Stolen Tokens Enable Zero Trust Bypass
Attackers are successfully bypassing Zero Trust security models by using stolen access tokens from compromised devices. A BleepingComputer report explains that even when identity is secured, access can still be gained through a trusted but compromised endpoint. The technique underscores the need for continuous verification and device integrity checks.
- Attackers often employ "pass-the-cookie" attacks, where they steal a user's session cookie after a successful login to bypass authentication, including multi-factor authentication. This stolen cookie can then be used in a separate browser session to gain full access to the user's account and web applications.
- Malware is a primary vector for token theft, with variants like Emotet specifically designed to steal cookies and other credentials directly from a user's web browser storage. Once malware infects a device, it can exfiltrate valid session tokens, which attackers then use to impersonate the legitimate user.
- A sophisticated technique known as "Golden SAML" allows attackers to forge their own authentication tokens. After compromising a federation server like Active Directory Federation Services (AD FS), an attacker can steal the private signing key and create SAML tokens for any user with any level of privileges, granting them access to federated cloud applications. This method was notably used in the SolarWinds breach to access Microsoft 365 and Azure accounts.
- Adversary-in-the-middle (AiTM) phishing attacks are a common precursor to token theft. Attackers set up a proxy server between the user and a legitimate login page to intercept the authentication process and capture the session token after the user has successfully authenticated.
- In October 2023, the identity and access management provider Okta suffered a breach that led to the theft of authentication tokens. Subsequently, attackers used these stolen tokens to breach the systems of other companies, including Cloudflare, on Thanksgiving Day 2023.
- To mitigate these attacks, security professionals recommend implementing phishing-resistant multi-factor authentication methods like FIDO2/WebAuthn, which bind the authentication to the hardware. Additionally, continuous session monitoring for suspicious activities, such as impossible travel or changes in device information, is crucial for detection.
- Conditional Access policies that enforce device compliance and trusted IP locations can significantly reduce the risk of stolen token replay. These policies ensure that even if a token is stolen, it cannot be successfully used from an untrusted or non-compliant device or a suspicious network location.
- Forcing regular re-authentication and keeping token lifespan short can limit the window of opportunity for an attacker to use a stolen token. Revoking refresh tokens after use and securely storing them on the server-side, rather than in local browser storage, are also key preventative measures.
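The continuous session monitoring recommended above (impossible travel and device changes) can be expressed as two simple rules over per-session authentication events. The following is an added example, not code from the BleepingComputer report or from any vendor: the event schema, the 900 km/h speed threshold, the device fingerprint field and the sample events are all assumptions constructed for illustration, and the geolocation is assumed to come from an upstream IP lookup.

```python
"""Flag a session token that is presented from a different device than it was
issued to, or from a location the user could not plausibly have reached.
Added example; events and thresholds are constructed, not real log data."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Hypothetical threshold: faster than an airliner means both requests cannot
# have come from the legitimate user's device.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass(frozen=True)
class AuthEvent:
    session_id: str   # the session cookie / token identifier (hashed in real logs)
    user: str
    ts: datetime
    src_ip: str
    lat: float
    lon: float
    device_fp: str    # device fingerprint bound at login (assumed field)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def analyze_session(events):
    """Return a list of (rule, detail) alerts for one session, comparing
    each event with the previous one in time order."""
    alerts = []
    ordered = sorted(events, key=lambda e: e.ts)
    for prev, cur in zip(ordered, ordered[1:]):
        # Rule 1: the same token is now presented from a different device.
        if cur.device_fp != prev.device_fp:
            alerts.append(("device_change",
                           f"{prev.device_fp} -> {cur.device_fp} from {cur.src_ip}"))
        # Rule 2: the implied travel speed between the two requests is impossible.
        dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = (cur.ts - prev.ts).total_seconds() / 3600.0
        if hours > 0:
            speed = dist_km / hours
        else:
            speed = float("inf") if dist_km > 0 else 0.0  # simultaneous events
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            alerts.append(("impossible_travel",
                           f"{dist_km:.0f} km in {hours * 60:.0f} min "
                           f"({speed:.0f} km/h) via {cur.src_ip}"))
    return alerts


def monitor(events):
    """Group events by session token and analyze each; returns {session_id: alerts}."""
    by_session = {}
    for e in events:
        by_session.setdefault(e.session_id, []).append(e)
    return {sid: analyze_session(evs) for sid, evs in by_session.items()}


def _t(hh, mm):
    return datetime(2024, 1, 15, hh, mm, tzinfo=timezone.utc)


# Constructed sample events (documentation IP ranges, invented fingerprints).
SAMPLE_EVENTS = [
    # S1: login from London, then the same cookie replayed 25 minutes later
    # from New York on a device the session was never bound to.
    AuthEvent("S1", "alice", _t(10, 0), "198.51.100.10", 51.5074, -0.1278, "fp-laptop-a"),
    AuthEvent("S1", "alice", _t(10, 20), "198.51.100.10", 51.5074, -0.1278, "fp-laptop-a"),
    AuthEvent("S1", "alice", _t(10, 45), "203.0.113.7", 40.7128, -74.0060, "fp-unknown-b"),
    # S2: ordinary session, one device, Paris to Brussels (~260 km) in an hour.
    AuthEvent("S2", "bob", _t(9, 0), "192.0.2.20", 48.8566, 2.3522, "fp-phone-c"),
    AuthEvent("S2", "bob", _t(10, 0), "192.0.2.21", 50.8503, 4.3517, "fp-phone-c"),
]

if __name__ == "__main__":
    for sid, alerts in monitor(SAMPLE_EVENTS).items():
        print(sid, alerts or "no alerts")
```

In practice either alert would feed the same response path the article's mitigations describe: revoke the session and its refresh token server-side and force re-authentication with a phishing-resistant factor. The device-fingerprint comparison is only as strong as what the fingerprint is bound to; a hardware-backed attestation gives a far stronger signal than a user-agent string.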