Passwords Get a Bad Rep for a Good Reason
In the past year, MFA has become table stakes. SpyCloud’s recent 2022 Ransomware Defense Report found that 96% of organizations have adopted or planned to implement this measure, compared to only 56% in the previous year’s survey. Additionally, we learned that there were increases across credential monitoring and password practices as well since last year:
73% of organizations monitor for compromised employee credentials (vs. 44% in 2021)
49% monitor for compromised partner and supplier credentials (vs. 28% in 2021)
78% have password complexity requirements (vs. 59% in 2021)
These trends indicate an acknowledgment that password security is still a growing problem, and SpyCloud data shows just how big a problem it is. Every year, our researchers recapture millions of exposed credential pairs (username and password combinations) from the darknet. In 2021 alone, the number reached 1.7 billion, a 15% increase from the previous year’s 1.48 billion.
Employees’ rampant reuse of passwords exacerbates the risks stemming from exposed credentials. In 2021, we discovered a 64% password reuse rate for users with more than one password exposed in the past year (up 4 pts from the prior year despite the cacophony of media articles on this very topic). This risky behavior makes passwords just a tiny bump in the road for cybercriminals trying to get inside your organization.
Considering the magnitude of the password problem, it’s encouraging to see that more organizations recognize the need to protect employee identities and are looking for ways to enhance defenses around passwords.
What About Passwordless?
Understandably, the security industry has been talking about doing away with passwords altogether. Lately, biometrics and passwordless authentication have been in the news – especially with the introduction of passkeys, an alternative to the traditional password, by Apple and Google. While this new authentication practice shows a lot of promise for securing identities, it doesn’t completely solve the password problem either.
In practice, passwordless authentication mechanisms fall back to a password if, say, the device the person uses as the “authenticator” is lost or stolen. In addition, some passwordless deployments still require MFA for added security, with a password serving as one of the factors. In other words, passwordless authentication is rarely password-free after all.
As far as new security technologies go, passkeys are a positive development. But it won’t take long for cybercriminals to start stealing and trading passkeys on the darknet as they do with other types of credentials.
MFA a Bigger Target than Ever
For all the talk about MFA as a core control for better security, it still has weaknesses. Our survey of more than 300 IT security leaders found that 77% of organizations have MFA in place and 51% reported that their MFA was already in “good shape,” yet criminals have found ways to get around this defense layer.
Attacks in which malicious actors circumvent MFA rarely make headlines. But for every highly publicized attack, there are numerous others happening behind the scenes.
Okta researchers found that MFA attacks are up significantly from last year and are “far exceeding levels seen in 2020.” Just in the first three months of 2022, Okta’s network logged about 113 million attacks that targeted bypassing MFA.
There are a number of ways to circumvent MFA, but one of the most effective is session hijacking. Once a user has completed login, including the MFA step, the server issues a session cookie that the browser stores and sends with every subsequent request; as long as that cookie is valid, the server does not repeat the password or MFA check. Attackers obtain the cookie with information-stealing malware (a.k.a. infostealers), man-in-the-middle attacks, or social engineering (using basic human behavior to trick a person into clicking on a malicious link), then present it from their own machine. The stolen cookie bypasses MFA because the server only sees a valid session token and treats the attacker’s connection as a continuation of the already-authenticated session.
With that stolen web session cookie in hand, the attacker can perform the same actions as the legitimate user, which could be anything from accessing your company’s data to gaining access to critical applications. As far as the server is concerned, the original user is going about business as usual — the attacker’s identity is indistinguishable from the authorized identity.
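To make the mechanism above concrete, here is an added example (written for this article, not SpyCloud’s or any vendor’s code). A toy backend verifies the password and OTP once at login and afterwards authorizes requests by cookie alone, so a copied cookie is accepted without any second factor. The second half is the kind of detection a SOC can run over web access logs: the same session id appearing from two different client (IP, user-agent) pairs within a short window. The log format, session ids and IP addresses are constructed for the example, and the cookie is logged only as a truncated hash.

```python
"""Stolen session cookie vs. MFA: a toy server plus a cookie-reuse detection."""
import hashlib
import secrets
import shlex
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Session:
    user: str
    issued_at: float
    ttl: float = 8 * 3600  # "remember this device"-style lifetime, in seconds


class SessionServer:
    """MFA is verified at login only; every later request is authorized by cookie alone."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def login(self, user: str, password_ok: bool, otp_ok: bool, now: float) -> Optional[str]:
        if not (password_ok and otp_ok):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(user, now)
        return cookie

    def authorize(self, cookie: str, now: float) -> Optional[str]:
        """Return the user the request acts as, or None.
        Nothing ties the cookie to the browser that passed MFA, so a cookie
        lifted by an infostealer is as good as the original."""
        s = self.sessions.get(cookie)
        if s is None or now - s.issued_at > s.ttl:
            self.sessions.pop(cookie, None)
            return None
        return s.user


def cookie_id(cookie: str) -> str:
    """Log a truncated hash of the cookie, never the cookie value itself."""
    return hashlib.sha256(cookie.encode()).hexdigest()[:16]


@dataclass(frozen=True)
class Access:
    ts: float
    sid: str
    ip: str
    ua: str


def parse_access(line: str) -> Access:
    """Parse one constructed log line: ISO timestamp followed by key=value fields."""
    ts_text, *fields = shlex.split(line)
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00")).timestamp()
    return Access(ts, kv["sid"], kv["ip"], kv["ua"])


def detect_session_reuse(accesses: list, window: float = 900) -> dict:
    """Map session id -> set of (ip, ua) clients, for sessions seen from more
    than one client within `window` seconds (a replayed cookie)."""
    by_sid = defaultdict(list)
    for a in accesses:
        by_sid[a.sid].append(a)
    alerts: dict = {}
    for sid, seen in by_sid.items():
        seen.sort(key=lambda a: a.ts)
        recent: dict = {}  # (ip, ua) -> last time seen
        for a in seen:
            recent = {k: t for k, t in recent.items() if a.ts - t <= window}
            recent[(a.ip, a.ua)] = a.ts
            if len(recent) > 1:
                alerts.setdefault(sid, set()).update(recent)
    return alerts


# Constructed access log: one legitimate session replayed from a second host.
WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
LNX = "Mozilla/5.0 (X11; Linux x86_64)"
SAMPLE_LOG = f"""
2022-09-14T10:00:00Z sid=3f2a9c1e77b04d68 ip=203.0.113.10 ua="{WIN}" path=/login
2022-09-14T10:01:12Z sid=3f2a9c1e77b04d68 ip=203.0.113.10 ua="{WIN}" path=/mail
2022-09-14T10:04:30Z sid=3f2a9c1e77b04d68 ip=198.51.100.77 ua="{LNX}" path=/mail
2022-09-14T10:04:35Z sid=3f2a9c1e77b04d68 ip=198.51.100.77 ua="{LNX}" path=/files/export
2022-09-14T10:05:00Z sid=b81d0c4fa2e6391b ip=192.0.2.44 ua="{WIN}" path=/mail
""".strip().splitlines()


def demo() -> dict:
    server = SessionServer()
    t0 = 1_663_149_600.0  # 2022-09-14T10:00:00Z
    no_mfa = server.login("alice", password_ok=True, otp_ok=False, now=t0)
    cookie = server.login("alice", password_ok=True, otp_ok=True, now=t0)
    logged = cookie_id(cookie)
    # The attacker's request carries only the copied cookie: no password, no OTP.
    replayed_as = server.authorize(cookie, now=t0 + 270)
    expired_as = server.authorize(cookie, now=t0 + 9 * 3600)
    alerts = detect_session_reuse([parse_access(l) for l in SAMPLE_LOG])
    return {"login_without_mfa": no_mfa, "cookie_logged_as": logged,
            "replayed_as": replayed_as, "expired_as": expired_as, "alerts": alerts}


if __name__ == "__main__":
    print(demo())
```

The replay succeeds because nothing in `authorize` re-checks a factor; only the expiry matters, which is why shortening session lifetimes, requiring re-authentication for sensitive actions, and revoking all sessions of a user whose device was infected shrink the window an attacker has. The detection is deliberately coarse (a VPN change can trigger it), so treat it as an investigation lead to be enriched with ASN and device data rather than an automatic block.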
Know and Minimize Your Risks
One of the key findings from our 2022 Ransomware Defense Report was that organizations feel less confident overall about their defenses, including MFA. We noted an uptick in the number of organizations planning to upgrade their existing measures or add new ones, along with a decrease in the number of those feeling good about their security stack. This growing dissatisfaction indicates that, despite multiple defense layers, organizations recognize they still have gaps that go well beyond poor passwords.
Keeping in mind that cybercriminals are people who take the path of least resistance, here are some ways to close those gaps beyond authentication itself:
Monitor for stolen cookies
While monitoring the criminal underground for compromised credentials is somewhat common, most organizations don’t monitor for stolen cookies, which enable attackers to impersonate users, bypass MFA, and launch attacks seemingly
Understand your hidden risks
If an employee’s personal or shared device is infected with malware, for example, it creates a huge attack surface since a single employee could be using that device to access dozens or even hundreds of your corporate apps and services. All of that stolen authentication data could be used to “walk right in” to your organization.
Enhance your malware infection response
Another frequently overlooked prevention tactic is what we call post-infection remediation – an approach to remediating malware infections that takes into account all of the exposed authentication data that was siphoned (information that’s actively in criminals’ hands and puts the enterprise at risk of attacks including ransomware). The key is having visibility into what’s been siphoned from both managed devices used by your workforce and unmanaged or personal devices used to access your network.
No authentication solution is a magic bullet. With enough patience and ingenuity, attackers will eventually find a way around any single defense. Closing these gaps remains a top priority for security teams, and the earlier they gain visibility into the various attack vectors, from exposed credentials to stolen session cookies, the better their chances of stopping an intrusion before it becomes an incident.