RC RANDOM CHAOS

License audit caught a six-week account takeover

A six-week account takeover surfaced in a license audit that never checked access legitimacy. Why that gap is a control failure, not a breach.

· 8 min read
License audit caught a six-week account takeover

An account operated under unauthorized control for six weeks. It was found during a license audit, work that was scoped as routine inventory and expected to return nothing more than a seat count and a spend reconciliation.

This is not a breach story. It is a control failure. A breach names the outcome. A control failure names the condition that let the outcome persist. The account takeover is the outcome. The reason it survived for six weeks sits one level below that, in the controls that were supposed to govern who holds access and whether that access is still legitimate.

Identity is the boundary. In this case the boundary was crossed and stayed crossed because nothing in the environment revalidated it. The takeover did not require a control to be defeated. It required a control to be absent from the one process that touched the account during those six weeks. A control that is not enforced is not a control. Across this window, access validation was not enforced, so functionally it did not exist.

How the account was taken over is not confirmed. Whether data was accessed is not confirmed. Whether more than one account was involved is not confirmed. What is confirmed is narrow and it is enough. Unauthorized control of an account. A duration of six weeks. A discovery that came from a license audit and not from any access control.

The assumption going in was that a license audit is administrative. You count entitlements, match them against what is being paid for, flag the seats that are unused or over-provisioned, and close the report. It is treated as a finance-adjacent exercise. It was not treated as a security control, and it was not scoped as one here.

What actually failed is visible in the output of that audit. The environment contained an account under unauthorized control, and the audit ran against that environment and returned a valid-looking inventory. The compromised account presented as a licensed, active seat. To an audit that measures entitlement, an account under someone else’s control and an account under its rightful owner’s control look identical. Both consume a license. Both appear in the seat count. The audit had no basis to tell them apart, because telling them apart was never part of what it measured.

The gap is a scoping gap, not a detection failure inside the audit. A license audit answers how many and how much. It does not answer who, and whether they should. Access legitimacy sat outside the boundary of the exercise. The takeover was therefore invisible to it, and invisible by design rather than by accident. The audit did exactly what a license audit does. That is the problem. The process that came closest to the compromised account was structurally incapable of seeing the compromise.

The takeover persisted for six weeks because no control in its path validated access. Attacker sophistication is not the explanation, and it is not confirmed. The explanation is structural. Over the full six weeks, up to the point the audit surfaced it, nothing checked whether the identity holding that access was the identity that should have held it.

This is the trust window. Access to that account existed and was treated as valid. Trust was established and then assumed to hold, with no control re-verifying it. Under that condition, the only thing separating a takeover from its discovery is a control that revalidates access. No such control ran. The window stayed open until an unrelated process reached the account. That process was a license audit, and it reached the account after six weeks.

The audit was blind for a specific reason. It validated license state. It did not validate access state. Those are two different questions asked of the same account. An account can be correctly licensed and incorrectly controlled at the same time, and this one was. The audit confirmed the first condition and had no mechanism to test the second. A control that does not validate access cannot stop an account takeover. This one did not, and calling it an audit does not change what it failed to check. Whether the account has since been contained is not confirmed.

The mechanism of failure is a trust grant with no expiry. Access to the account was established and treated as valid for the full six weeks, and the state of that access was never re-tested by any control in its path. Under that condition, unauthorized control is not an event that has to survive resistance. It is the default state that holds until something tests it. The failure is the absence of a revalidation control, not the presence of an attacker capability. Attacker capability is not confirmed and is not required to explain the outcome. Absence of validation is sufficient on its own.

The distinction that matters is between what a control measures and what a control enforces. The license audit measured entitlement. Entitlement and legitimacy are independent attributes of the same account. A control that measures one does not enforce the other. Because no control tested legitimacy, legitimacy went untested for six weeks. The account presented as valid to the audit that measured it, and that presentation is consistent with both legitimate and illegitimate control. A signal that cannot separate the two is not a detection signal. The audit received exactly the signal it was built to read, and that signal carried no information about who held the account.

The six-week duration is a measurement of the revalidation interval, not of attacker patience. The window closed when a process finally reached the account, and that process was a license audit that reached it by scope coincidence. Nothing in the design closed it. Whether the window would have closed at all without the audit is not confirmed. What is confirmed is that no access control closed it. The duration is therefore a property of the environment, not a property of the takeover. Six weeks is how long this environment can hold unauthorized control of an account before an unrelated process happens to touch it.

The pattern derived from that mechanism is direct. Any process scoped to measure one attribute of an account will report that account as valid regardless of whether a different attribute has been compromised. Scope defines blindness. A process is blind to every condition it does not test, and being adjacent to the account does not change that. Proximity is not coverage. The license audit was the process that came closest to the compromise and was structurally incapable of registering it, because closeness and capability are not the same property.

The same mechanism appears wherever a check that counts existence is treated as a check that confirms legitimacy. An inventory confirms that a thing is present and accounted for. It does not confirm that the thing is under the control it should be under. When an organization treats an inventory-class control as if it were an access-validation control, it inherits a blind spot the exact size of the difference between those two questions. The compromise does not have to hide inside that difference. It only has to fall in the gap between what was measured and what was assumed to be measured. Here it did, and it stayed there for six weeks.

This exposes a false-coverage condition. A completed audit produces a report, and a report reads as assurance. Assurance over the wrong attribute is worse than no assurance, because it closes the question that should have stayed open. The one process confirmed to have reached the account returned a valid inventory. Valid was accurate for the attribute measured and false for the attribute that mattered. The pattern is that unmeasured attributes do not surface as gaps. They surface as clean results. A clean result on the wrong question is indistinguishable, on paper, from safety.

What must now be true is that access legitimacy is validated as its own control, on its own interval, independent of any license or inventory process. A control that does not test who holds access cannot be counted as access control regardless of what it is named. The license audit is not a security control and must not be recorded as one. Recording it as one reproduces the exact assumption that kept the account open. The requirement is not a better audit. It is a separate control that asks who and whether they should, and that runs whether or not any inventory ever runs.

Identity is the boundary. A boundary checked once and assumed to hold is open for the entire interval between checks. In this environment that interval was six weeks, because that is how long unauthorized control held before the audit surfaced it. Continuous validation is the only condition under which the trust window has a defined maximum. Without it the window has no ceiling, and its length is whatever the next unrelated process happens to be. That is not a control posture. That is a coincidence being counted as one.

The open unknowns are the current exposure and must be treated as active. How the account was taken over is not confirmed. Whether data was accessed is not confirmed. Whether more than one account was involved is not confirmed. Whether the account is now contained is not confirmed. Each is an open condition, not a resolved one, and each stands until a control confirms otherwise. The finding is not that one account was compromised. The finding is that the environment held no control capable of detecting the compromise of an account, and that condition is true for every account it holds until a validation control proves otherwise. If a system allows it, it will happen. This system allowed it for six weeks.

See also: NordVPN for tunneled traffic when operating outside controlled networks.


#ad Contains an affiliate link.

Share

Keep Reading

Stay in the loop

New writing delivered when it's ready. No schedule, no spam.