On Cyber-Attacks and Authentication Credentials: Cyberdefense’s Weak Underbelly

Sometimes the news can numb you to vital information.

The cascade of cyberattacks is never-ending: from the WannaCry ransomware that encrypted hospital computers, to the Dyn attack that took down large swaths of the internet, to the most recent GoldenEye (or Petya) malware that is still sweeping the globe. In a recent article in the New York Times, IDT Corporation’s Global CIO Mr. Ben-Oni outlined an attack on his company that is worth reading closely for several key takeaways.

A deep investment of millions of dollars in anti-virus, intrusion detection and firewall systems did not prevent the critical attack, which masqueraded as ransomware but was really aimed at stealing employee credentials to create an ongoing compromise of IDT’s systems. According to the article, Mr. Ben-Oni followed advice that he had received from an N.S.A. employee and deployed three firewalls, three antivirus solutions, and three detection systems. Mr. Ben-Oni was rigorous in subscribing to 128 publicly available threat intelligence feeds and 10 subscription threat intelligence feeds (costing IDT hundreds of thousands of dollars annually), yet each and every preventive measure he put in place failed to catch the attack.

What is vitally important is that the attackers were after employee credentials. Once you compromise authentication, you have the keys to the kingdom and you can take your time emptying out the vault.

Also, note that the layered network defenses from some of the foremost vendors in the world failed to protect against this attack. Millions of dollars were spent on modern-day detection systems that were ineffective at protecting the company.

What can we learn from this? First - we must use Multi-Factor Authentication rather than single credentials - particularly ones that can be harvested and replayed against us. Second, the Cyber-Defense playbook needs to be changed to prioritize the strengthening of credentials over the layering of network defenses. There will always be zero-day vulnerabilities and tools such as the leaked NSA “DoublePulsar” that will be used to get past these network cyber defenses. The integrity of our systems, networks and computing infrastructure at a corporate and national level then relies on securing the core authentication credentials that are the keys to the kingdom.

The attack demonstrates that network-oriented approaches are mere “band-aids” without some accompanying “antibiotics” - the important first step is to secure authentication and then layer on the network defenses. There’s a failure in critical thinking when we continue to pour hundreds of millions of dollars into a failed defensive strategy while neglecting core defenses. Authentication is under attack as the weak underbelly of cybersecurity.

It has been a while since I looked at the combined dollars going into the network-oriented cyber defensive companies relative to those offering strong authentication, but I see some tipping points ahead as we start to rethink cyber-defense from the ground up and start to secure authentication. When we founded the FIDO Alliance and worked on its core protocols (FIDO UAF and subsequently U2F and FIDO 2.0), a principal design goal was to prevent scalable attacks by dramatically raising the cost of attacking authentication, and we have achieved that quite well.
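To make the difference between a harvestable, replayable credential and a challenge-bound one concrete, here is an added example; it is not code from this post, from IDT or from the FIDO Alliance. It models a relying party that accepts a static password next to one that accepts only an assertion over a fresh, one-time challenge and the origin the user is actually talking to. Simplification: an HMAC with a per-registration shared key stands in for the public-key signature a real FIDO authenticator produces, and the relying-party ID and origin strings are constructed.

```python
"""Toy model of replayable vs. challenge-bound credentials (constructed example)."""
import hashlib
import hmac
import secrets

RP_ID = "example.com"                    # constructed relying-party identifier
RP_ORIGIN = "https://login.example.com"  # constructed relying-party origin


class PasswordRP:
    """Relying party that accepts a static secret: anything captured once replays forever."""

    def __init__(self, password: str) -> None:
        self._digest = hashlib.sha256(password.encode()).digest()

    def login(self, presented: str) -> bool:
        presented_digest = hashlib.sha256(presented.encode()).digest()
        return hmac.compare_digest(self._digest, presented_digest)


class Authenticator:
    """Simplified FIDO-style authenticator holding one key per relying party.

    Simplification: HMAC-SHA256 over (origin, challenge) stands in for the
    asymmetric signature a real authenticator would produce.
    """

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key  # a real authenticator would hand back a public key instead

    def sign(self, rp_id: str, origin: str, challenge: bytes) -> dict:
        # The origin is part of the signed message, so an assertion produced
        # for a lookalike site does not verify at the genuine relying party.
        msg = origin.encode() + b"|" + challenge
        tag = hmac.new(self._keys[rp_id], msg, hashlib.sha256).digest()
        return {"origin": origin, "challenge": challenge, "sig": tag}


class ChallengeRP:
    """Relying party that accepts only a signature over its own fresh challenge."""

    def __init__(self, rp_id: str, origin: str, key: bytes) -> None:
        self.rp_id = rp_id
        self.origin = origin
        self._key = key
        self._pending: set[bytes] = set()  # unused challenges only

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, assertion: dict) -> bool:
        if assertion["origin"] != self.origin:
            return False  # signed for a different origin (e.g. a phishing page)
        challenge = assertion["challenge"]
        if challenge not in self._pending:
            return False  # unknown or already-consumed challenge: replay rejected
        self._pending.discard(challenge)  # single use
        expected = hmac.new(self._key, self.origin.encode() + b"|" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["sig"])


def demo() -> dict:
    """Run the four scenarios and return their outcomes."""
    results = {}

    # 1. Static password: the harvested value logs in every time it is replayed.
    pw_rp = PasswordRP("correct horse battery")
    harvested = "correct horse battery"  # constructed: what a keylogger would capture
    results["password_replay"] = pw_rp.login(harvested)

    auth = Authenticator()
    rp = ChallengeRP(RP_ID, RP_ORIGIN, auth.register(RP_ID))

    # 2. Genuine login: fresh challenge, correct origin.
    c1 = rp.issue_challenge()
    a1 = auth.sign(RP_ID, RP_ORIGIN, c1)
    results["legit_login"] = rp.verify(a1)

    # 3. Replay of the captured assertion: challenge already consumed.
    results["assertion_replay"] = rp.verify(a1)

    # 4. Relayed challenge signed while the user is on a lookalike origin.
    c2 = rp.issue_challenge()
    a2 = auth.sign(RP_ID, "https://login.examp1e.com", c2)  # constructed lookalike
    results["phished_assertion"] = rp.verify(a2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The static password is accepted on replay, while the captured assertion is rejected the second time and the assertion signed for the lookalike origin is rejected outright; that is the "cost of attacking authentication" argument in runnable form.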

Beyond this specific attack on IDT, the last Verizon Data Breach report estimated that 81% of cyberattacks involved a stolen or compromised authentication credential - that is a stunning indication of where our underbelly lies. At a recent industry conference, both Google and Microsoft spoke about their identity-aware proxies as a layered defense mechanism for their cloud services. Separately, the FIDO Alliance was spoken about extensively by NCCoE, NIST and many private companies such as Microsoft and Google as a key building block for security and identity. At Nok Nok Labs, we are working on a closer integration of device/user and network authentication. Perhaps the IDT attack and the alarm bells sounded by Mr. Ben-Oni will persuade smart CIOs and boards to actively accelerate changes in their authentication strategy.