Another year, another new set of cybersecurity threats to overcome, outwit and mitigate against. At the beginning of 2021, the cybersecurity world was informed by CISA (the USA Cybersecurity and Infrastructure Security Agency) of a spate of attacks targeting cloud environment configurations, supposedly occurring as a result of the increase in remote working.
Once you add to the mix the fact that corporate and personal devices were being used – often simultaneously – to access cloud services, the stage was set for various malicious actors to utilize an array of criminal tactics to access data. Among the usual brute force login attempts and phishing attacks, there was a noted increase in what has become known as ‘pass-the-cookie’ attacks, a relatively new method of cybercrime which it would be a good idea to become familiar with if you aren’t already. While the U.S. federal regulation of cookies goes some distance towards assisting with the mitigation of attacks, we need to stay updated and vigilant beyond that.
What Are Pass-The-Cookie Attacks?
For better or worse, we’ve become used to cookies as an integral part of online life. Though you might be aware that selective cookie deletion can help to find better deals on flights and hotels, due to the way data is stored, when we start looking into the complexities and possibilities for cybercrime that cookies create, it becomes increasingly clear that attacks which rely on cookies can be used to compromise assets, steal data and reach deep into databases to access sensitive information.
In pass-the-cookie attacks, cyber criminals are able to use stolen ‘session’ cookies (also known as transient cookies) in order to authenticate themselves to web services, thus bypassing security measures like MFA because the session has, for all intents and purposes, been authenticated. It isn’t hard to see the logic behind this. After all, such cookies are essentially a measure of convenience, which stops credentials from being passed on and ends the need for regular re-authentification. As such, they tend to remain valid for some time.
Should these cookies fall into the wrong hands, however, they can be imported into a cybercriminal’s browser, allowing them to continue to access a site or app for as long as the cookie is activated. Cookie forging attacks of this kind provide plenty of time to move laterally through a site, gaining access to sensitive data and emails or enabling the criminal to perform actions as the victim’s account.
Despite being a relatively little-known term, pass-the-cookie attacks aren’t exactly a new approach. Indeed, according to information security experts, they’re actually a reasonably standard form of infiltration. Cybercriminals skilled at gaining access to session cookies will continue to use them as part of their arsenal alongside malware such as cookie miner and similar methods.
How to Counter Pass-The-Cookie Attacks
As in the case with any type of cybercrime, there are no fool-proof methods for avoiding attacks all the time. However, with the use of vulnerability management best practices, common sense and company security protocols which keep the ever-changing landscape of cybercrime in mind, there are ways of mitigating risk and keeping your data safe.
When it comes to pass-the-cookie attacks, there are several ways to increase your data security. However, it’s important to note that – once again – none can guarantee absolute protection, and none are without their own drawbacks. Despite this, any effort to outwit the cybercriminals is often enough to put off opportunists and increase your peace of mind.
Let’s have a look at four of the best ways of increasing your system’s safety.
1. Make Use of Client Certificates
It’s always a good idea to give users a persistent token which will then be securely stored on their system and which can be used for every subsequent server connection. Most administrators achieve this by making use of client certificates stored in their profile on the system.
This is generally regarded as one of the most secure options for combating pass-the-cookie attacks. However, logistically it presents a number of issues. Most pertinently, it can only be used for applications with a limited number of users – for example, for systems run by business partners who require access to internal online applications or a B2B system. As soon as you consider scaling this option, it isn’t difficult to see where the problems arise. As such, it wouldn’t be suitable for eCommerce sites, where potential audience numbers stretch to global proportions.
2. Use Dynamic Tokens
Dynamic tokens, which change at regular intervals in order to heighten security, are another potential option. By reducing the window of opportunity for a breach, they limit cybercriminal activities, as there generally isn’t time to leverage the token before it becomes invalid.
It is, of course, important to mention that limiting the opportune time for attack is not the same as mitigating an attack, and today’s cybercriminals tend to be precise, fast-acting and aware of how dynamic tokens affect their operations.
3. Require Further Identifying Criteria
Another option is to add further context besides the token in order to verify the identity of a request. Many companies, for example, use a source IP address of each request in this way.
Again, there are problems here. Proxies are commonly used by cybercriminals, which shields their identity. Should the cybercriminal attack from within the same public place or organization (for example, in a cafe or company building), then both the attacker and the victim will be using the same IP, thus both being identified as a legitimate user.
4. Browser Fingerprinting
Making use of browser fingerprinting has garnered no shortage of controversy. In much the same way as cookies do, fingerprinting allows for user tracking but without providing the user any option to refuse. As we know, cookies can be easily disabled or refused, yet fingerprinting removes this element of choice and is as such a less popular option.
Despite this, fingerprinting is still one of the most convenient methods for adding an element of identifying context to any request and ensuring the user is exactly who they claim to be.
Tackling Pass-the-Cookie Attacks and Increasing Data Security
There’s no doubt about the fact that pass-the-cookie attacks are on the rise or that cybercriminals continue to keep pace with efforts to thwart them. With the right approaches, an insistence on consistent security protocols and lateral (i.e. adversarial) thinking when it comes to safety and data privacy, there are solid solutions to protect data from this type of crime.
About the Author: Bernard Brode (@BernieBrode) is a product researcher at Microscopic Machines and remains eternally curious about where the intersection of AI, cybersecurity, and nanotechnology will eventually take us.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.