Sophisticated attackers are regularly relying on identity-centric tactics to target enterprises, but the cybersecurity industry can’t effectively tackle this challenge without first better understanding where different organizations are - and where they are headed - in the process of implementing measures that can help verify the identities of privileged users, said Eric Goldstein, executive assistant director for cybersecurity for the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday.
Over the past few years, the nature of authentication for digital identities has been in flux, and multiple types of multi-factor authentication solutions have been made available, from security keys that are FIDO2-compliant (such as YubiKeys), to app-based authentication that leverages one-time password codes, to the less secure SMS-based two-factor authentication. While there have been studies outlining MFA adoption, Goldstein stressed that more information is still needed - from enterprises and from consumers in the broader public - to understand if things are trending in the right direction, and ultimately, if the levers being deployed are actually working.
“One of the biggest challenges that we face in this space… is to say, ‘how are we doing?’” said Goldstein, speaking at the Identity, Authentication and the Road Ahead event on Thursday put on by The Better Identity Coalition, FIDO Alliance and the Identity Theft Resource Center. “What is the percentage of consumer accounts that today require MFA, period? How many of those require phishing-resistant MFA? How many are using FIDO2 compliant methods? How about on the enterprise - how many admin and privileged users are required to use the right kind of MFA, or how many enterprise users generally?”
Right now, attackers are still regularly finding success in using a variety of identity-centric techniques, with the compromises of Okta, Microsoft and other tech giants in 2022 by the Lapsus$ group one glaring example. Other attackers are still using various methods from credential stuffing up to sophisticated phishing tactics bent on stealing both credentials and MFA prompts.
“Every significant breach that I can think of, that I have been a part of responding to over the past three years, has an identity and authentication component to it,” said Goldstein. “Whether that’s a password spray against an account that wasn’t using MFA, whether it’s some of the MFA fatigue attacks that we’ve seen from groups like Lapsus$, whether it is a more sophisticated attack like the compromise of Microsoft Exchange Online seeking to compromise and forge identity tokens. We are seeing, as the new cyber cliche has it, identity is indeed the new perimeter.”
While Goldstein said the industry has seen “really strong areas of progress” over the past few years, there are still challenges in understanding and implementing the various approaches to authentication. A joint release by CISA and the NSA in October investigated various complexity, usability, policy and adoption challenges as it relates to MFA and outlined how “there is a need for clarity, interoperability, and standardization amongst MFA variations to allow organizations to make value comparisons and to integrate these solutions into their environment.” Goldstein said CISA got its own look at some of these implementation hardships after the Biden administration’s 2021 executive order required federal agencies to adopt MFA practices.
“That’s been a real challenge, and we’ve been dealing with issues like legacy technology, constrained resources and systems compatibility issues - the same issues every organization outside of the government is struggling with,” said Goldstein. “We can do a better job about being transparent about the issues we’re seeing and embarking upon this journey but we have to have the call to action.”
That call to action is for more enterprises to publicly outline their strategy for driving 100 percent FIDO2 or phishing-resistant forms of MFA for customers, privileged users and employees, said Goldstein. The end goal shouldn’t be absolute perfection, but instead to get a deeper understanding of what’s working and what isn’t - both in terms of the protections themselves but also in terms of how these are being adopted and implemented.
“This transition can’t be an issue for the security team, it can’t be an issue for the identity team, it has to be a core business imperative,” said Goldstein. “The more we can focus on driving this evolution, [the more] we’ll get ahead of where we see the attackers already going.”