The National Security Agency (NSA) late last week released new guidance on cloud security to defend against cyber threats that manipulate authentication environments.
The Detecting Abuse of Authentication Mechanisms advisory provides guidance to National Security System (NSS), the Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators. It aims to “detect and mitigate against malicious cyber actors who are manipulating trust in Federal authentication environments to access protected data in the cloud.”
The advisory discusses detection and mitigation of “two tactic, technique, and procedures” (TTPs) to forge authentications and gain access to cloud resources. One such TTP includes the actors compromising on-premises components of a federated single sign-on (SSO) infrastructure and steal credentials or keys that are used to sign Security Assertion Markup Language (SAML). The second TTP sees threat actors leveraging “a compromised global administrator account to assign credentials to cloud application service principles.”
NSA notes that the TTPs don’t necessarily constitute vulnerabilities in design principles of federated identity management, SAML protocol, or on-prem and cloud identity services. Rather, NSA says they show that the security of identity federation in any cloud environment directly depends on trust in on-prem components that perform authentication.
“Mitigation actions include hardening and monitoring systems that run local identity and federation services, locking down tenant [SSO] configuration in the cloud, and monitoring for indicators of compromise,” NSA said in a press release. “NSA remains committed to providing timely, actionable and relevant guidance, and is partnering across the public and private sectors in ongoing incident response efforts.”
