like the state-changing actions. And with MFA, we are using things like built-in biometric sensors, either face ID, fingerprint ID. It could be external hardware token, USB token, or some kind of hardware authentication device, but again, very important in helping to prevent an impostor from gaining access to administrative privilege.

Eddie: And this one, per-session, phishing-resistant MFA, so we all know that a lot of critical systems, especially software systems, usually just require a username and password. Let's take a database as an example. We want to go beyond that and require that whenever that person accesses that database for that session, that there is a phishing-resistant MFA that's required. And one of the challenges for organizations is that a lot of those systems do not have MFA as an option. So this is something I'm going to talk about in the Teleport platform in a few minutes, that this is something that we can help do. And that is to enable per-session, phishing-resistant MFA for all of your infrastructure resources, so not just cloud systems and Windows servers and Linux servers, but databases and other kinds of software resources. We can configure those for dual authorization, especially for privileged roles. We can mandate that they're phishing-resistant for all users, not just some, or to have it not just be an option, but for everyone. And then we can implement WebAuthn as a second authentication factor. So this is the next best practice that we encourage organizations to follow.

Eddie: We talked about this one before. But I just wanted to bring it up again. But when we look at Access Requests, implement least privilege. So even if someone is able to breach your system, they don't necessarily have permanent admins privileges to any targets. And this is going to reduce your attack vectors. And Device Trust — this is one that I think a lot of people don't think about too often. But in a situation where an attacker has accessed a secret, a username and a password, and they are logging in from halfway around the world on a device that's not recognized, that's not a good thing. And this is definitely a best practice that can be put into place that has your infrastructure access control recognize if that device is trusted or not. And if it's an unrecognized device, it can be required to go through the MFA process to ensure that it is a device that you want to be on your network. So those are the five high-level best practices that we encourage our customers to implement.

How Teleport can provide infrastructure defense in depth

Eddie: And now I want to spend just a few minutes talking about who Teleport is and the Teleport Access Platform. So about us, we've been around for quite a few years. And our business is basically securing infrastructure access. We enable our customers to harden that infrastructure security by providing, on-demand, least privileged access. And we do that without having to store secrets in our system, so no passwords, no usernames. Instead, it's all based on cryptographic identity and zero trust. So this offers substantial advantages over older ways of handling that. And then we couple that access with identity security and policy governance. And we have large firms around the world that utilize and leverage our platform to ensure that their infrastructure is secure from things like identity-based attacks. And then when we look at the Teleport Access Platform, there's a couple of components to it. At the basic level, there is the platform that implements the access capabilities of what we do. And we can do things like authorization and audit, again, secretless-based authentication. It's always ephemeral privileges. It offers zero-trust networking with identity and protocol-aware proxies and reverse tunnels. It uses cryptographic identity, which is a more secure way of doing this. And we can protect not only users, but machines, workloads — workloads being things like databases or other software services. And we provide a dynamic inventory. So that forms the basis of what Teleport does.

Eddie: And then on top of that, we have a component that does Teleport Identity. That helps with governance. So it helps with access monitoring, Access Requests and reviews, along with identity locking and Device Trust. And finally, we have Teleport Policy, which also contributes to helping with governance by providing visibility into who has access to what resources in your infrastructure. This allows you to quickly determine if there is a secret access path that gives a user access to a resource that should not be accessible by that user — because you can now see the visual relationship between — this user can access this particular resource and from that resource can access another particular resource. And it also allows for policy enforcement. And that's the Teleport Access platform in a nutshell. And again, I don't want to get into a product-oriented presentation in this webinar. So I'm going to leave it at that.

Eddie: But I will talk a little bit about the benefits of the platform. So the first one that we hear from all of our customers is how much it's improved their workforce productivity. Especially when we go back to the challenge of — today's engineers are usually involved with cloud-based systems, cloud native-based systems. They do not want their productivity impacted. So this allows them to be more productive. They don't have to remember and keep track of secrets and where the secrets are stored. It allows the administration team to quickly onboard and offboard employees. It allows the administrators to determine if employees have access to certain resources that they shouldn't. Or in worst case, if there is a breach of a particular identity, they could quickly determine how many resources that person has access to. It also provides a single pane of glass across all of their infrastructure. So it doesn't matter if some of the infrastructure is cloud native, other pieces of infrastructure are Windows or Linux servers, SSH. All of these silos are bridged by the Teleport platform from an infrastructure access control perspective. And then we simplify how that access is managed and can control that access. This drastically reduces the overhead needed because it eliminates having to have people managing the different infrastructure access controls across your organization.

