There were so many topics CISOs pulled the curtain back on regarding current team struggles, challenges and concerns that we had to break them down into a two-part blog set. In our blog, We Asked, They Answered: Hot Topics CISOs are Concerned About, we discussed malware, the growing attack surface, and how automation benefits SOC teams. Here, we dig into current and ongoing concerns such as authentication methods and ransomware defense vs. response, and offer three key actions security teams and leaders can take now to protect their organizations.
Evolving Authentication Methods Create New Threats
Multi-factor authentication (MFA) was a hot topic in our discussions with CISOs, though it presents challenges of its own. While they recognize the importance of MFA, they also shared that it can be difficult to implement and creates perceived friction for users who get frustrated with additional authentication steps. And while MFA is a necessary layer of defense, it is not infallible: MFA prompt bombing and session hijacking using stolen session cookies exfiltrated by infostealer malware are just two ways bad actors bypass MFA and gain illegitimate access to your network. Once a valid session cookie lands in the wrong hands, the MFA step it was meant to enforce has already been satisfied and provides no further protection.
With the realization that MFA still has room for improvement, new authentication methods such as passwordless options like passkeys sound intriguing, but they present challenges and gaps of their own.
In our recent three-part blog series on the passwordless future, we discuss the security risks that come with these new advancements. While passwordless authentication options are gaining traction, the inherent risks they bring cannot be ignored. For example, session hijacking is one form of cybercrime enterprises can't underestimate: using web session cookies exfiltrated by infostealers, criminals can bypass any strong authentication method, whether username and password, MFA, or passkey, because the cookie represents a session in which that authentication has already completed. And while passkeys are garnering more attention and usage, they are not immune to compromise, and session hijacking can still render them irrelevant. As security teams research and implement passwordless options with the intent to enhance organizational and individual security, they still need to be aware of the critical threat session hijacking poses as passwordless options and passkeys grow in popularity.
The bottom line: as more ways to authenticate identity are developed, bad actors will find more ways to exploit and bypass them, however well-intentioned those new methods are.
Proactive Ransomware Defense vs. Complacent Ransomware Response
Something we heard all too often is that CISOs now perceive ransomware as inevitable, so their focus is on how to minimize impact when an attack happens rather than proactively preventing an attack. This insight made us do a double-take, because quite frankly it doesn’t have to be that way.
In our discussions with security executives, we found it disheartening that they have become so focused on the response component of an attack rather than taking steps to actually prevent a costly cyber attack. The consensus seems to be that getting ahead of the bad guys is a challenge, so minimizing the impact of an attack is the preferred focus.
CISOs actually can prevent ransomware attacks by focusing on cutting off the entry points that are being exploited now. By fully and immediately remediating credential and cookie exposures for critical workforce applications affected by an infostealer malware infection, businesses can shut down the entry points ransomware operators rely on.
A Call To Arms
One thing's for certain after these recent interactions with CISOs: they need a layered, complementary approach to security that reduces complexity rather than adding to it, an "Ecosystem of Response" if you will, as one CISO coined it. Security leaders are prioritizing getting the most out of the tools their SecOps teams already have, both through automation and through documented processes for how those tools are used. With the proper automated tools and processes in place, and visibility into the ever-growing attack surface, CISOs and their teams can take a proactive approach to cyberattacks rather than relying on reactive strategies.
To further support this effort to build and sustain stronger processes and use resources effectively, we have outlined three actions any security leader or practitioner can take to make an immediate impact on their overall security: responding properly to malware infections, and mitigating cybercrime such as ransomware through prevention and preparedness.
Enhance existing incident response playbooks and protocols to properly remediate malware-infected devices through automated workflows.
When a malware infection is identified, think beyond the machine-focused remediation of wiping and reimaging the device. Consider the identity data that may have been exfiltrated, and ensure compromised passwords are automatically reset and active web sessions are invalidated. Need more insight? Download SpyCloud's Post-Infection Remediation Guide, which outlines actionable steps you can take to visualize the full threat of a malware infection and minimize the risk that data exposed by this threat can pose to your organization.
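As an added illustration of the playbook step above (example code written for this post, not SpyCloud's product or the guide's own tooling), the planner below takes constructed infostealer exposure records for one infected device and produces the identity-level actions that a wipe-and-reimage alone would miss: a password reset for each exposed credential and a session invalidation for each stolen cookie that is still valid, with critical workforce applications handled first. The `Exposure` schema, device name and application names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

@dataclass
class Exposure:
    """One infostealer-exposed artifact tied to a user and an application (constructed schema)."""
    user: str
    app: str
    credential_exposed: bool
    cookie_exposed: bool
    cookie_expires: Optional[datetime]  # when the stolen session cookie would lapse, if known
    app_is_critical: bool               # SSO, VPN, email and similar workforce apps

def plan_remediation(device_id: str, exposures: List[Exposure], now: datetime) -> List[Tuple[str, ...]]:
    """Return remediation actions for one infected device, critical apps first.

    The device step is kept, but the identity steps are what actually close the
    ransomware entry point: a password reset for every exposed credential and a
    session invalidation for every stolen cookie that is still valid.
    """
    actions: List[Tuple[str, ...]] = [("reimage_device", device_id)]
    for e in sorted(exposures, key=lambda x: not x.app_is_critical):  # stable: critical apps first
        if e.credential_exposed:
            actions.append(("reset_password", e.user, e.app))
        if e.cookie_exposed and (e.cookie_expires is None or e.cookie_expires > now):
            # A copied cookie survives a wipe of the endpoint and lets its holder
            # skip MFA or passkeys, so the server-side session must be revoked.
            actions.append(("invalidate_sessions", e.user, e.app))
    return actions

def sample_plan() -> List[Tuple[str, ...]]:
    """Run the planner on constructed exposure records for one infected laptop."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    exposures = [
        Exposure("alice", "wiki", False, True, now - timedelta(days=1), False),  # cookie already expired
        Exposure("alice", "sso", True, True, now + timedelta(days=7), True),     # critical app, cookie still valid
        Exposure("alice", "crm", True, False, None, False),                      # password only
    ]
    return plan_remediation("LAPTOP-EXAMPLE-01", exposures, now)

if __name__ == "__main__":
    for action in sample_plan():
        print(*action)
```

In a real workflow the returned actions would be dispatched to the identity provider and application APIs; the expired wiki cookie produces no action because it can no longer be replayed.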