
Enterprise Account Recovery Best Practices: Defending Against Credential Reset Attacks
If your enterprise account recovery process relies on service desk agents asking a few security questions or verifying via callback, attackers are already ahead of you. GetReal Security Head of Threat Research Tom Cross recently touched on this, explaining that many enterprises’ account recovery processes are not sufficient to protect against threat actors’ continuously developing tradecraft in this arena.
“There’s an ongoing arms race with threat actors who target credential reset and will continue to do so,” Tom says. “Many practices in place today aren’t solving the problem, but enterprises with process discipline and technology enabling them to know their employees better than attackers do will gain an asymmetric advantage.”
Below is an overview of Tom’s advice for enterprises looking to defend themselves against attackers’ newest innovations in IT service desk social engineering.
Credential Lifecycle Threat Landscape
The workforce credential lifecycle breaks into five facets for the purpose of our discussion:
- Credentials are issued at employee onboarding
- The credentials are used by employees each day
- In some cases, delegate keys attached to those credentials, such as API keys or GitHub personal access tokens, are issued
- Credentials are re-issued when an employee loses a device
- When an employee leaves the company, credentials are revoked
Each facet of this lifecycle is under attack. And some of them are examples of the most prominent cybersecurity attacks that have occurred in the past five years or so.
Credential Lifecycle Threat Map

Every phase of a credential's life is a potential entry point for attackers — from first issuance to the day it's revoked.
Attacks on Credential Issuance
DPRK IT workers not only generate revenue for the North Korean state; their victims also issue them credentials granting insider access to corporate systems. From there, they may steal IP, sensitive data, or cryptocurrency, or stage ransomware.
Attacks on Credential Use and MFA
MFA fatigue attacks consist of an attacker who has stolen an employee’s credentials repeatedly attempting to log in, overwhelming the employee with push notifications on their mobile device. The end goal is to annoy the employee so much that they approve a request out of frustration, granting the attacker access. Protections such as number matching exist to help mitigate these attacks.
We’re also seeing a large volume of session hijacking attacks. In these attacks, fraudsters clone an enterprise’s corporate log-in page on the internet and send phishing emails to employees requesting that they log in. Employees who are deceived enter their credentials and MFA information; that information is quickly submitted to the actual corporate log-in page, a live session is established, and the threat actor now has access to the corporate network.
Attacks on Delegate Keys
Delegate keys typically reside on developer laptops and those laptops can be compromised. Or, a developer may check code out from GitHub from an unmanaged personal computer that is compromised. When an attacker gets their hands on a delegate key, they can then check-in malicious code that will get deployed into an enterprise’s production environment.
Attacks on Credential Re-Issuance
The most well-known example of credential re-issuance process exploitation is the attack on MGM Resorts, which resulted in a USD $100 million loss and began with IT service desk social engineering. Scattered Spider operatives posed as employees, called into the help desk, and persuaded agents to reset credentials and MFA assignments, allowing them to access corporate systems and deploy ransomware. A similar attack, also attributed to Scattered Spider and targeting IT help desks with social engineering, interrupted UK retailer Marks and Spencer’s e-commerce for more than a month and cost at least USD $400M.
Attacks on Credential Revocation
If a credential has been compromised and you revoke it, but the threat actor still has access to your environment for another 24 hours because a session remains alive, that will be a long 24 hours. Excessive session lifetimes leave enterprises exposed.
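As an added illustration of the point above (example code, not from the original post or from GetReal), a session store that binds every session to a credential "generation" and re-checks it on each request, so revoking or re-issuing a credential invalidates live sessions immediately instead of leaving them alive until a long TTL expires. The class and field names and the 8-hour default lifetime are assumptions; `now` is an injectable clock so the lifetime check can be exercised without waiting.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Credential:
    user: str
    generation: int = 0      # bumped on every issue, re-issue and revoke
    revoked: bool = False

@dataclass
class Session:
    user: str
    generation: int          # credential generation the session was minted under
    issued_at: float

class SessionStore:
    """Sessions are re-checked against the live credential on every request, so a
    revoke kills them at once; `now` is an injectable clock (time.time in prod)."""
    def __init__(self, now, max_lifetime=8 * 3600):
        self.now, self.max_lifetime = now, max_lifetime
        self.credentials, self.sessions = {}, {}

    def issue_credential(self, user):
        # Onboarding, or re-issue after device loss: new generation, old sessions die.
        cred = self.credentials.setdefault(user, Credential(user))
        cred.generation, cred.revoked = cred.generation + 1, False
        return cred

    def login(self, user):
        cred = self.credentials[user]
        if cred.revoked:
            raise PermissionError("credential revoked")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, cred.generation, self.now())
        return token

    def revoke_credential(self, user):
        # Offboarding or compromise: flag it and purge eagerly; validate() still
        # catches any session copy (e.g. in another cache) that the purge missed.
        self.credentials[user].revoked = True
        self.credentials[user].generation += 1
        self.sessions = {k: s for k, s in self.sessions.items() if s.user != user}

    def validate(self, token):
        s = self.sessions.get(token)
        cred = self.credentials.get(s.user) if s else None
        if (s is None or cred is None or cred.revoked or cred.generation != s.generation
                or self.now() - s.issued_at > self.max_lifetime):
            self.sessions.pop(token, None)
            return False
        return True
```

Wiring the same generation check into a refresh-token or SSO token validator gives the same effect for long-lived tokens.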
Remote Work Accelerates Attacks on Credential Issuance and Reset
Because enterprises do more remote hiring than they used to, and because more employees work remotely, both credential issuance (via candidate fraud) and account recovery or credential reset are more exposed. In-person verification can help, but isn’t realistic for many enterprises, which means the problem needs to be solved another way.
The Cat-and-Mouse of Controls and Circumvention
Callback verification can be bypassed with SIM swap. Voice biometrics can be defeated by audio deepfakes. Video verification can be circumvented by face-swap attacks. Each time an organization adopts a new control, attackers find a workaround. Process discipline and technology that continuously verifies identity across interactions are the only defenses that keep pace. And continuous identity verification is different because it builds a deeper understanding of an employee across every interaction over time, creating an evolving target that’s harder to replicate.
Enterprise Account Recovery Security: Building a Resilient Process
Building resiliency against attacks on your account recovery process starts with three things: guardrails that ensure help desk staff follows process and logs it for audit purposes, a requirement that a real human (such as the requester's manager) joins a call to vouch for them, and automated deepfake detection paired with continuous identity verification.
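As an added example (not the post’s or GetReal’s own code) of the guardrails described above: a recovery ticket that refuses to unlock a reset until every required verification step, including a vouch from the requester’s manager of record and a passing deepfake-check verdict, is on record, and writes each accepted or rejected action as a JSON audit line. The `MANAGER_OF` directory, the step names and the verdict values are constructed assumptions; the deepfake verdict is assumed to come from an external detector.

```python
import json
import time
from dataclasses import dataclass, field
# Constructed directory of record: requester -> the manager allowed to vouch for them.
MANAGER_OF = {"jdoe": "asmith", "asmith": "ceo"}
# Every step must be on record, with evidence, before a reset can be approved.
REQUIRED_STEPS = ("identity_questions", "manager_vouched", "deepfake_check")

@dataclass
class RecoveryTicket:
    ticket_id: str
    requester: str
    agent: str
    steps: dict = field(default_factory=dict)  # step -> evidence supplied by the agent
    audit: list = field(default_factory=list)  # append-only JSON lines for later audit

    def _log(self, event, **details):
        entry = {"ts": time.time(), "ticket": self.ticket_id, "agent": self.agent,
                 "requester": self.requester, "event": event, **details}
        self.audit.append(json.dumps(entry, sort_keys=True))

    def events(self):
        return [json.loads(line)["event"] for line in self.audit]
    def record(self, step, **evidence):
        # Record a completed verification step; refuse and log anything the process forbids.
        reason = None
        if step not in REQUIRED_STEPS:
            reason = "unknown step"
        elif step == "manager_vouched":
            voucher = evidence.get("voucher")
            if voucher != MANAGER_OF.get(self.requester):
                reason = "voucher is not the requester's manager of record"
            elif voucher == self.agent:
                reason = "agent may not vouch on their own ticket"
        elif step == "deepfake_check" and evidence.get("verdict") != "authentic":
            reason = "deepfake verdict was not 'authentic'"
        if reason:
            self._log("step_rejected", step=step, reason=reason)
            return False
        self.steps[step] = evidence
        self._log("step_completed", step=step, evidence=evidence)
        return True

    def approve_reset(self):
        # The credential/MFA reset is only unlocked when every required step is on record.
        missing = [s for s in REQUIRED_STEPS if s not in self.steps]
        if missing:
            self._log("reset_denied", missing=missing)
            return False
        self._log("reset_approved")
        return True
```

Shipping `audit` to a SIEM gives responders the per-ticket record of who verified what, which is the evidence a post-incident review of a help desk compromise needs.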
Strengthening Enterprise Account Recovery with Deepfake Detection and Identity Verification
The end goal for an enterprise should be to know its employees better than an adversary can by stitching together LinkedIn profiles and breached data sets, and so be better able to recognize an authentic employee than a cybercriminal can duplicate one. That requires a combination of relationships and process, but also AI-powered technology.
The GetReal Trust and Authenticity Platform delivers exactly that — forensic-grade deepfake detection combined with continuous identity verification across all digital interactions and channels over time – the exact interactions and channels attackers use to exploit the credential lifecycle. That way IT service desk staff can stay focused on serving employees with the platform handling the rest.
Ready to see it in action? Get a demo.