Protect Against Adversary-in-the-Middle with Cisco’s User Protection Suite


In the blog, Understanding & Defending Against Adversary-in-the-Middle (AiTM) Attacks, we reviewed the basics of an AiTM attack and how Duo can protect against it. To recap, in an AiTM attack, the attacker sits in between the user and the real web page and steals a user’s valid session cookies. This means that they can bypass traditional authentication controls.

Talos, Cisco’s Threat Intelligence Group, reported on AiTM attacks back in 2019 as a method to steal user credentials and most recently in the blog, ‘How are attackers trying to bypass MFA?’ AiTM attacks are a real concern for many organizations as they are difficult to prevent and on the rise. Microsoft also found that domains associated AiTM phishing quadrupled from 2022 to 2023.

The strongest Duo protection against AiTM attacks is to use phishing–resistant authentication based on WebAuthn standards, paired with Duo’s Trusted Endpoints device trust policy. When the user authenticates using passwordless, it creates a keypair where the private key to unlock application access is stored in the device itself (and cannot be intercepted). Additionally, Trusted Endpoints, which prevents unknown or unmanaged devices from accessing applications, stores the trusted user’s registration in the Trusted Platform Module (TPM) for Windows devices, or Secure Enclave for Mac. By utilizing security on the device itself, this protects the user from an AiTM attack.

Secure Access: Secure Protocols

While Duo is a good first step in protecting against AiTM attacks, it’s important to take a layered approach to user protection. This means using a consolidated authentication and access solution to protect against attackers. Cisco’s Security Service Edge (SSE) solution, Secure Access, provides that extra layer.

Secure Access was built on a new protocol, MASQUE, which enables users to access resources through a stream session, rather than a tunnel. In traditional protocols, a user would use Transport Layer Security (TLS) to access resources. While this provides some level of encryption (and security), it does not fully separate the endpoint from the corporate network.

MASQUE, on the other hand, uses the QUIC protocol based on http/3 (although it can seamlessly fall back to http/2 and TLS if QUIC is not supported). When QUIC brokers the connection between a user and an application, the user is routed through an identity aware proxy. This removes the IP address of the application and makes it blind to the endpoint. Instead, QUIC randomly assigns the application IP address to establish the connection to the MASQUE proxy. This address assignment is per app and per connection completely obfuscating the IP network that the application is on from the user.

Secure Access vs. AiTM

So, how does this new protocol protect against AiTM? When a user enrolls in Secure Access, a certificate is issued to that device for that user. It also generates a private key, stored in the TPM or Secure Enclave. This private key will never leave the hardware bubble and will always be associated with that user on that device.

The user is re-issued a new certificate every few weeks, which rotates the private key on the device. In addition, the mechanism called Demonstration of Proof of Possession (DPoP) helps tie the user identity to device.

When a user logs into Duo Single Sign-On and does a SAML authentication, that user gets a cookie to enable the user session. DPoP creates a private keypair on the device and then binds the cookie with the device bound credential. Every time the user presents the cookie, they have to present the DPoP public key. That means that no attacker in the middle can intercept the trusted user’s cookie and reuse it for malicious purposes.

Essentially, both Duo and Secure Access utilize the most secure part of the device to broker trust between you and the sensitive applications you are accessing, thwarting traditional AiTM attacks. This demonstrates the value of a layered approach, to protect your organization’s resources and provide tools to secure users without getting in the way of business.

Partner with Cisco: User Protection Suite

With Cisco’s User Protection Suite, users gain access to both Duo and Secure Access through one central console, the Security Cloud Control. This makes it easy to begin your security journey and better protect end users. The User Protection Suite also includes Email Threat Defense to protect against attackers in your inbox, and Secure Endpoint to protect users on their devices. To learn more, connect with an expert today.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!

Cisco Security Social Channels

Instagram
Facebook
Twitter
LinkedIn

Share:





Source link