With the rise of phishing-resistant tools like passkeys, securing accounts with Multi-Factor Authentication (MFA) is more effective than ever. However, cybercriminals are targeting the weakest link – people – to bypass these strong defenses.
With this in mind, we must shift how we approach identity security to better protect IT help desk teams and enable them to verify users securely.
IT Help Desk Teams are Becoming a Top Attack Vector
IT help desk teams have emerged as a popular target for attackers, which was showcased most recently in the MGM breach. In this case, it took 10 minutes for an attacker to convince a help desk technician to reset a target's account, granting them unauthorized access.
Unfortunately, the MGM incident is far from isolated, and we can expect such attacks to continue. Let’s not forget the LAPSUS$ attacks from last year, which similarly used social engineering to target customer support call centers and help desks.
The importance of addressing these weaknesses is underscored by Gartner, which identifies "account recovery due to forgotten passwords or lost credentials" as the highest-risk event in the identity management life cycle.
Not only does this pose a substantial security risk, but it also carries a hefty price tag. Forrester estimates that each password reset costs an organization a staggering $70. These costs add up rapidly and can significantly impact a company's bottom line.
Securing the User Verification Process
Mature organizations are now looking at ways to involve their IT help desk teams in their broader identity security program. This often starts with a clear outline of responsibilities, such as in a RACI matrix (if you’d like to read more about this process, check out our Blueprint for Building an Identity Security Program).
The key lies in enhancing user verification processes.
- Empower Helpdesk Personnel with Identity Data: Provide help desk personnel with the context and information they need to verify the identity of individuals calling in to reset credentials.
- Challenge the User: Implement challenge questions, require managerial approval, or send one-off push notifications.
- Track Reset Activities: Analyze known accessed applications and monitor activities following a reset. Track the history of reset factors and the use of bypass codes to detect suspicious reset behavior.
Achieving these objectives hinges on providing IT help desk teams with better access to identity data, enabling them to make informed decisions and reduce security weaknesses in the reset process.
Use Identity Threat Detections as a Failsafe
Even with robust user verification processes in place, there's always a chance that malicious activity can slip through the cracks. This is where identity threat detection comes into play. By continuously monitoring and analyzing system activity, you can swiftly respond to potential threats.
Keep a close eye on admin and factor anomalies, such as administrators taking unusual actions or users accessing their accounts from atypical devices or locations. There are plenty of resources available online for creating SIEM detections for these types of anomalies. Check out https://sec.okta.com/shareddetections.
Oort’s Capabilities Enable IT Help Desk Teams
Over the past few months, we have worked with our customers to develop capabilities supporting the IT help desk team.
When an employee calls the help desk, they use Oort to help verify the caller's identity by asking questions about their profile. Oort’s User 360 profiles contain rich context on the activities of a user, as well as their static entitlement data. For example, they can immediately access all attempted logins, registered MFA factors, associated devices, typical locations, and much much more. Help desk teams will use this information to craft questions that only that user can answer.
They can initiate an MFA Push directly from the actions menu to go one step further. This button lets support teams send a one-off push notification to the user’s phone. The response will be recorded within the Activity tab of the user profile.
If the request looks legitimate, the agent may then proceed and reset MFA factors. This can be done across all identity providers, saving precious time logging in to multiple platforms.
In addition to these preventative controls, Oort offers a wide range of reactive detections. This includes detecting:
- Password and factor resets
- Attempted logins from a new device
- Impossible travel
- Logins from administrator accounts
You can read more about Oort’s identity threat detection checks here: https://docs.oort.io/oort-insights/identity-threat-detection-insights
Summary: Empower Your IT Help Desk Teams
We know that any effective identity security program must combine Identity Security Posture Management and Identity Threat Detection and Response capabilities. Now, in light of recent attacks, we need to ensure that the IT help desk persona is involved and enabled.
Contact us today to learn how we can help you protect what matters most. We can provide you with advice on the most effective SIEM detections.
Oort is now part of Cisco, enabling us to further extend our user protection by aligning with Cisco Duo and Cisco Secure Access. If you want to learn more about how Oort can help IT help desk teams, you can request a demo today.