At the beginning of 2021, CISA (the US Cybersecurity and Infrastructure Security Agency) stated that attacks targeting cloud environment configurations were increasing as a result of the rise in remote working.
The fact is that more and more corporate and personal devices are used simultaneously to access cloud services, which gives malicious actors room to use an array of criminal tactics to access data. The usual attack vectors are brute-force login attempts and phishing, but there is also a noted increase in what has become known as pass-the-cookie attacks, a relatively new method of cybercrime.
So let’s learn more about pass-the-cookie attacks and how you can prevent them.
What are pass-the-cookie attacks?
Cookies are an integral part of online life. You might be aware that, because of the way data is stored, selective cookie deletion can help you find better deals on flights and hotels. But once we start looking into the complexities and possibilities for cybercrime that cookies create, it becomes increasingly clear that attacks which rely on cookies can be used to compromise assets, steal data and reach deep into databases to access sensitive information.
In pass-the-cookie attacks, cybercriminals can use stolen session cookies (also known as transient cookies) to authenticate themselves with web services, thus bypassing security measures like MFA because the session has already been authenticated. It isn’t hard to see the logic behind this. After all, such cookies are essentially a measure of convenience, which stops credentials from being passed on and ends the need for regular re-authentication. As such, they tend to remain valid for some time.
Should these cookies fall into the wrong hands, however, they can be imported into a cybercriminal’s browser, allowing them to continue to access a site or app for as long as the cookie is activated. Cookie forging attacks of this kind provide plenty of time to move laterally through a site, gaining access to sensitive data and emails or enabling the criminal to perform all kinds of other actions.
Despite being a relatively little-known term, pass-the-cookie attacks aren’t exactly a new approach. Indeed, according to information security experts, they’re a reasonably standard form of infiltration. Cybercriminals skilled at gaining access to session cookies will continue to use them as part of their arsenal alongside malware such as cookie miners and similar methods.
How to counter pass-the-cookie attacks?
There are no fool-proof methods for avoiding attacks all the time. However, with the use of vulnerability management best practices, common sense, and company security protocols which keep the ever-changing landscape of cybercrime in mind, there are ways of mitigating risk and keeping your data safe.
When it comes to pass-the-cookie attacks, there are several ways to increase your data security. However, it’s important to note that – once again – none can guarantee absolute protection, and none are without their drawbacks. Despite this, any effort to outwit the cybercriminals is often enough to put off opportunists and increase your peace of mind.
Let’s have a look at four of the best ways of increasing your system’s safety.
1. Make use of client certificates
It’s always a good idea to give users a persistent token that will then be securely stored on their system and which can be used for every subsequent server connection. Most administrators achieve this by making use of client certificates stored in their profiles on the system.
This is generally regarded as one of the most secure options for combating pass-the-cookie attacks. However, logistically it presents several issues. For a start, it can only be used for applications with a limited number of users – for example, for systems run by business partners who require access to internal online applications or a B2B system. As soon as you consider scaling this option, it isn’t difficult to see where the problems arise. As such, it wouldn’t be suitable for eCommerce sites, where potential audience numbers stretch to global proportions.
2. Use dynamic tokens
Dynamic tokens, which change at regular intervals, are another potential option. By reducing the window of opportunity for a breach, they limit cybercriminal activities, as there generally isn’t time to leverage the token before it becomes invalid.
It is, of course, important to mention that limiting the opportune time for an attack is not the same as mitigating an attack, and today’s cybercriminals tend to be precise, fast-acting, and aware of how dynamic tokens affect their operations.
3. Require further identifying criteria
Another option is to add further context besides the token to verify the identity of a request. Many companies, for example, use the source IP address of each request in this way.
Again, there are problems here. Proxies are commonly used by cybercriminals, which shields their identity. Should the cybercriminal attack from within the same public place or organization (for example, in a cafe or company building), then both the attacker and the victim will be using the same IP, thus both being identified as legitimate users.
4. Browser fingerprinting
Making use of browser fingerprinting has garnered no shortage of controversy. In much the same way as cookies do, fingerprinting allows for user tracking but without providing the user an option to refuse. As we know, cookies can be easily disabled or refused, yet fingerprinting removes this element of choice and is as such a less popular option.
Despite this, fingerprinting is still one of the most convenient methods for adding an element of identifying context to any request and ensuring the user is exactly who they claim to be.
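The following Python sketch is an added example, not code from the original article: it combines the dynamic tokens of point 2 with the context checks of points 3 and 4 in one server-side session store. The class name, the 300-second rotation window, the IP addresses and the fingerprint strings are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ROTATE_AFTER = 300  # seconds before a token is replaced (assumed value)

class SessionStore:
    """Server-side sessions: rotating tokens bound to IP + fingerprint."""

    def __init__(self, key):
        self.key = key
        self.sessions = {}  # token -> (user, context tag, issued_at)

    def _tag(self, ip, fingerprint):
        # Keyed hash of the request context, so raw values are not stored.
        msg = f"{ip}|{fingerprint}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def login(self, user, ip, fingerprint, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, self._tag(ip, fingerprint), now)
        return token

    def validate(self, token, ip, fingerprint, now):
        """Return (user, token to set in the cookie), or (None, None)."""
        entry = self.sessions.get(token)
        if entry is None:
            return None, None  # unknown, or already rotated away
        user, tag, issued = entry
        if not hmac.compare_digest(tag, self._tag(ip, fingerprint)):
            del self.sessions[token]  # context changed: end the session
            return None, None
        if now - issued >= ROTATE_AFTER:
            del self.sessions[token]  # the old value stops working here
            token = self.login(user, ip, fingerprint, now)
        return user, token

def demo():
    # Constructed values: documentation IPs and made-up fingerprint strings.
    store = SessionStore(secrets.token_bytes(32))
    home = ("203.0.113.10", "fp-victim-laptop")
    t0 = store.login("alice", *home, now=0)
    _, t1 = store.validate(t0, *home, now=400)  # past the window: rotated
    return {
        "rotated": t1 != t0,
        "stale_token": store.validate(t0, *home, now=410)[0],
        "same_context": store.validate(t1, *home, now=420)[0],
        "other_context": store.validate(t1, "198.51.100.7", "fp-other", now=430)[0],
    }
```

Calling `demo()` shows a rotated-away token and a request from a different context both rejected, while a request presenting the same IP and fingerprint is still accepted, which is the limit described under point 3.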
There’s no doubt about the fact that pass-the-cookie attacks are on the rise or that cybercriminals continue to keep pace with efforts to prevent them. With the right approaches, an insistence on consistent security protocols, and adversarial thinking when it comes to safety and data privacy, there are solid solutions to protect data from this type of crime.