Token Takeover: Stopping Session Token Abuse With CylanceEDGE
Stopping unauthorized access is one of the most fundamental problems in cybersecurity. It’s hard to find a one-size-fits-all solution since adversaries might use so many tactics to breach a target system. However, there’s a significant vulnerability that is often overlooked, which lies at the heart of many authentication systems: session token abuse.
Session token abuse happens when an attacker gains control of a user's access token. Attackers typically obtain the token through a spear-phishing campaign, then inject malicious code into the system or start a new process under the compromised user's credentials. Next, threat actors escalate privileges so they can move laterally through the environment undetected until they can operate with the same permissions as a privileged user. Once they reach this level, they authenticate themselves locally and across the network using stored credentials. In a single sign-on (SSO) scenario, the identity provider (IdP) will accept the stolen token, allowing the attacker unrestricted access to multiple applications.
Session tokens are essential for maintaining user sessions in many applications and services, making them a popular target for attackers. At the same time, today’s massively distributed applications and highly mobile workforce make this class of attack difficult for defenders to detect and stop.
Using SSE to Reduce the Risk of Token Abuse
With these realities, Security Service Edge (SSE) solutions such as CylanceEDGE™ are increasingly important in defending modern authentication systems. BlackBerry has been a leader in protecting identities throughout its history, with teams dedicated to ensuring the security of customer accounts and the use of best practices of secure authentication for the company’s products and services. In this blog, we will review real-world incidents where session token abuse has led to significant security breaches, and then explore the role that SSE solutions play in strengthening defenses and building systems that are robust, easy to use, and adaptable to the shifting threat landscape.
Session Token Abuse Is an Increasing Threat
A recent high-profile breach of an identity provider (IdP) turned a spotlight on session token attacks. In October 2023, after receiving inquiries from a number of customers about suspicious activity, the identity and access system provider disclosed that an unnamed hacker had used stolen credentials to access its support case management system. Buried within many of the HTTP archive files uploaded by affected customers were session tokens, which the threat actor was able to extract and use to compromise a number of customer accounts.
As the investigation continued into November 2023, the company identified 134 affected organizations, including multiple service providers in the cybersecurity and IT management space, who were directly affected by session token theft.
While that breach received much attention due to its widespread impact, there have been other recent examples of session token abuse as well. One of these situations allowed attackers to exploit session tokens by leveraging a vulnerability in a popular remote access infrastructure management product. The attackers were able to maintain persistent access to the target network, even after users had logged out.
In another example, a large media conglomerate disclosed that hackers exploiting this vulnerability accessed the sensitive information of almost 36 million of its customers. Some ransomware operators are also known to use this tactic, including LockBit affiliates.
A popular developer platform has also had public struggles with token abuse. In April 2022, attackers managed to hijack OAuth tokens issued to third-party integrators and exploited the tokens to gain unauthorized access to several repositories. This incident introduced a significant threat to numerous organizations that rely on the platform provider for their code management.
These cases are textbook examples of how token hijacking can have a cascading effect, where a small initial foothold ends up endangering an entire network of interconnected systems and services.
How CylanceEDGE SSE Defends Against Session Token Abuse
In the face of these abuses, it’s clear that legacy security measures are not adequate to defend against this class of modern threats. CylanceEDGE consolidates a variety of security services, including zero trust network access (ZTNA), secure web gateway (SWG), and cloud access security broker (CASB) capabilities, into a single solution that secures access to today’s distributed applications and users. It provides a rich set of capabilities that help defenders mount a robust defense against session token abuse. These capabilities include:
Continuous Authentication and Authorization: One core tenet of a zero trust security architecture is the concept of continuous authentication, shifting away from traditional sessions and idle timeouts. CylanceEDGE empowers organizations with a dynamic approach to authentication by constantly evaluating user activities and context, rather than treating authentication as a one-time event. This continuous evaluation process dramatically reduces the risk associated with compromised session tokens.
IP Pinning and Session Binding: CylanceEDGE delivers enhanced security through IP pinning and session binding, linking session tokens to specific user attributes like IP addresses. This technique makes it much harder for attackers to misuse stolen tokens, as they must also closely mimic the original user’s environment.
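One way to implement the session binding and continuous re-evaluation described above, as an added example that is not CylanceEDGE’s or BlackBerry’s code: the hypothetical `BoundSessionStore` below binds each token to the client IP and a User-Agent fingerprint at issuance, re-checks both on every request together with idle and absolute lifetimes, and revokes the token on any mismatch so a replayed copy cannot be retried.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    ip: str          # client IP the token was issued to
    ua_hash: str     # SHA-256 of the User-Agent string at issuance
    issued_at: float
    last_seen: float

class BoundSessionStore:
    """In-memory session store binding every token to the client context it was issued to."""
    def __init__(self, idle_timeout=900, max_lifetime=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout   # seconds without activity before the session dies
        self.max_lifetime = max_lifetime   # absolute cap regardless of activity
        self.clock = clock                 # injectable so tests can control time
        self._sessions = {}                # token -> Session

    @staticmethod
    def _fingerprint(user_agent):
        return hashlib.sha256(user_agent.encode()).hexdigest()

    def issue(self, user, ip, user_agent):
        """Create a session bound to (ip, user_agent) and return its opaque token."""
        token, now = secrets.token_urlsafe(32), self.clock()
        self._sessions[token] = Session(user, ip, self._fingerprint(user_agent), now, now)
        return token

    def validate(self, token, ip, user_agent):
        """Re-check context on every request. Returns (user, None) or (None, reason); rejection revokes."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown token"
        now = self.clock()
        if now - s.issued_at > self.max_lifetime:
            reason = "lifetime exceeded"
        elif now - s.last_seen > self.idle_timeout:
            reason = "idle timeout"
        elif s.ip != ip:
            reason = "ip mismatch"           # stolen token replayed from another client
        elif not hmac.compare_digest(s.ua_hash, self._fingerprint(user_agent)):
            reason = "client fingerprint mismatch"
        else:
            s.last_seen = now
            return s.user, None
        del self._sessions[token]            # revoke so the same token cannot be retried
        return None, reason
```

Strict IP binding will also terminate legitimate sessions whose address changes, such as mobile clients roaming between networks, so in practice the bound attribute is often a device certificate or IdP device posture rather than the bare source IP.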
Diversifying Authentication: Too often, organizations adopt a one-size-fits-all approach to authentication systems. Unfortunately, not all authentication requirements are created equal: balancing cost, risk profile, and convenience for each potential use case is critical. CylanceEDGE allows organizations to easily mix identity providers for authentication, authorization, and multi-factor authentication (MFA). This allows for tailoring security measures to meet the specific needs and risk profiles of different user groups and applications.
Zero Trust Network Access: By incorporating ZTNA principles, CylanceEDGE enables organizations to implement network segmentation. This strategy is crucial in containing the damage in the event of a breach. By ensuring that users have access only to the network resources they need, ZTNA minimizes the potential impact of compromised session tokens and helps prevent attackers from moving laterally across the network.
Deep Visibility for Monitoring and Investigations: Finally, CylanceEDGE provides deep visibility into user activities and authentication events. This level of monitoring is essential for detecting unusual patterns that may indicate token abuse. The platform’s investigative capabilities allow organizations to quickly respond to and mitigate potential security incidents, ensuring that any abnormality in token usage is quickly addressed.
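The kind of abnormal token usage that monitoring should surface can be spelled out as detection logic. The example below is added here and is not CylanceEDGE’s code: it runs over constructed authentication-log lines in a hypothetical key=value format and flags two patterns from this post, a session id presented from more than one source IP within a short window, and a session id still in use after its owner logged out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a hypothetical key=value authentication-log format.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z user=alice session=s1 src=203.0.113.5 action=login
2024-01-15T10:02:10Z user=alice session=s1 src=203.0.113.5 action=get_mail
2024-01-15T10:04:30Z user=alice session=s1 src=198.51.100.9 action=get_mail
2024-01-15T10:05:00Z user=alice session=s1 src=203.0.113.5 action=logout
2024-01-15T10:07:45Z user=alice session=s1 src=198.51.100.9 action=download
2024-01-15T10:30:00Z user=bob session=s2 src=192.0.2.20 action=login
2024-01-15T11:00:00Z user=bob session=s2 src=192.0.2.21 action=get_mail
""".splitlines()

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<sid>\S+) "
                    r"src=(?P<src>\S+) action=(?P<action>\S+)$")

def parse_line(line):
    """Parse one log line into a dict with a UTC timestamp, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def detect_token_abuse(lines, window_minutes=10):
    """Flag (a) a session id seen from more than one source IP inside the window and (b) any
    use of a session id after logout. Returns (rule, session_id, user, src_ip) tuples, once each."""
    window = timedelta(minutes=window_minutes)
    events = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    seen = defaultdict(list)     # sid -> [(ts, src_ip)] still inside the window
    logged_out, alerts, reported = set(), [], set()
    def report(rule, r):
        key = (rule, r["sid"], r["src"])
        if key not in reported:
            reported.add(key)
            alerts.append((rule, r["sid"], r["user"], r["src"]))
    for r in events:
        if r["action"] == "logout":
            logged_out.add(r["sid"])
            continue
        if r["sid"] in logged_out:
            report("use_after_logout", r)
        recent = [(t, ip) for t, ip in seen[r["sid"]] if r["ts"] - t <= window]
        if any(ip != r["src"] for _, ip in recent):
            report("multi_ip_reuse", r)
        seen[r["sid"]] = recent + [(r["ts"], r["src"])]
    return alerts
```

The window keeps slow, legitimate address changes (bob moving networks half an hour apart) out of the multi-IP rule; widening it trades that tolerance for earlier detection.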
Stop Identity-Based Cyberattacks with an SSE Approach
The abuse of session tokens and other identity-related exploits presents a significant and often underestimated cybersecurity threat. The incidents cited in this blog are not just isolated events — they are part of a larger pattern of identity-based threats that modern enterprises face, and they highlight the need for a dynamic, adaptive approach to authentication and session management. Adopting a solution like CylanceEDGE can represent a strategic move toward strengthening your organization’s defenses.
We invite you to experience the benefits of CylanceEDGE firsthand. A free trial is now available to evaluate the product’s innovative ZTNA capabilities, which are designed to reduce the risk of a damaging breach while streamlining the end-user experience and decreasing administrative burdens. It can help transform your approach to authentication and identity security, and safeguard your enterprise in the face of ever-evolving threats.