Eddie: Our platform can also help eliminate credential-based attack surfaces. So we can help eliminate the attacks where a particular user's identity has been compromised, their username and password has been compromised. It also helps by eliminating standing privileges. Our platform allows very easy standing up and standing down of privileges for certain resources. That reduces an attack vector because no longer does someone need to always have access to a particular resource. And then we can help you immediately remediate any kind of infrastructure, any kind of attack across all of your infrastructure by allowing you to determine who has access to what resources. And finally — and we hear this is an increasing requirement from our customers — it's the compliance aspect, that our customers need to pass audits. And there are many different kinds, from HIPAA to — you name it, in different regions, there are different regulatory agencies that our customers need to comply with. So by using our system, we check many of the boxes that meet the regulations that are needed around infrastructure access.

Eddie: And in the end, what our platform does is it allows for friction to be reduced between the engineering team and the security team. And this is something I've seen firsthand over the years to where engineers frequently try to avoid a lot of process. They try to avoid following the rules sometimes because it slows them down. And security teams can implement maybe some onerous types of security measures. And our platform basically eliminates that friction between those two groups. So I've only been able to touch on the surface of what we mean by defending against identity attacks using an infrastructure defense in-depth type of practice. But I wanted to point you to this particular resource. It's a white paper. It's largely based off of the research search that I mentioned before. And I encourage you to download it. And I think there's going to be really useful information in there for your organization. And then the other thing that I wanted to leave you with today is we're having our annual user conference in September in San Francisco. And we would love to have more of you attend. Even if you aren't a customer, we want like-minded people that are concerned about infrastructure access to attend because we learn from each other. And to encourage more people to attend, if you're on this webinar today, we're offering a 50% discount for the registration fee. Again, that's in September. And we already have a really exciting slate of topics that we're going to be discussing, not to mention those, but as well as the networking that is just happening during lunch and over breaks. But we would really love to see you there.

Q&A

Eddie: And with that, I have time for a few questions. And then I will give you back some time so you can get on with the rest of your day. So thank you so much for attending. And let me check to see what questions have come in. Okay. So first question is, "You mentioned phishing-resistant MFA per session," the question was — how can we implement this if our service doesn't support MFA. And I think I addressed this, but maybe not clearly enough. But basically, Teleport Access Platform allows you to do that, even if the underlying software service doesn't support that. Next question is around — does Teleport run in the cloud or on-premise. And the answer is both. We support both. So that is options for you. And then the third question is about — is there information on the user conference online. And there is. There is a URL right here that points directly to that users' conference. I forgot to add a QR code. So you can't scan it. But it's there.

Eddie: And let me see what else do we have. So someone asked about Yubico keys. And that was something I forgot to address at the start of the call. Yubico, unfortunately, had a conflict. And they had to not be able to participate today. And I briefly talked about hardware keys, which obviously, Yubico would fall in that area. But I didn't feel comfortable explaining any more about their solutions since their experts weren't able to participate in today's conference. So we apologize for that. It was a very last-minute change. And so yes, they weren't able to attend. And the last question I have, because I would like to finish this up in a half hour is, could you explain more about what Teleport means by machine — or I'm sorry, Device Trust. And again, Device Trust is just a way for us to be able to establish that a particular machine, be it a laptop, a server, et cetera, is trusted by infrastructure access control so that if an unknown machine comes into the network, we're able to flag that as being a device that's not trusted. So with that, I've kept us under 30 minutes. I really appreciate your time today. Thank you so much for attending. And if you have more questions that I wasn't able to get to, we'll be reaching out to all of you individually. So thank you a lot. And have an awesome day. Bye-bye.