6.4.1. Provisioning, Deprovisioning, and Access Reviews
💡 First Principle: Credential attacks exploit the weakest link in authentication: the human-chosen secret. Despite decades of evidence that humans choose predictable passwords, most authentication systems still rely on them as the primary factor. Understanding how credential attacks work directly motivates the adoption of MFA, passwordless authentication, and behavioral detection.
Credential attack taxonomy:
| Attack | Method | Requirement | Detection | Defense |
|---|---|---|---|---|
| Brute force | Try all character combinations | Time (exponential) | High-volume failed attempts | Account lockout; MFA |
| Dictionary attack | Try wordlists of common passwords | Password list | Failed attempts | Strong password policy; MFA |
| Password spraying | Try a few common passwords against many accounts | Username list | Distributed, low-volume failed attempts | Behavioral analytics; impossible travel detection |
| Credential stuffing | Use breached username/password pairs from other sites | Breach database | Unusual login patterns; geo anomalies | MFA; breach monitoring (HaveIBeenPwned); unique password enforcement |
| Phishing | Trick user into entering credentials on fake site | User error | Email gateway; user reporting | MFA (ideally phishing-resistant); security awareness; DMARC |
| Man-in-the-browser | Malware intercepts credentials as user types | Endpoint compromise | EDR; behavioral | Endpoint security; FIDO2 |
| SIM swapping | Social engineer telecom to reassign phone number | Social engineering skill | Account takeover from new device | Avoid SMS MFA; use TOTP or FIDO2 |
| Golden Ticket (Kerberos) | Forge TGT using KRBTGT hash | Domain Admin compromise first | Anomalous TGT characteristics | Protect DCs; rotate KRBTGT; Privileged Access Workstations |
| Pass-the-Hash | Use NTLM hash directly without cracking password | Hash extraction from memory | Credential access alerts; lateral movement detection | Credential Guard; disable NTLM; PAM |
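The detection column above turns on a few countable signals: many failures against one account from one source (brute force or dictionary), one or two attempts each against many accounts from one source (spraying), and one attempt per account with an unusual number of successes (stuffing with breached pairs). The following Python is an added example, not code from the page; the log format, the thresholds, and the success-ratio heuristic that separates spraying from stuffing are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Classify failed-login patterns in an authentication log.

Added example, not from the page: the log format, the thresholds and the
heuristic that separates spraying from stuffing are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real data). Fields: time, source IP, user, result.
SAMPLE_LOG = "\n".join(
    # one source, one account, many failures -> brute force / dictionary attack
    [f"2024-05-01T08:00:{i:02d} 203.0.113.5 alice FAIL" for i in range(12)]
    # one source, many accounts, one failure each -> password spraying
    + [f"2024-05-01T08:05:{i:02d} 198.51.100.7 {u} FAIL"
       for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])]
    # one source, many accounts, one try each, several succeed -> credential stuffing
    + [f"2024-05-01T08:10:{i:02d} 192.0.2.9 {u} {r}"
       for i, (u, r) in enumerate([("bob", "FAIL"), ("carol", "OK"), ("dave", "FAIL"),
                                   ("erin", "OK"), ("frank", "FAIL"), ("grace", "FAIL")])]
    # a normal user logging in from the office network
    + ["2024-05-01T08:15:00 10.0.0.4 alice OK"]
)

# Thresholds are assumptions; tune them to the tenant's normal failure rate.
BRUTE_FORCE_FAILS = 10   # failures against one account from one source
SPRAY_MIN_USERS = 5      # distinct accounts touched by one source
SPRAY_MAX_PER_USER = 2   # sprayers keep per-account attempts under lockout thresholds
STUFF_MIN_SUCCESS = 2    # breached pairs tend to yield some successes; sprays rarely do


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    src: str
    user: str
    ok: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse whitespace-separated lines into events; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, user, result = line.split()
        events.append(AuthEvent(ts, src, user, result == "OK"))
    return events


def classify(events: list[AuthEvent]) -> list[tuple[str, str, str]]:
    """Return (pattern, source IP, detail) findings for each suspicious source."""
    per_src = defaultdict(lambda: defaultdict(lambda: {"fail": 0, "ok": 0}))
    for e in events:
        per_src[e.src][e.user]["ok" if e.ok else "fail"] += 1

    findings = []
    for src, users in per_src.items():
        successes = sum(c["ok"] for c in users.values())
        # vertical pattern: one account hammered from one source
        for user, counts in users.items():
            if counts["fail"] >= BRUTE_FORCE_FAILS:
                findings.append(("brute_force", src, f"{counts['fail']} failures vs {user}"))
        # horizontal pattern: many accounts, few attempts each
        if len(users) >= SPRAY_MIN_USERS:
            attempts_per_user = [c["fail"] + c["ok"] for c in users.values()]
            if max(attempts_per_user) <= SPRAY_MAX_PER_USER:
                if successes >= STUFF_MIN_SUCCESS:
                    findings.append(("credential_stuffing", src,
                                     f"{len(users)} accounts, {successes} successes"))
                else:
                    findings.append(("password_spraying", src, f"{len(users)} accounts"))
    return findings


if __name__ == "__main__":
    for finding in classify(parse_log(SAMPLE_LOG)):
        print(finding)
```

The per-source grouping is what makes spraying visible: no single account crosses a lockout threshold, so an alert keyed on failures per account never fires, while an alert keyed on distinct accounts per source does. A real deployment would also bucket by time window and by ASN, since sprayers rotate source addresses.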
Zero Trust response to credential compromise: Even with a stolen credential, Zero Trust controls limit damage: device posture check (is this a managed device?), location check (is this a known location for this user?), risk-based authentication (unusual activity → step-up authentication). The credential alone is insufficient — the attacker must also pass the contextual controls.
⚠️ Exam Trap: Account lockout is a DoS vector. An attacker who knows valid usernames can lock out accounts by repeatedly entering wrong passwords, denying legitimate users access. This is why lockout policies must be balanced with account unlock self-service and monitoring. CAPTCHA and progressive delays (exponential backoff) are alternatives that slow attackers without enabling lockout-based DoS against legitimate users.
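The trade-off in this trap is easiest to see side by side: a lockout counter stops the legitimate user cold once an attacker has burned the threshold, while a progressive delay lets every attempt through but makes each guess cost more time. The Python below is an added example, not code from the page; the threshold (5 failures), the free attempts (3), the 1 s base and the 300 s cap are assumed values.

```python
"""Account lockout versus progressive delay (exponential backoff).

Added example, not from the page; the thresholds (5 failures to lock,
3 free attempts, 1 s base delay, 300 s cap) are assumptions.
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 5      # failures before the account is locked
FREE_ATTEMPTS = 3          # failures tolerated before any delay is imposed
BASE_DELAY_S = 1.0
MAX_DELAY_S = 300.0


def required_delay(failures: int) -> float:
    """Seconds the next attempt must wait after `failures` consecutive failures."""
    if failures < FREE_ATTEMPTS:
        return 0.0
    return min(MAX_DELAY_S, BASE_DELAY_S * 2 ** (failures - FREE_ATTEMPTS))


def attack_cost_seconds(guesses: int) -> float:
    """Total wall-clock delay an attacker pays to submit `guesses` wrong passwords."""
    return sum(required_delay(k) for k in range(guesses))


class LockoutPolicy:
    """Classic lockout: after the threshold nobody can log in until an unlock."""

    def __init__(self):
        self.failures = defaultdict(int)

    def record_failure(self, user: str) -> None:
        self.failures[user] += 1

    def record_success(self, user: str) -> None:
        self.failures[user] = 0

    def can_attempt(self, user: str) -> bool:
        return self.failures[user] < LOCKOUT_THRESHOLD

    def delay_for(self, user: str) -> float:
        return 0.0


class BackoffPolicy:
    """Progressive delay: attempts are always allowed, but the wait doubles."""

    def __init__(self):
        self.failures = defaultdict(int)

    def record_failure(self, user: str) -> None:
        self.failures[user] += 1

    def record_success(self, user: str) -> None:
        self.failures[user] = 0

    def can_attempt(self, user: str) -> bool:
        return True

    def delay_for(self, user: str) -> float:
        return required_delay(self.failures[user])


def legit_user_can_login_after(policy, attacker_guesses: int) -> bool:
    """Attacker burns wrong guesses against 'alice'; can alice then still try?"""
    for _ in range(attacker_guesses):
        if policy.can_attempt("alice"):
            policy.record_failure("alice")
    return policy.can_attempt("alice")


if __name__ == "__main__":
    print("20 guesses cost the attacker", attack_cost_seconds(20), "s of delay")
    print("lockout: alice can log in:", legit_user_can_login_after(LockoutPolicy(), 20))
    print("backoff: alice can log in:", legit_user_can_login_after(BackoffPolicy(), 20))
```

Note the residual cost: with a per-account delay the attacker's failures still leave the legitimate user waiting the full cap on her next attempt. Keying the delay on the (source, account) pair and pairing it with CAPTCHA keeps that cost off the real user while still slowing the guesser.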
Reflection Question: An attacker uses credential stuffing to authenticate to a company's VPN using credentials stolen from a different breach. The company uses single-factor authentication. Once on the VPN, the attacker accesses the internal network for three weeks before detection. Describe a layered IAM architecture that would have detected or prevented this breach at each stage: initial authentication, post-authentication anomaly detection, and lateral movement limitation.