To prevent cookie theft, have cyber defense baked in. With progressive web apps (PWA) and other relatively new protective efforts in place, how can you be sure you’re defending against today’s attackers? Here’s what enterprise needs to know about the rumbling threat of pass-the-cookie attacks, how current cloud and mobile frameworks like PWAs can empower these attacks, and what security teams can do to help reduce total risk.
Beyond Multifactor Authentication
MFA solutions are now table stakes for companies looking to secure in-office and at-home networks at the same time. By pairing multifactor authentication (MFA) with intelligent identity and access management (IAM) tools, companies can request more verification from users as needed to ensure their identity. This is critical in a world underpinned by robust remote work. Enterprises need to ensure that users accessing critical services are exactly who they say they are, every single time.
But threat actors aren’t about to be deterred by MFA. Instead, they’ve developed ways to bypass it using ‘pass-the-cookie’ attacks, using progressive web apps (PWAs) to mimic real users. These allow them to gain network access without the need for MFA verification. The risk of not having MFA is still real, but we also need to think a step beyond it.
What Security Risks Are Associated With Cookies?
Cookies remain a critical component of online life. And while companies are now obliged to be more transparent about cookie collection and consumption, another problem remains. If attackers can get their hands on post-MFA cookies, they may be able to bypass further attempts and gain full access to enterprise networks. This is the crux of cookie hijacking, also known as session hijacking.
In practice, cookie hijacking relies on the stateless nature of HTTP. This means it naturally separates each operational request — such as users looking for access to a corporate network, bank account or e-commerce account — into separate processes. As a result, web-based apps can’t ‘remember’ users. Using only HTTP would be extremely frustrating, with login and password details required for every task.
Sessions help solve this problem by providing a cohesive marker that covers a series of interactions between two devices. When the session ends, its relevant details are deleted to help ensure other users can’t gain access. The problem? If attackers are able to hijack sessions while they’re running, they may able to steal key session details — or cookies — that can then be used to disguise themselves as authorized users and carry out specific actions.
MFA and Beyond
MFA, meanwhile, provides a way to verify users before a session begins. Consider a corporate user logging into their privileged business account. Robust MFA tools may require them to provide one-time text codes or biometric data along with login and password details to prove who they are and grant access to high-level IT services or tasks. What MFA can’t prevent, however, is session hijacking. If attackers are able to eavesdrop on user sessions and obtain cookie data, they can use that to open a new browser session that’s already verified, in turn bypassing any MFA checkpoints.
This is becoming a bigger problem as more companies leverage MFA solutions as sure-fire gatekeepers for user access. If hijacking happens behind the scenes, compromised cookies may go unnoticed because session IDs show users as verified, in turn giving attackers more time to exploit network operations.
But does this have to be the way the cookie crumbles?
Living off the Land
To starve attackers of potential cookie paydays, it’s critical for companies to see the common risk factors that come with session stealing. That’s because these threats exist as part of the broader classification of living off the land (LotL) attacks — compromise vectors that leverage trusted infrastructure and services to infiltrate corporate networks. These LotL efforts are paradoxical. As enterprises get better at detecting and defeating common attack vectors, attackers turn to mission-critical processes to work their way behind corporate lines and establish persistent operations.
The most well-known LotL attacks take the form of fileless malware that use popular tools, such as PowerShell to infiltrate enterprise systems without being detected and gain unfettered network access. Cookies comprise another type of LotL attack that is less common but no less damaging. By hijacking session information and repurposing it in a new browser session, malicious actors can bypass some of the strongest defensive measures currently available to enterprise.
Even worse? Because MFA is often seen as the gold standard of user-based defense, supposedly validated users leveraging stolen cookies aren’t seen as potential threats until they start taking big bites out of IT operations — and leaving a trail of crumbs in their wake.
Unpacking New Cookie Concerns
Although any HTTP session has the potential to create cookie compromise, several factors have conspired to increase this risk at scale.
First up? The rapid rise of remote work, which has in turn prompted massive adoption of cloud-based and mobile services. Those rely on cookies to help streamline identity operations and reduce functional friction.
IT teams focus on managing the sudden shift away from in-office efforts to home-based networks and preparing for the hybrid future of enterprise staffing. Meanwhile, attackers gain a dual advantage. There are more cookies to go around and fewer people watching the jar. This is becoming more of a problem as personal devices become the de facto standard for privileged access both at home and in the office. It creates an issue for many companies that offer limited resources for monitoring and control.