Over the last week, Cloudflare has published blog posts on products created to secure our customers from credential stuffing bots, detect users with compromised credentials, and block users from proxy services. But what do we do inside Cloudflare to prevent account takeovers on our own applications? The Security Team uses Cloudflare products to proactively prevent account compromises. In addition, we build detections and automations as a second layer to alert us if an employee account is compromised. This ensures we can catch suspicious behavior, investigate it, and quickly remediate.
Our goal is to prevent automated and targeted attackers regardless of the account takeover technique: brute force attack, credential stuffing, botnets, social engineering, or phishing.
Classic Account Takeover Lifecycle
First, let's walk through a common lifecycle for a compromised account.
In a typical scenario, a set of passwords and email addresses have been breached. These credentials are reused through credential stuffing in an attempt to gain access to any account (on any platform) where the user may have reused that combination. Once the attacker has initial access, which means the combination worked, they can gain information on that system and pivot to other systems through methods. This is classified as lateral movement. With one password leaked, there is the potential for a completely unrelated company to incur in a breach where an unauthorized user signs in and exfiltrates data.
Another vector for account takeovers are phishing emails with links that are sent to employees with the aim to harvest credentials. A common tactic used by attackers is Evilginx, a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. By creating a page similar to the company’s login portal, the attacker can intercept traffic and harvest the credentials put into the page. Once the credentials are captured, they immediately login as the user, exfiltrate information, and attempt to compromise related systems/accounts. As phishing email filtering has improved, attackers attempt to vish, a method of social engineering over a phone call, employees to get them to visit a malicious website such as the one mentioned above.
The two most common ways to add additional verification are through using a Time-based One-Time Password (TOTP) or verification code via text message (SMS) as a multi-factor authentication option. TOTP generates a one-time password which uses the current time as a source of uniqueness. These are commonly obtained from a mobile application such as Google Authenticator. Neither of these methods of multi-factor authentication would protect from account takeovers as attackers are able to use social engineering tactics to convince an employee to provide the TOTP or SMS. Additionally, attackers can perform SIM-swapping, a tactic where a phone carrier is tricked into assigning another person’s phone number to a new device, in order to get the verification code sent to a device they have.
Account takeovers are a real threat to companies and their users. Let’s walk through some tangible examples of compromises and how they can be prevented on multiple levels using Cloudflare.
Account Takeover in Action
In 2020, an example of the impact of an account takeover was demonstrated when an attacker was able to hijack Twitter employee login credentials and then access dozens of verified Twitter accounts. A Florida teenager spoofed an employee’s phone number by SIM-swapping, a tactic where a phone carrier is tricked into assigning another person’s phone number to a new device. Then he social engineered a Twitter employee by pretending to be a member of their IT department. Once the employee was convinced, he guided them to a phishing page that resembled Twitter’s Okta login portal. Once the employee put in their credentials to the seemingly legitimate page, the attacker was able to use them to gain access to Twitter’s systems. This attack was possible due to the use of SMS and/or TOTP for multi-factor authentication. If the Twitter employee had a U2F hardware security token, such as a YubiKey, the attacker would have entered the stolen credentials then been prompted to touch a physical key in order to gain access, which would have been impossible without the employee’s key.
In this scenario, a company could adopt Cloudflare Access to lock down access to internal systems to company-issued devices and use granular access policies to limit which accounts can be accessed by each user group. The policies can be used to force employees to authenticate with a U2F hardware security token and block all events that use TOTP/SMS.
In 2018, a data breach compromised MyFitnessPal user data including passwords. Two years later, the breached data was used to coordinate credential stuffing attacks on two insurance companies: Independence Blue Cross and AmeriHealth New Jersey. The credential stuffing attacks resulted in unauthorized access to user insurance information including claims. This example illuminates how any company can be targeted for account takeover tactics.
Cloudflare’s bot solutions — including Super Bot Fight Mode, which launched today — could have been utilized by the insurance companies to block credential stuffing proactively. Internally the insurance companies mentioned could have enabled Exposed Credential Checks in WAF to check for breached user passwords and prompt them to change their password.
