Many companies, while pursuing higher security for their infrastructure, seek Identity Assurance Level 3 (IAL3) as the next level of protection. A common mistake is to treat it as merely a compliance checkmark with minimal value. In multiple case studies by Trust Swiftly, we have seen cases where IAL3 would have been a critical blocker to various attack scenarios.
From nation-states to sophisticated hired hackers, these actors would have been caught early by a more robust identity verification process. The cost of allowing these threats into a system can amount to tens of millions of dollars, and becomes unquantifiable when they result in stolen intellectual property or create future attack vectors. The key point is that IAL3 will become a more common defense throughout organizations as traditional defenses continue to be exploited.
Traditional controls are never meant to last forever; eventually they are breached, letting an insider through. Having lived on a former naval base with a minimal perimeter, it is easy to see that the walls were never the sole protector. Instead, the people inside were critical in patrolling the overall health of the base. IAL3 is another way to patrol the identity aspect of your organization, because it can be deployed anytime and anywhere.
Threat actors are often unaware of the techniques used in IAL3 processes, which provides plenty of opportunities to turn the tables on them. A threat actor might be inside your system, but when they encounter the task of completing an IAL3 verification, it becomes a new challenge they likely cannot solve in real time. While threat actors are skilled at surveillance and playbook operations, they often fail under the duress of time-sensitive, unprepared reactions.
For example, if you breached a base and were wandering around to discover important information, you would be foiled if you were stopped for a thorough identity verification check. The patrol should not always raise the full base alarm, as that could prevent them from discovering more insiders. The threat actor also has no idea if they have been allowed free rein in some cases to be led astray or fed false information.
We will walk through real-life case studies where IAL3 would have better protected companies and governments.
The first case involves hiring software vendors that act as proxies for nation-states. Validating employees and government associations is critical when deploying new technology. It is common practice for nation-states to obscure associations in order to get backdoors into other countries by acting as non-state-sponsored vendors.
We discovered one such association through an identity verification company that held Russian government contracts. At first glance there was no public association with Russia; however, a thorough identity verification uncovered an entire trove of intelligence about their operation. While background checks on employees, contractors, and founders should have discovered this, such bad-actor companies can have their employees easily change their stated location and associations. LinkedIn profiles, IDs, and background checks are easy to fake. We have seen another identity verification company whose many foreign developers vanished from LinkedIn once relations went south, so that the company suddenly appeared completely American.
IAL3 would have allowed for a more thorough review of each employee and their true country of origin. Instead, this identity verification company procured contracts with the US government through the DHS. A simple lapse in review opened the door to unknown exploitation. Even worse, this company had associations and development work with the GRU, the Russian military intelligence service. The contract was eventually canceled, but the damage was likely already done.
The next case involves China, a country that has long deployed tactics to surveil companies through complex fronts. In this case, a public company was used for investor fraud. The technology was offered as 5G research, but the founder and associates had key connections with politicians who were members of the Chinese Communist Party.
A quick identity check would never discover these associations. This company was masquerading as an American company, but behind closed doors, the owners' political involvement would have made most investors run. The key to discovering the fraud was through in-person verification, which identified multiple inconsistencies with the actual operation location.
IAL3, in this case, would have exposed the sham much earlier by verifying the true identities and locations of the principals, saving hundreds of millions in investor losses. Instead, the company operated for over 4 years before being delisted by NASDAQ.
The last case illustrates the importance of IAL3 through enterprise espionage. Here, a competitor went to extreme lengths to attack its competition, seeking customer lists and proprietary technology.
The exploit was heavily aided by an insider whom the exposed company had mistakenly hired. Their initial background checks failed to detect the insider threat that could steal trade secrets. Only through Varonis security detection were they first alerted to a potential compromise. This insider provided the access needed for persistent exploitation and worked with a non-government commercial hacking organization to exfiltrate the data. They hired that organization under the cover of blue-team defensive exercises, allowing behind-the-scenes offensive operations that aided the compromise.
Here, IAL3 could have been an early preventative measure during the hiring process, detecting the false information and hidden connections. An extra layer of verification for every employee is the difference between a complete system compromise and keeping your organization secure. The exploited organization could also have identified the threat earlier in the relationship if it had thoroughly reviewed the employees who had nation-state relations in the Middle East.
In review, these three cases have benefited the attackers by billions in economic value. Insider threats are extremely cheap exploits to deploy with a tremendous payoff. This is why the minuscule cost of an IAL3 verification pays for itself almost immediately.
Compared with the alternatives, applying verification levels such as IAL3 is a much simpler way to protect a company. As organizations grow larger, it becomes more challenging to track the identity of each person. Small companies carry the same risk, as they too can mistakenly hire a nation-state actor. Identity verification must move from working behind the scenes to being fully visible and present.
Finally, IAL3 cannot simply be a once-and-done process; it requires constant tuning and modification to continually prune bad actors.