
TLCTC Control Matrices: #4 Identity Theft

A detailed breakdown of controls to prevent, detect, and recover from identity theft across legacy, federated, cryptographic, and machine identities.

Oct 24, 2025

Context & Definitions

In the TLCTC framework, #4 Identity Theft is strictly defined as the use of stolen credentials to impersonate a legitimate identity. How the credentials were obtained belongs to another cluster: #9 Social Engineering (phishing), #7 Malware (keyloggers, infostealers) or #2 Exploiting Server (e.g., SQL injection against a credential store).

The controls below therefore focus on preventing a stolen credential from being used, detecting its misuse, and limiting the impact once it has been compromised.

Type A: Knowledge-Based & Legacy OTP (Phishable Credentials)

Scope: Passwords, PINs, Recovery Codes, SMS OTPs, Email Magic Links, Software TOTP (Authenticator Apps).

Primary Vulnerabilities

  • All rely on a shared secret the user knows and can therefore disclose: it can be phished (#9), intercepted in transit (#5), or read from the endpoint (#7).
  • Dynamic codes (OTP) only shorten the window: a real-time phishing proxy relays the code to the real service within its validity period.

Typical Preceding Attack Paths

graph LR
    A[#9 Phishing] -->|Tricked User| B[#4 Identity Theft]
    C[#9 Phishing] -->|Proxy Site| D[#5 MitM] -->|Intercept OTP| B
    E[#9 Phishing Telco] -->|SIM Swap| B
    F[#7 Malware] -->|Keylogger| B
    G[#4 Password Known] -->|MFA Fatigue| H[#1 Abuse of Function] -->|Fatigue| B
    style B fill:#f9f9f9,stroke:#333,stroke-width:2px

CWE & MITRE Alignment

CWE

  • CWE-521: Weak Password Requirements
  • CWE-307: Improper Restriction of Excessive Authentication Attempts
  • CWE-256: Plaintext Storage of a Password (formerly "Unprotected Storage of Credentials")

MITRE ATT&CK

  • T1078: Valid Accounts (the #4 definition itself)
  • T1110: Brute Force
  • T1621: Multi-Factor Authentication Request Generation (MFA fatigue)

Control Matrix: Type A

Columns: IDENTIFY / PROTECT / DETECT / RESPOND / RECOVER

Local Controls (Asset/App Level)
  IDENTIFY: • Inventory of local admin accounts. • Scan for default passwords in configs. • Identify users with SMS fallback enabled.
  PROTECT: • Disallow credential caching. • Enforce "Number Matching". • Disable SMS for Admin Accounts. • Account Lockout Policies (velocity checks).
  DETECT: • Log failed login attempts (Event ID analysis).
  RESPOND: • Force session termination. • Application-level account suspension.
  RECOVER: • Verify integrity of data accessed during the window of compromise.

Umbrella Controls (Org/IAM Level)
  IDENTIFY: • Threat Intel: Dark Web Monitoring for leaked credential pairs. • Threat Intel: Monitoring Stealer Logs. • Enterprise Directory auditing.
  PROTECT: • Migration to FIDO2/Passkeys. • MFA Rate Limiting. • Conditional Access Policies.
  DETECT: • MFA Fatigue Detection (>3 denied pushes). • AiTM Detection (Impossible travel between Password & OTP). • SIEM correlation: #9 + #4. • Alert on login at unusual times/locations. • SIM Swap Check.
  RESPOND: • Global Password Reset / Account Disable. • Block User at IdP Level. • Isolate user device via EDR.
  RECOVER: • Identity Proofing process (Video/Gov ID) for recovery. • Post-incident rotation.
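The two DETECT rows above that need logic rather than a product setting are MFA fatigue and AiTM. What follows is an added example, not part of the original matrix or the TLCTC project, that runs both checks over a handful of constructed authentication events; the log format, the 10-minute window and the source IPs are assumptions. The AiTM check implements the matrix's "impossible travel between password and OTP" literally, as a change of source IP between the two steps of one login. A proxy that relays both factors shows the IdP a single unfamiliar IP for the whole login instead, which is why the matrix pairs this check with the unusual-location alert.

```python
"""Detection logic for two Type A signals from the matrix: MFA fatigue
(more than 3 denied pushes, then an approval) and AiTM relay (password and
OTP steps of one login from different source IPs). Added example; the log
format, thresholds and IPs below are constructed, not a vendor schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, user, step, result, source IP.
# step: password (first factor) | otp (typed code) | push (MFA prompt)
SAMPLE_LOG = """\
2025-10-24T08:00:01Z alice password success 203.0.113.10
2025-10-24T08:00:04Z alice otp success 203.0.113.10
2025-10-24T09:12:00Z bob password success 198.51.100.7
2025-10-24T09:12:05Z bob otp success 192.0.2.44
2025-10-24T22:01:00Z carol push denied 198.51.100.9
2025-10-24T22:01:30Z carol push denied 198.51.100.9
2025-10-24T22:02:10Z carol push denied 198.51.100.9
2025-10-24T22:02:50Z carol push denied 198.51.100.9
2025-10-24T22:03:20Z carol push approved 198.51.100.9
"""

MFA_FATIGUE_THRESHOLD = 3            # alert once denied pushes exceed this
MFA_FATIGUE_WINDOW = timedelta(minutes=10)
AITM_WINDOW = timedelta(minutes=5)   # max gap between password and OTP steps


def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, user, step, result, ip = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "step": step, "result": result, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_fatigue(events):
    """Per user, count denied pushes inside a sliding window; once the count
    exceeds the threshold, report it and record whether an approval followed,
    which is the T1621 outcome the attacker is after."""
    alerts = {}
    denied = defaultdict(list)
    for e in events:
        if e["step"] != "push":
            continue
        window = denied[e["user"]]
        if e["result"] == "denied":
            window.append(e["ts"])
        # drop denials that have aged out of the window
        window[:] = [t for t in window if e["ts"] - t <= MFA_FATIGUE_WINDOW]
        if len(window) > MFA_FATIGUE_THRESHOLD:
            alerts[e["user"]] = {"denied": len(window),
                                 "approved_after": e["result"] == "approved"}
    return alerts


def detect_aitm(events):
    """A password step and the OTP step that completes it should come from
    the same client. Different IPs inside the window is the signature of a
    proxy site relaying the victim's input to the real IdP (#9 -> #5 -> #4).
    A production rule would compare ASN or geolocation rather than raw IPs."""
    alerts = {}
    last_password = {}
    for e in events:
        if e["step"] == "password" and e["result"] == "success":
            last_password[e["user"]] = e
        elif e["step"] == "otp":
            pw = last_password.get(e["user"])
            if pw and e["ts"] - pw["ts"] <= AITM_WINDOW and pw["ip"] != e["ip"]:
                alerts[e["user"]] = {"password_ip": pw["ip"], "otp_ip": e["ip"]}
    return alerts


def run(text=SAMPLE_LOG):
    events = parse_events(text)
    return {"mfa_fatigue": detect_mfa_fatigue(events), "aitm": detect_aitm(events)}


if __name__ == "__main__":
    for signal, hits in run().items():
        print(signal, hits or "no hits")
```

On the sample data the fatigue rule fires for carol (four denials followed by an approval) and the AiTM rule fires for bob (password from one address, OTP from another); alice, whose two steps share an IP, produces nothing.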

Type B: Delegated & Federated (OAuth2 / OIDC)

Scope: Access Tokens, Refresh Tokens, OIDC ID Tokens.

Context: The IdP (Identity Provider) is often the system being abused to mint tokens, so the token presented to the resource server is genuine; the controls have to constrain what a valid token can do, from where, and for how long.

Typical Preceding Attack Paths

graph LR
    A[#9 Phishing] -->|Fake Consent| B[#4 Identity Theft]
    C[#7 Malware] -->|Token Theft| B
    D[#4 Type A] -->|MFA Bombing| E[#1 Abuse] -->|Mint Token| B
    F[#9 Phishing] -->|AiTM Proxy| G[#5 MitM] -->|Steal Token| B
    style B fill:#f9f9f9,stroke:#333,stroke-width:2px

CWE & MITRE Alignment

  • CWE-613: Insufficient Session Expiration (over-long access or refresh tokens).
  • CWE-287: Improper Authentication (delegation failures, e.g., accepting a token minted for another audience).
  • CWE-347: Improper Verification of Cryptographic Signature (JWT signature not checked, or the algorithm taken from the token header).
  • MITRE T1550.001: Use Alternate Authentication Material: Application Access Token.

Control Matrix: Type B

Columns: IDENTIFY / PROTECT / DETECT / RESPOND / RECOVER

Local Controls (Asset/App Level)
  IDENTIFY: • Review connected apps/extensions. • Audit unused OAuth grants.
  PROTECT: • Short-lived Access Tokens. • Validate 'aud' and 'iss' strictly. • Use PKCE. • Token Binding (DPoP / mTLS).
  DETECT: • Detect concurrent use of same token from different IPs. • Validate token signature on every request.
  RESPOND: • Reject specific token IDs (JTI blacklist).
  RECOVER: • Rotate client secrets for the application.

Umbrella Controls (Org/IAM Level)
  IDENTIFY: • Threat Intel: Monitor for malicious OAuth apps. • CASB discovery. • Inventory of IdP trusts.
  PROTECT: • Risk-Based Auth (Step-up). • MFA Cooling Period. • Restrict consent to high-impact scopes.
  DETECT: • Anomalous Token Activity ("Pass-the-Token"). • Authentication Velocity monitoring.
  RESPOND: • Revoke App Permissions. • Revoke Refresh Tokens globally.
  RECOVER: • Re-authorize critical apps.
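Several rows of the local matrix (strict iss/aud, signature on every request, short-lived tokens, the JTI blacklist, PKCE) are checks a resource server or authorization server performs in code, and the order they run in matters. The block below is an added example, not code from the page or from any IdP. It uses HS256 with a shared secret so that it runs on the Python standard library alone; real IdP tokens are normally RS256/ES256 and verified against the IdP's published keys (JWKS), but the sequence of checks is the same. The issuer, audience and 300-second lifetime are assumed values.

```python
"""Strict validation of a bearer token on every request: pinned algorithm,
signature before any claim is trusted, exact iss/aud, short lifetime and a
JTI deny-list for revoked tokens, plus the PKCE S256 pairing from the
PROTECT column. Added example, not the framework's code. HS256 with a
shared secret keeps it standard-library only; the issuer, audience and
lifetime are assumptions."""
import base64, hashlib, hmac, json, secrets, time

SECRET = b"demo-shared-secret-not-for-production"   # constructed
EXPECTED_ISS = "https://idp.example.test"           # assumed issuer
EXPECTED_AUD = "api://orders"                        # assumed audience
MAX_LIFETIME = 300                                   # seconds (short-lived tokens)
REVOKED_JTI = set()                                  # the matrix's JTI blacklist


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims, alg="HS256"):
    """Stand-in for the IdP. 'alg' is a parameter only so a caller can
    produce a token whose header advertises a different algorithm."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate(token, now=None):
    """Return the claims, or raise ValueError naming the first failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # 1. The verifier, not the token header, decides the algorithm (CWE-347).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # 2. Signature before any claim is read, compared in constant time.
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    # 3. Exact issuer and audience: a token minted for another API is not ours.
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong iss")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong aud")
    # 4. Lifetime: expired, or issued for longer than policy allows (CWE-613).
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or not isinstance(iat, (int, float)):
        raise ValueError("missing exp/iat")
    if now >= exp:
        raise ValueError("expired")
    if exp - iat > MAX_LIFETIME:
        raise ValueError("lifetime too long")
    # 5. Per-token revocation (RESPOND column).
    if claims.get("jti") in REVOKED_JTI:
        raise ValueError("revoked jti")
    return claims


def check(token, now=None):
    """'ok' or the failure reason; the reason is what goes in the audit log."""
    try:
        validate(token, now)
        return "ok"
    except ValueError as exc:          # binascii and JSON errors are ValueErrors too
        return str(exc)


def revoke(jti):
    REVOKED_JTI.add(jti)


def pkce_pair():
    """Client side: random verifier and its S256 challenge (RFC 7636)."""
    verifier = secrets.token_urlsafe(32)
    return verifier, _b64url(hashlib.sha256(verifier.encode()).digest())


def pkce_verify(verifier, challenge):
    """Authorization server side, at the token endpoint: the verifier sent
    with the code must hash to the challenge sent with the authorization request."""
    return hmac.compare_digest(_b64url(hashlib.sha256(verifier.encode()).digest()), challenge)
```

The signature is checked before a single claim is parsed, so an attacker who controls the payload cannot steer the verifier through claim handling with unsigned data; the `alg` pin is what stops the `none` and key-confusion variants of CWE-347.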

Type C: Possession/Cryptographic (PKI / Smartcard / FIDO)

Scope: X.509 Certificates, Smartcards, YubiKeys, TPM-backed certs, FIDO2/WebAuthn.

Typical Preceding Attack Paths

graph LR
    A[#8 Physical Attack] -->|Theft of Device| B[#4 Identity Theft]
    C[#7 Malware] -->|Piggybacking Driver| B
    D[#10 Supply Chain] -->|Compromised CA| B
    style B fill:#f9f9f9,stroke:#333,stroke-width:2px

Control Matrix: Type C

Columns: IDENTIFY / PROTECT / DETECT / RESPOND / RECOVER

Local Controls (Asset/App Level)
  IDENTIFY: • Map certificates to specific user accounts. • Audit expiration dates.
  PROTECT: • PIN/Biometric protection for key usage. • Certificate Pinning. • Auto-lock on card removal.
  DETECT: • Alert on certificate usage from unauthorized endpoints. • Detect multiple failures of PIN entry.
  RESPOND: • Block specific certificate serial numbers (Local blacklist).
  RECOVER: • Re-establish local trust stores.

Umbrella Controls (Org/IAM Level)
  IDENTIFY: • Threat Intel: Monitor Underground Markets. • Inventory of issued physical tokens. • PKI Infrastructure management.
  PROTECT: • CRL/OCSP checks (Strict). • HSM for high-value keys. • Short-lived certificates.
  DETECT: • Alert on certificate issuance anomalies. • Detect impossible travel between card usage locations.
  RESPOND: • Revoke Certificate (Publish to CRL). • Suspend user account linked to the cert.
  RECOVER: • Physical re-issuance of Smartcard/Token. • Key ceremony for high-level assets.

Type D: Session Artifacts (Post-Auth)

Scope: Session Cookies (e.g., PHPSESSID, JSESSIONID), JWTs in LocalStorage.

Context: "Session Hijacking" is a specific #4 sub-threat.

Typical Preceding Attack Paths

graph LR
    A[#3 Client Exploit] -->|XSS Steals Cookie| B[#4 Identity Theft]
    C[#5 MitM] -->|Intercept Cookie| B
    D[#7 Malware] -->|Stealer Log Exfiltration| B
    E[#1 Abuse] -->|Session Fixation| F[#9 Social Eng] --> B
    style B fill:#f9f9f9,stroke:#333,stroke-width:2px

Control Matrix: Type D

Columns: IDENTIFY / PROTECT / DETECT / RESPOND / RECOVER

Local Controls (Asset/App Level)
  IDENTIFY: • Session ID entropy analysis. • Audit session storage.
  PROTECT: • Secure Flags: HttpOnly, Secure, SameSite. • Session Rotation after login. • Idle Timeouts.
  DETECT: • User-Agent/IP Mismatch detection. • Concurrent login detection.
  RESPOND: • "Log out all other sessions" functionality. • Invalidate specific Session ID.
  RECOVER: • Force re-authentication.

Umbrella Controls (Org/IAM Level)
  IDENTIFY: • Threat Intel: Automated scanning of Stealer Log markets. • Centralized session logging.
  PROTECT: • TLS 1.3 (mitigates #5). • WAF (cookie tampering).
  DETECT: • Anomaly detection on session duration. • Detect replay of expired tokens.
  RESPOND: • Global session revocation for the user ID.
  RECOVER: • Forensic analysis of actions taken during hijacked session.
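The local-controls row for session artifacts maps onto a small amount of server-side code. The following is an added example (not the page's code and not any framework's) that implements the Set-Cookie hardening, session ID rotation at login, the idle timeout, device binding with mismatch detection, and both per-session and global revocation. The in-memory dictionary stands in for a real session store, the 15-minute idle limit is an assumption, and timestamps are Unix seconds supplied by the caller so the behaviour is deterministic.

```python
"""Type D controls as working code: high-entropy session IDs, hardened
Set-Cookie attributes, ID rotation at login, idle timeout, device binding
with mismatch detection, and per-session plus global revocation. Added
example; the dict stands in for a server-side session store, times are Unix
seconds passed by the caller, and the 15-minute idle limit is an assumption."""
import hashlib
import secrets

IDLE_TIMEOUT = 15 * 60
COOKIE_NAME = "SESSIONID"


def set_cookie_header(session_id, max_age=IDLE_TIMEOUT):
    """HttpOnly keeps script (XSS, #3) from reading the cookie, Secure keeps
    it off plaintext HTTP (#5), SameSite=Strict stops cross-site sends, and
    the __Host- prefix makes the browser enforce Secure, Path=/ and no Domain."""
    return (f"__Host-{COOKIE_NAME}={session_id}; Path=/; Secure; HttpOnly; "
            f"SameSite=Strict; Max-Age={max_age}")


class SessionStore:
    def __init__(self):
        self._sessions = {}   # sid -> {"user", "device", "last_seen"}

    @staticmethod
    def fingerprint(user_agent, ip):
        # Binding to the exact IP is strict; see the note after the block.
        return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()

    def create(self, user_agent, ip, now, user=None):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user, "last_seen": now,
                               "device": self.fingerprint(user_agent, ip)}
        return sid

    def login(self, pre_auth_sid, user, user_agent, ip, now):
        """Rotate the ID at the privilege change: an ID planted by session
        fixation before login never becomes an authenticated session."""
        self._sessions.pop(pre_auth_sid, None)
        return self.create(user_agent, ip, now, user=user)

    def validate(self, sid, user_agent, ip, now):
        """Return (user, 'ok') or (None, reason). A timeout or device
        mismatch destroys the session so a stolen cookie cannot be retried."""
        s = self._sessions.get(sid)
        if s is None:
            return None, "unknown"
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None, "idle_timeout"
        if s["device"] != self.fingerprint(user_agent, ip):
            del self._sessions[sid]
            return None, "device_mismatch"
        s["last_seen"] = now
        return s["user"], "ok"

    def invalidate(self, sid):
        """RESPOND: invalidate one specific session ID."""
        return self._sessions.pop(sid, None) is not None

    def logout_others(self, keep_sid):
        """The 'log out all other sessions' button."""
        user = self._sessions[keep_sid]["user"]
        return self._drop(lambda k, s: s["user"] == user and k != keep_sid)

    def revoke_user(self, user):
        """Umbrella RESPOND control: global revocation for one user ID."""
        return self._drop(lambda k, s: s["user"] == user)

    def active_sessions(self, user):
        return sum(1 for s in self._sessions.values() if s["user"] == user)

    def _drop(self, predicate):
        victims = [k for k, s in self._sessions.items() if predicate(k, s)]
        for k in victims:
            del self._sessions[k]
        return len(victims)
```

Binding to the client IP is deliberately strict here. For populations whose addresses rotate (mobile carriers, corporate egress pools), bind to the User-Agent only or to a network prefix, and raise the mismatch as an alert for the DETECT row rather than killing the session outright, or the control turns into a self-inflicted denial of service.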

Type E: Machine Identities (Non-Human)

Scope: API Keys, Service Accounts, SSH Keys, AWS Access Keys.

Primary Vulnerability: long-lived static secrets with no second factor, hardcoded in code, configuration or CI variables.

Typical Preceding Attack Paths

graph LR
    A[#1 Repo Access] -->|Hardcoded Key| B[#4 Identity Theft]
    C[#10 Supply Chain] -->|Dev Leak| B
    D[#2 Server Exploit] -->|RCE/Env Vars| B
    E[#7 Endpoint Comp] -->|Steal SSH Key| B
    style B fill:#f9f9f9,stroke:#333,stroke-width:2px

Control Matrix: Type E

Columns: IDENTIFY / PROTECT / DETECT / RESPOND / RECOVER

Local Controls (Asset/App Level)
  IDENTIFY: • Scan code repositories for hardcoded secrets (Pre-commit). • Inventory of service accounts.
  PROTECT: • IP Allow Lists for API keys. • Least Privilege scoping. • No interactive login rights.
  DETECT: • Alert on API key usage from new IP/UA. • Volume spikes (potential #6).
  RESPOND: • Disable API Key immediately.
  RECOVER: • Redeploy application with new secrets. • Check for persistence mechanisms.

Umbrella Controls (Org/IAM Level)
  IDENTIFY: • Threat Intel: Public GitHub scanning for org secrets. • Secrets Management Vault. • CMDB alignment.
  PROTECT: • Automated Rotation. • Workload Identity Federation.
  DETECT: • Monitoring for usage outside maintenance windows. • Honeytokens.
  RESPOND: • Revoke Service Principal. • Trigger automated key rollover.
  RECOVER: • Root cause analysis: How did the key leak?
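The first IDENTIFY control, scanning repositories for hardcoded secrets before they are committed, is worth seeing as code because the hard part is not the regexes but what they miss. The block below is an added example, not the page's code and not any particular scanner: it combines prefix patterns for well-known key formats with a Shannon-entropy rule, so values without a distinctive prefix (an AWS secret access key, for instance) are still caught. The sample repository contents are constructed; the two AWS values are the credentials AWS documents as examples, and the thresholds and the allowlist pragma are assumptions.

```python
"""Pre-commit secret scanner for the IDENTIFY column of Type E: known key
formats by regex, then a Shannon-entropy rule for generic assignments so
keys without a distinctive prefix are still caught. Added example; the sample
repository contents are constructed (the AWS values are AWS's documented
example credentials) and the thresholds and pragma are assumptions."""
import math
import re
from collections import Counter

RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("slack_token", re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
# name = "value" where the name smells like a secret and the value is long
ASSIGNMENT = re.compile(
    r"(?i)\w*(?:secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]")
PLACEHOLDERS = ("changeme", "placeholder", "xxxx", "<", "${", "your-", "todo")

# Constructed sample repository: {path: file content}
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'DB_PASSWORD = "changeme-please-rotate"\n'
        'SIGNING_SECRET = "test-fixture-0123456789abcdef"  # pragma: allowlist secret\n'
    ),
    "deploy/NOTES.md": "Bot token in CI: ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8 (rotate quarterly)\n",
    "deploy/old_key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedfakebody\n-----END RSA PRIVATE KEY-----\n",
    "src/client.py": 'API_KEY = os.environ["API_KEY"]  # read at runtime, nothing to flag\n',
}


def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(value):
    """Hex has only 16 symbols, so its entropy ceiling is 4 bits/char; use a
    lower bar for hex-looking values than for base64-like ones."""
    threshold = 3.0 if re.fullmatch(r"[0-9a-fA-F]+", value) else 4.0
    return shannon_entropy(value) >= threshold


def scan_text(text, path="<stdin>"):
    """Return (path, line number, rule, matched value) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "pragma: allowlist secret" in line:   # explicit, reviewable exception
            continue
        for name, rx in RULES:
            for m in rx.finditer(line):
                findings.append((path, lineno, name, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            if any(p in value.lower() for p in PLACEHOLDERS):
                continue
            if looks_random(value):
                findings.append((path, lineno, "high_entropy_assignment", value))
    return findings


def precommit(files):
    """files: {path: content}. Exit status 1 blocks the commit, as a
    pre-commit hook would; the findings are what the developer sees."""
    findings = [f for path, content in files.items() for f in scan_text(content, path)]
    return (1 if findings else 0), findings


if __name__ == "__main__":
    status, hits = precommit(SAMPLE_FILES)
    for path, lineno, rule, value in hits:
        print(f"{path}:{lineno}: {rule}: {value}")
    raise SystemExit(status)
```

The secret access key on line 2 of the settings file has no recognizable prefix and is caught only by the entropy rule; the placeholder password and the pragma-marked test fixture are skipped, and the runtime `os.environ` lookup is exactly what the PROTECT and Umbrella rows (vault, workload identity federation) push developers towards, so it produces no finding.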