Late last year, Microsoft posted a security writeup about the threat of token theft as attackers evolved to thwart the protections provided by MFA. I strongly suggest reading the full post from Microsoft. To defend against a token-based threat, Microsoft’s recommends a threefold approach: to protect, detect, and then respond and investigate. BeyondTrust provides several privilege access management (PAM) solutions that support or supplement Microsoft’s recommendations. Some of our best practices actually go beyond Microsoft’s recommendations to provide faster-to-implement solutions that can help you better secure your system.
In this blog, I provide a recap of the components of Microsoft’s token theft prevention tactics as they relate to the features of BeyondTrust’s Privileged Access management (PAM) solutions that can offer the best defense against a token-based attack.
What is a token attack?
Token manipulation is an attack technique commonly used by advanced persistent threats. Once the threat actor has gained access to a user’s system, they can use token manipulation to gain higher privileges on the victim's system or to impersonate another user and perform actions.
With more and more users moving to hybrid and remote-first work, HTTPS-focused communications and authentications centered around OAuth 2.0 tokens have become the primary methods for accessing corporate resources. This means that creating or stealing a token is the focal point for attackers to access these resources.
With MFA authentication becoming mandatory for many companies, creating a token is becoming impossible for attackers, so token theft becomes the next attack.
Common token attack methods
The two primary token-based attacks are Attacker-in-the-Middle (AitM) and Pass-the-Cookie (PtC) attacks. Both of these require attacks against the user’s web endpoint device/browser (phishing / infrastructure / malware).
The best ways to defend against a token-based threat
1. Eliminate token access
Microsoft provides many suggestions on how to “reduce” the attacker’s access to the token. We recommend taking this a step further to “eliminate” the attacker’s access entirely. Tools like BeyondTrust Password Safe and Privileged Remote Access (which are part of our Total PASM Bundle), implement RemoteApps and WebJump technologies to physically separate the privileged token from the end-user’s desktop (and AitM and PtC malware and infrastructure).
By adding in the “Rotate on Release” features of Password Safe, the token is immediately invalidated upon end-of-session. This further minimizes the window of opportunity whereby the attacker can steal and reuse the token.
With the Privileged Remote Access WebJump and Password Safe, the Endpoint Credential Manager (ECM) Integration, “Rotate on Release” can be extended to WebJump access as well, providing end users with remote-friendly access to resources in a fully secured environment. This implementation affords the highest protection against token theft, since the affected token cannot be stolen from a remote endpoint that never uses nor receives it.
In this scenario, three important details help to fully eliminate token access:
- On the front-end, some customers will worry about the token used for access to Password Safe or Privileged Remote Access themselves. Note that the Password Safe token lifetime is 15 minutes, NOT the 2 weeks that an AzureAD logon token is good for. Privileged Remote Access tokens are, through the thick client, useful for longer times.
- The second thing to be aware of is that properly configured Password Safe or Privileged Remote Access environments don’t release privileged secrets to users. Instead, they release recorded access to privileged activities. This means an attacker must accept using a brokered, recorded session to perform their activities, and therefore is not just exposing, but offering, their methods, materials, and techniques to the defender through the recording infrastructure.
- The third thing to recognize is that Password Safe, in particular, provides the ability for defenders to lock, and not just terminate, sessions in progress. Doing so freezes attackers in their tracks, while maintaining a complete forensic record.
All these points demonstrate the paramount importance of reducing “View Password” style access to secrets for defenders who are applying the “prevent” answer to token theft.
When customers hear “token theft,” they sometimes ask about the “username” token for Password Safe recorded sessions. This refers to the link or RDP file data, which includes a 65-character cryptographically generated code in the “username” field. Password Safe passes this data down to the requesting user via HTTPS protected by TLS 1.2 (and soon to be TLS 1.3). Password Safe allows the holder of this code 30 seconds (by default) to open the recorded session in question.
While theft of this token by an attacker who has full access to the endpoint is theoretically possible, there are two important limitations:
- The token is a one-time-use token. If the user uses it first, it’s unavailable to the attacker. If the attacker uses it first, the user’s re-request of the token will take over the attacker’s RDP session.
- The token lifetime of 30 seconds is exceptionally short (compared to the 2 weeks of AzureAD OAuth tokens), and is configurable in the Password Safe application.
2. Limit Access to Known protected devices
BeyondTrust provides the class-leading BeyondTrust Privilege Management for Windows and Mac to protect endpoint systems from all variety of malware attacks by implementing least privilege access and layering on application. Here’s how it works:
- Removing end-user administrative rights eliminates malware’s ability to establish the required foothold to run token-stealing malware.
- By recording application launches, BeyondTrust can detect malware access and launch and alert on it on a per-endpoint/per-user basis. Thus, the ability for attackers to establish malware to steal tokens in the first place is not just squashed, but also recorded.
- Lastly, for customers who need the ultimate of assurances, BeyondTrust EPM-protected Privileged Access Workstation (PAW) laptops, following Microsoft’s latest best practices, deploy TPM-protected virtual Smart Cards. When these Smart Cards are issued only to PAW accounts logging into PAWs, then the rest of the infrastructure can trust that the PAW user is who they claim to be from a trusted source. TPM-protected virtual Smart Cards therefore allow both Privileged Remote Access and Password Safe to validate that the user accessing those solutions is coming from a trusted PAW, permit only the PAW users access to the most critical resources, and ensure the user running on the PAW is protected against the widest array of threats on the landscape.
Ready to protect your network against token-based threats and other advanced persistent threat tactics? Contact us to learn more about we are evolving our PAM solutions to meet the intelligent identity and access security needs of our users.
Robert Auch, Senior Implementation Architect
Robert Auch is a Professional Services Security Architect who has been delivering security designs and installations for BeyondTrust customers for more than a decade. His recent focus has been multi-platform solution security for global financial institutions. Robert has only visited 5 continents.