Yes, identity security is the foundation!
The slightest mistake can offer cybercriminals a pathway inside, even when the doors to your data seem well guarded. The focus is not only keeping hackers out but assuming that they will attack and will eventually make it inside the walls of the fort. It is a hard truth that many companies have had to learn.
In security, we often talk about the importance of a layered defense. But that chain is still only as strong as its weakest link -which is typically people. A quick examination of the news makes it clear that social engineering and compromised credentials remain at the center of many successful attacks against enterprises. Protecting identities and access, particularly in the age of cloud computing and distributed workforces, is as vital as ever. Multifactor authentication (MFA) is often heralded as a defense against unauthorized access, and rightly so. Still, recent breaches have shown that a bit of social engineering can be its undoing.
Imagine the scenario: an account is protected by MFA. Each time an employee authenticates, the person is sent an MFA login approval request. A hacker, armed with that user’s credentials, keeps attempting to log in. As a result, the victim is continually bombarded with MFA approval requests. Perhaps out of a mixture of annoyance or confusion, the user clicks approve. Just like that, the threat actor is in.
The moral of this story is not that MFA is ineffective at reducing risk—it is that defending against today’s attacks requires a comprehensive approach to securing identities.
Push notification attacks
Despite MFA providing an extra hurdle, threat actors are still able to circumvent it through push notification attacks. These threats are also called MFA prompt bombing or fatigue attacks. In these incidents, a threat actor uses a script to attempt to log in to an account over and over. As a result, the victim is essentially spammed with MFA notifications that the attacker hopes will eventually get approved.
These threats can be mitigated by taking different approaches to MFA that add friction to the approval process. For example, having a user enter a passphrase adds a level of security by being less guessable than a password. Succumbing to MFA fatigue is no longer simply clicking a button. Instead, the passphrase would have to be entered. Likewise, techniques such as biometrics or a challenge where the user must enter a number provided in the MFA notification into an app to complete the process add an extra step that could prevent an individual from causing a breach.
Other defensive measures can reduce the risk of these attacks as well. In some scenarios, multiple login attempts were detected, determined to be suspicious due to the volume being sent during a short timeframe, and blocked automatically. Adaptive Access Solutions exist that provide these capabilities. What if an attempt to download or exfiltrate data is uncovered and blocked due to integration between a SIEM solution and data loss prevention technology? These capabilities represent security layers that, when properly stacked on top of each other, provide a cohesive defense that raises the barrier of entry for hackers.
Enforcing the principle of least privilege wraps a further layer of security around your data. The number of privileged accounts should be limited, and those privileged accounts that do exist need to be identified and closely monitored for suspicious activity. Underpinning these capabilities should be a network architecture limiting attackers’ ability to pivot around the network if they get inside. Many organizations are beginning their Zero Trust journey with a focus on just-in-time privileges and zero-standing access. The idea should be to provide all users and services with no more than the necessary amount of access for the time it takes them to accomplish their tasks. The three principles of zero trust – verify explicitly, use least privilege access, and assume a breach will occur – is a key to laying a solid foundation to secure and protect accesses.
Privileged Account Management
Implementing best practices also provides compensating controls. According to reports, the hacker behind one of the recent incidents found the company’s network share that contained some PowerShell scripts. One of these scripts had admin user credentials for the Thycotic privileged access management platform, which was used to extract login secrets for internal services such as Gsuite, AWS, and other internal privileged accounts. While most organizations have the right approach to implement a privileged account management solution, in one incident, the admin account of the privileged account was left in a clear text file. This is poor credential hygiene and underscores the importance of not checking the box of having the tool but using the tool effectively. This must be done by having good security processes which ensure it will not add to the minefield of challenges we already face, as was the case for one of the recent breaches.
Technology and employees will still fall victim to social engineering even when you have all the right technology, and the right processes. Organizations must carefully consider the MFA implementation that works best for their users. Additionally, reinforce that strategy with a mix of security awareness training, and a defense-in-depth approach focused on securing identities and access. Organizations can build a stronger defense system by leveraging identities as the primary control plane to build an efficient and effective cyber strategy – early warning, good isolation, and (when needed) eviction of threat actors. Of course, one of the best ways of protecting passwords is by removing them from the equation. By choosing to take the journey of using making decisions which allow your userbase to use passwords less until you can become Passwordless is by far the most effective way of putting this challenge behind us.
The number of identities that organizations manage is witnessing exponential growth – 98% of organizations experiencing this trend and 84% of organizations (2022 Trends in Securing Digital Identities report) enterprises suffering identity-related breaches between 2021-2022. What is more alarming is that breaches are becoming a norm, but does it mean it should be acceptable?
– Chris Schueler, CEO, Simeio