Using Cloudflare to Secure Cloudflare
Through Cloudflare products, many of the typical account takeover vectors are blocked. This helps the Security Team focus our attention on building our internal defenses against Cloudflare-specific attacks.
For example, Cloudflare Gateway allows us to proactively block potentially malicious domains in a simple UI rule builder. By blocking these categories on corporate endpoints, we lower the risk that an employee will visit a known threat.
When there is a new domain that the Security Team observes is attempting a credential harvesting attack, we can then proactively block it using a blocklist in Gateway. This prevents the endpoint from resolving the site even if the employee accidentally navigates to it. Many security tools provide the ability to block by IP address; however, in addition to IP blocking, we also block by domain name in order to respond quickly to attacks. By blocking the domain, if an attacker deploys the same site on new IP addresses, we have already mitigated the risk of someone visiting the site.
Internally, all Cloudflare employees are required to use a FIDO2 hardware security token to authenticate to any company resource. This protects internal systems from many of the pitfalls that make account takeover easier.
In addition to the hardware token requirement, the Security Team is using Cloudflare Access to enforce only managed corporate devices are able to connect to internal systems. The managed rules can be configured to allow or block based on a combination of factors such as the multifactor method and the geography of the IP address used. The Security Team is able to switch from a reactive to proactive approach by blocking authentication events from non-corporate devices, countries where we don’t have employees, or events that use SMS/TOTP instead of a U2F hardware security token.
Adding an Internal Layer of Protection
In addition to Gateway features, the Detection & Response Team exports Gateway & Access logs to further enrich, correlate, and develop detections on the raw events alongside other internal system logs. By combining all of our logs into an internal pipeline we have the opportunity to build custom detections and incident response automation.
In relation to account takeovers, our team has focused on building detections focused on initial access techniques as a second layer of protection on employee accounts.
Some examples of account compromise focused detections are:
- A login or other authentication event to an internal system from a VPN.
- A change in employee's multi-factor authentication token and use of a new device.
- A login or authentication event from an unfamiliar IP address.
- A login or authentication event from an IP address in a located high-risk country.
- An authentication event with a multi-factor authentication soft-token to an internal system.
- Any event from an IP address associated with known threat actors.
However, there are many variations of behavior patterns that could signal an account compromise. Instead of using static detection rules for all of them, the Detection & Response Team has prioritized building machine learning models that aid in detecting anomalous authentication behavior for employee accounts.
Risk signals are patterns that can indicate malicious behavior and are used to determine how likely that behavior is truly malicious. Every company has some of the same security risk signals for detecting account compromises; however, it can differ greatly depending on their infrastructure. Combining Cloudflare's Security products with our own engineering allows us to have seamless protection for external and internal facing systems.
Influencing the Product Roadmap
As Cloudflare expands their security suite of products, the Security Team as a whole works closely in influencing the product roadmap. We are able to provide actionable insights into all the controls and detections required to effectively mitigate and respond to current cyberattacks. Through a feedback loop of communication and collaboration, we share our internal strategies with product teams and then dogfood the products built at Cloudflare to ensure they are helpful in protecting our employee and customer data.
Cloudflare is a place where new ideas are welcomed and discussed in order to ensure our products are an asset to Security & IT teams that are using them. It's empowering to be part of that journey!
Account takeovers are one of the most commonplace cybersecurity attacks, but you can quickly improve the maturity of your security program by putting in place mitigations focused on initial access. These mitigations stop the attacker at the “reconnaissance” stage of the cyber kill chain, an attack phase-model created by Lockheed Martin and expanded on through the MITRE ATT&CK framework.
So what's the best strategy you can take to protect your organization’s enterprise security?
Make the account takeover attack as difficult as possible to execute.
At Cloudflare, we enforce security policies focused on account security, these include hardware security token enforcement for multi-factor-authentication, strong password complexity, proactive blocking of known bad domains, and bot protection on external facing sites. Each of these mitigations are aimed to disrupt the beginning phases of the attacker's kill chain.