Staying Ahead of Threat Actors with Amazon Cognito, Featuring Dynata (IAM302)

Title: AWS re:Inforce 2024 - Staying ahead of threat actors with Amazon Cognito, featuring Dynata (IAM302)

Insights:

  • Expansion of Online Business and Risks: The session highlights the rapid expansion of online business, which has enlarged the threat surface and raised risk, particularly of account takeover attacks. The 2023 Internet Crime Report shows a significant rise in scams and account takeover incidents.
  • Identity-Centric Security Approach: Emphasizes the importance of an identity-centric approach to security, where stopping fraud at the identity layer can prevent much downstream fraud. This includes using adaptive, risk-based authentication and monitoring user behavior.
  • Layered Security Approach: Advocates for a layered security approach with multiple security controls at different stages of identity traffic. This includes network protection with AWS WAF, threat detection with Amazon Cognito's advanced security features, and custom business logic validations using Lambda triggers.
  • Amazon Cognito Features: Amazon Cognito offers out-of-the-box security features such as verifying user accounts, risk-based authentication, and detecting compromised credentials. It also integrates with AWS WAF for additional protection against volumetric attacks.
  • Dynata's Implementation: Dynata, a market research company, successfully integrated Amazon Cognito to manage user authentication across 200+ websites with 70+ million users. They used a combination of WAF, Lambda extensions, and advanced security features to reduce password stuffing attempts and improve user security.
  • Best Practices and Lessons Learned: Dynata shared best practices such as using SRP offload, making attributes read-only, and protecting against password stuffing. They also highlighted some limitations and challenges faced during implementation, such as the need for custom takeover notifications and configuring messaging settings.
  • Monitoring and Detection: Emphasizes the importance of monitoring identity traffic and baselining it using CloudWatch and CloudTrail. Setting up alarms and analyzing logs can help detect and respond to threats quickly.
  • Actionable Recommendations: The session concludes with actionable recommendations, including activating firewalls, preparing dashboards, evaluating advanced security features, implementing CAPTCHA, and conducting regular penetration testing and incident response drills.
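The "custom business logic validations using Lambda triggers" from the layered approach above, and the custom takeover notification Dynata said it had to build itself, sketched as one Cognito user pool trigger handler. This is example code added here, not the talk's or Dynata's own code; the allowed sign-up domains and the `custom:locked` attribute are assumed business rules.

```python
# Cognito user pool Lambda trigger with custom business rules (example added
# here for illustration, not the talk's or Dynata's code). Assumed: a set of
# allowed sign-up domains and a custom:locked attribute maintained by the business.
import re

ALLOWED_SIGNUP_DOMAINS = {"example.com", "example.org"}  # assumed business rule
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")

def pre_sign_up(event):
    """PreSignUp: reject unexpected email domains; never auto-confirm."""
    m = EMAIL_RE.match(event["request"]["userAttributes"].get("email", ""))
    if not m or m.group(1).lower() not in ALLOWED_SIGNUP_DOMAINS:
        raise ValueError("sign-up not permitted for this email domain")
    event["response"]["autoConfirmUser"] = False  # keep Cognito's verification
    event["response"]["autoVerifyEmail"] = False
    return event

def pre_authentication(event):
    """PreAuthentication: raising here makes Cognito deny the sign-in."""
    if event["request"]["userAttributes"].get("custom:locked") == "true":
        raise ValueError("account locked by business rule")
    return event

def new_device_notice(event):
    """Build the custom takeover-style notice for a sign-in from a new device."""
    if not event["request"].get("newDeviceUsed"):
        return None
    return {"user": event["userName"],
            "client_id": event["callerContext"]["clientId"],
            "reason": "sign-in from a device not previously seen on this account"}

def post_authentication(event):
    """PostAuthentication: deliver the notice (stdout here; SES/SNS in practice)."""
    notice = new_device_notice(event)
    if notice:
        print("NOTIFY", notice)
    return event

TRIGGERS = {
    "PreSignUp_SignUp": pre_sign_up,
    "PreAuthentication_Authentication": pre_authentication,
    "PostAuthentication_Authentication": post_authentication,
}

def lambda_handler(event, context):
    """Dispatch on triggerSource; other trigger sources pass through unchanged."""
    return TRIGGERS.get(event.get("triggerSource"), lambda e: e)(event)
```

Each trigger must return the event object it received; an exception in a pre-sign-up or pre-authentication trigger is surfaced to the client as a failed request, which is how the business rule blocks the flow.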

Quotes:

  • "Online business is expanding like never before... with expanding the online business, this also expands your threat surface and it brings more risks to your application."
  • "Identity is becoming the new security boundary of these online businesses. Users come, sign up, sign in, and you can stop more fraud at the identity layer than you can imagine."
  • "Amazon Cognito is a managed customer identity and access management service... it comes backed with out-of-the-box security features available to your application."
  • "We went from having three different auth services we were trying to balance, three different tokens, all these different things going on at once, and we were able to bring it down to a single authentication service."
  • "We've gone from 96 million password stuffing attempts on a given day down to about 1,000. Threat actors are not as interested when it's difficult to do what they're trying to do."
  • "Implementing simple things like CAPTCHA on your public endpoints is helpful. It's not bulletproof, but it helps."
  • "Run penetration testing and examine your incident response runbook at least once a year. It's better if you do this quarterly, but this will allow you to stay ahead of threats and be ready, when you detect any threat pattern, to start acting immediately."