Lock and Key: Compromised Credentials and Growing Ransomware Threats

The current practice of investing in more and more tools in the wake of a breach creates less visibility into the attack surface.

March 17, 2022

We see the headlines every day – ransomware attacks taking down corporations and organizations. Words like “cyberwar” and “cyber attacks” dominate the news today. Where is all of this leading? Will we have a future without a perpetual cyber crisis? Dave Pasirstein, Chief Product Officer & Head of Engineering at TruU, discusses the need for secure credentials in a world characterized by ransomware attacks. 

The long-term damage from cyber-attacks is well documented and goes far beyond any potential injury to the brand or bottom line. Unfortunately, the current practice of investing in more and more tools in the wake of a breach creates less visibility into the attack surface. Worse, it creates more silos and bolt-on solutions that legacy environments were never designed to support. It creates substantial user friction and damage to the customer journey. And it erodes the efficacy of control, leaving many organizations and their customers exposed. 

Risk, specifically from ransomware, has been steadily rising in every industry sector because of the monetary value of so much confidential data and in part because threat actors know that most companies are ill-equipped to defend against it. Currently, estimates put the average cost of a ransomware attack between $750 thousand and $1.5 million, depending on whether the victim paid the ransom or not. That is a hefty sum for most organizations and potentially cataclysmic for those that are unable to cover the cost of either the ransom payments or the necessary remediation efforts.

Root Causes for the Ransomware Explosion

Ransomware as we know it, with all of its variants, has been targeting organizations around the world for more than a decade, but it’s only in the last couple of years that we’ve seen a veritable explosion of ransomware threats. In the post-Kaseya era, somewhere between 800 and 1500 small to medium-sized companies are believed to have experienced a ransomware compromise through their managed services providers, allowing threat actors to circumvent authentication controls. This underscores the many vulnerabilities in a given organization’s ecosystem that are ripe for exploitation.

There’s little doubt that outdated systems, human mistakes, and insufficient cyber defenses play a role in ransomware’s rise, but bad actors have also become quite adept at launching threats using many attack vectors at once. Email phishing campaigns, software vulnerabilities, and malicious remote access tools are all used to launch these pervasive attacks. Worse, hackers continue to exploit vulnerabilities associated with COVID-19, which led to an increase in phishing attacks of almost 700%. Such evolving threat variants and techniques make it hard for security experts to keep up, while platforms such as ransomware as a service (RaaS) make it easy for anyone – even bad actors with little to no technical skill – to launch ransomware attacks against their victims of choice.

The Downside to Digital Transformation

When a ransomware attack is successful, the damage to customer service, the drain on IT resources, and the high recovery cost can be devastating. Financially motivated cyber criminals have increased their targets since the start of the pandemic, well aware that the anxiety surrounding the spread of COVID would make even typically wary users more susceptible to attack. Threat actors increasingly use APT-style tactics to gain a foothold, then they perform lateral movement and credential theft to exfiltrate data before deploying the ransomware. 

Unfortunately, hackers have found it easy to attack with ransomware because of the rapid adoption of IT for digital transformation and remote work initiatives without attendant increases in security solutions or practitioners. Weak, stolen, or compromised credentials are often the fastest way in because passwords are plentiful and easy to hack. In other words, hackers don’t have to go through the trouble of breaking in when they can log in with stolen passwords and deploy the ransomware with elevated privilege. 81% of data breaches start this way, making passwords the biggest attack vector in the modern enterprise. And even though more than $16 billion was spent on identity and access management (IAM) solutions in 2020, the problem continues to worsen.

Existing multi-factor authentication (MFA) tools are simply insufficient, often only applied to a limited number of systems as a second factor. They may improve a poor security posture for that limited number of systems and against a subset of attacks such as credential stuffing, but they do nothing to prevent phishing, password credential theft, or SIM swaps. They do, however, cause significant user friction and workflow interruption, which hinders their adoption and use. But the push to fully remote workforces and the strain of layoffs, rehires, contractors, and role changes exposed the frailty of homegrown, manual identity governance and paved the way for renewed interest in passwordless solutions.

The Power of Going Passwordless

Successful passwordless deployments must reduce complexity, end fragmented user experiences, and streamline use-case support to drive down cost. To remove the ransomware threat from compromised credentials and support a secure, easy-to-use solution, organizations must eliminate credentials altogether with a fully passwordless experience based on true identity and industry standards like FIDO and FIDO2; deploy continuously validated identity based on behavioral and environmental signals; and create a friction-free user experience.

Security and ease-of-use tradeoffs between biometrics, smartphone as token, or hardware tokens are also important, as is vendor support for operating systems, browsers, and endpoint devices. Importantly, a strong passwordless approach must still support an overall MFA strategy with a means for risk-based, step-up authentication that takes into account the need to secure access to apps built to support only passwords. But at the end of the day, if we want to better protect ourselves and our customers from the devastating effects of ransomware, we need to eliminate the threat of compromised credentials, and continuous passwordless authentication is the fastest, most viable route to success.
