WTF is Evil Proxy?

It sounds like something from a modern Sci-Fi Horror movie. But from a functional perspective, Evil Proxy is nothing new. If you’ve ever studied the details of a Man-in-the-middle attack, you already know how Evil Proxy works. It’s a tool that facilitates network hijacking, allowing a malicious actor to steal information sent or received through a network connection. 

While the technique isn’t new, Evil Proxy itself is. We’ve reached a point in history where it’s common for hacker tools to be bought and sold on a subscription basis—just like practitioner tools. For $500/month, a bad actor can get their own cloud-hosted and anonymous Evil Proxy server. Now that anyone can use generative AI to craft incredibly convincing phishing emails, Evil Proxy is one of the few tools that can render MFA and user training useless.


Why is it so Effective?

Imagine you’re a busy employee—something we can all relate to. You get a notification from AWS about a service they’re deprecating, which is a common notification for any cloud service. The email contains a link to access the AWS console so you can see how this affects your work.

Since the email looks exactly like other emails you often get from AWS, whom you generally trust, you don’t think twice about it being a phishing email, so you click. After an invisible redirect, you land on the real AWS login page. You put in your username, password, and MFA token, and you reach the page you were looking for—a real notice about a service deprecation. 

Little do you know that your connection has just been taken over by an Evil Proxy. With no sign of suspicion, you’ve just given up your authentication token, and a hacker is now using it to impersonate you. They set up their own MFA token for long-term access and begin rooting around in all the systems and workloads you have access to. Game over.


Your biggest advantage is Data.

If it’s so easy for malicious actors to break through your email filter and crack MFA, what chance do you have of catching an attack in progress? The one thing that you’ll always have that bad actors don’t is behavior data.

Your one true advantage comes from using the logs your SSO and cloud solutions already produce to find indications of an attack in progress. An IdP (Okta, Entra ID, Ping, etc.) lets you put controls in place, but it is not designed to help you operationalize the log data it produces.

Identity Threat Detection & Response

You can cover a lot of ground on the road to securing your identity perimeter by implementing identity threat detection & response (ITDR) practices. Detection & Response may make you think of expensive SOC teams running a custom operation 24x7. But in the modern world of identity security, automated solutions exist to help your existing team scale without the need to add a SIEM, build a SOC, or hire an MSSP.

ITDRs offer purpose-built and scalable solutions that include:

  • Real-Time Detections: Detection algorithms in IdPs can give you detections with up to 8-hour delays. Purpose-built ITDR solutions offer real-time detections that will never be delayed more than milliseconds.

  • Investigation Automation: IdPs will tell you that you need to pick up every detection and contact a user to find out if the ‘risky’ action that was just detected was done by the user. Behavioral detections can come with high false positives. So, purpose-built ITDR solutions give you automated investigation options that leverage alternate data sources and automatic user communications that sit out of band from MFA. Remember, more MFA when MFA has been cracked won’t help.

  • User-Specific Detections: Other solutions look at risky behavior patterns, but their detections are atomic and point-in-time: they don’t use the historical context of the user record in which the behavior was detected. Using that context significantly reduces false positives.
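To make the log-data advantage concrete, here is a small added example (not the post’s own code and not any vendor’s product logic) of the kind of detection an ITDR runs over IdP sign-in logs. It watches for the post-compromise step described above: a successful login followed shortly by enrollment of a new MFA factor, and it uses the user’s historical baseline of source networks to suppress the routine case. The log line format, the action names, the /24 network heuristic, the 30-minute window and all IP addresses are constructed assumptions for this example.

```python
"""Toy ITDR-style detection over constructed IdP sign-in log lines.

Flags a new MFA factor enrolled shortly after a login when the login came
from a network the user has never signed in from before. Enrollments that
happen entirely from familiar networks (a routine phone replacement, say)
are suppressed, which is the "historical context" idea from the text.
Field names and log format are constructed, not any vendor's schema.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Assumption: an enrollment this soon after a login is tied to that session.
ENROLL_WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str  # constructed names: "login.success" or "mfa.factor.enroll"
    ip: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line: ISO-time|user|action|source-ip."""
    ts, user, action, ip = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, action, ip)


def network_of(ip: str) -> str:
    """Coarse 'same network' key: the first three IPv4 octets (a /24)."""
    return ".".join(ip.split(".")[:3])


def build_baseline(history: Iterable[Event]) -> dict[str, set[str]]:
    """Per-user set of networks seen in past successful logins."""
    baseline: dict[str, set[str]] = defaultdict(set)
    for e in history:
        if e.action == "login.success":
            baseline[e.user].add(network_of(e.ip))
    return baseline


def detect(events: Iterable[Event], baseline: dict[str, set[str]]) -> list[dict]:
    """Return one alert per suspicious login -> new-factor-enrollment pair."""
    alerts: list[dict] = []
    last_login: dict[str, Event] = {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.action == "login.success":
            last_login[e.user] = e
        elif e.action == "mfa.factor.enroll":
            login = last_login.get(e.user)
            if login is None or e.ts - login.ts > ENROLL_WINDOW:
                continue  # no fresh session to tie this enrollment to
            known = baseline.get(e.user, set())
            if network_of(login.ip) in known and network_of(e.ip) in known:
                continue  # both steps from familiar networks: treat as routine
            alerts.append({
                "user": e.user,
                "login_ip": login.ip,
                "enroll_ip": e.ip,
                "seconds_after_login": int((e.ts - login.ts).total_seconds()),
            })
    return alerts


# Constructed sample data. 10.x addresses stand in for the corporate network;
# 203.0.113.x (a documentation range) stands in for an unfamiliar network.
HISTORY_LINES = [
    "2024-05-01T08:55:00|alice|login.success|10.1.2.40",
    "2024-05-02T09:01:00|alice|login.success|10.1.2.41",
    "2024-05-01T08:58:00|bob|login.success|10.1.3.15",
]

LIVE_LINES = [
    "2024-05-06T09:00:00|alice|login.success|203.0.113.7",    # unfamiliar network
    "2024-05-06T09:04:00|alice|mfa.factor.enroll|203.0.113.9",  # new factor 4 min later -> alert
    "2024-05-06T09:10:00|bob|login.success|10.1.3.22",         # familiar network
    "2024-05-06T09:12:00|bob|mfa.factor.enroll|10.1.3.22",      # routine enrollment -> suppressed
    "2024-05-06T13:30:00|alice|mfa.factor.enroll|10.1.2.40",    # outside window -> no alert
]


def run_demo() -> list[dict]:
    """Build the baseline from history, then run detection over the live lines."""
    baseline = build_baseline(parse_line(l) for l in HISTORY_LINES)
    return detect((parse_line(l) for l in LIVE_LINES), baseline)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run as written, only alice’s pair is reported: the login and the enrollment both come from a network absent from her baseline, four minutes apart. Bob’s enrollment is the routine case the baseline is there to suppress. A real deployment would replace the /24 heuristic with ASN or geolocation data and would raise the window to whatever the IdP’s session lifetime allows, but the shape of the logic is the same: a point-in-time signal gains or loses weight depending on that user’s own history.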

If you’ve ever shut your detections off (or ignored them) because they gave you too many false positives, or gave up on investigating them because contacting every employee is not an option, you’ll immediately see how an ITDR solution can help. 

Despite the hackers’ best attempts to render our protections useless, there’s one thing we always have on them: Log Data. With that data comes tremendous power, as long as it can be used at scale. And that’s what an ITDR is designed to do.
