NSA offers help detecting malicious authentication
In response to ongoing cybersecurity events, the National Security Agency (NSA) released a Cybersecurity Advisory on December 17 titled, “Detecting Abuse of Authentication Mechanisms.” This advisory provides guidance to National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators to detect and mitigate against malicious cyber actors who are manipulating trust in federated authentication environments to access protected data in the cloud. It builds on the guidance shared in the cybersecurity advisory regarding VMware with state-sponsored actors exploiting CVE 2020-4006 and forging credentials to access protected files, though other nation states and cyber criminals may use this tactic, technique, and procedure (TTP) as well.
This advisory specifically discusses detection and mitigation of two TTPs to forge authentications and gain access to a victim’s cloud resources. While these TTPs require the actors to already have privileged access in an on-premises environment, they are still dangerous as they can be combined with other vulnerabilities to gain initial access, then undermine trust, security, and authentication. Initial access can be established through a number of means, including known and unknown vulnerabilities. The recent SolarWinds Orion ® code compromise is one serious example of how on-premises systems can be compromised, leading to abuse of federated authentication and malicious cloud access.
Mitigation actions include hardening and monitoring systems that run local identity and federation services, locking down tenant single sign-on (SSO) configuration in the cloud, and monitoring for indicators of compromise. NSA remains committed to providing provide timely, actionable and relevant guidance, and is partnering across the public and private sectors in ongoing incident response efforts. Releasing this advisory with further technical guidance allows NSA’s customers to apply preventative measures to the fullest extent along with the detection and mitigation actions.
Read the full advisory here.
Read the abridged version here.