The biggest problem with ransomware is not encryption, but credentials
With each passing day, the threat of ransomware increases in frequency, sophistication, and effectiveness. What started as a simple annoyance scheme to collect a ransom has evolved into a mature ecosystem of Ransomware-as-a-Service (RaaS) providers leveraging double- and even triple-threat extortion tactics to ensure their demands are met.
Today, no organization is safe. The RaaS marketplace has enabled both new and experienced cybercriminals to target specific organizations – based on size, industry, geography and whether they operate in the public or private sector – with state-of-the-art technology.
You should be worried – but about what?
The obvious concern about being the victim of a ransomware attack is being locked out from data, applications, and systems – making organizations unable to do business. Then, there is the concern of what an attack is going to cost; the question of whether or not you need to pay the ransomware is being forced by cybercriminal gangs, as 77% of attacks also included the threat of leaking exfiltrated data. Next are the issues of lost revenue, an average of 23 days of downtime, remediation costs, and the impact on the businesses’ reputation.
But those are post-attack concerns, and you should, first and foremost, be laser-focused on what effective measures you can you take to stop ransomware attacks.
Organizations that are truly concerned about the massive growth in ransomware are working to understand the tactics, techniques and procedures used by threat actors to craft preventative, detective and responsive measures to either mitigate the risk or minimize the impact of an attack. Additionally, these organizations are scrutinizing the technologies, processes and frameworks they have in place, as well as asking the same of their third-party supply chain vendors. Ultimately, they are working to identify the most critical systems that must be protected from ransomware.
However, none of that is where you should be placing your primary focus.
At the heart of all this, credential compromise is the leading cause of ransomware attacks, because credentials give hackers the access they need to hold your systems hostage. However, if you eliminate username/password credentials, you eliminate their easiest point of entry to your systems.
Focus on credentials
To understand the issue of credentials in ransomware attacks, one must understand what credentials really are. Credentials are a representation of your identity, and they usually consist of usernames and passwords, though businesses occasionally also layer in a second form of authentication (2FA) or more of them (MFA – multi-factor authentication). In this case, your “identity” in the credentials is the password, which most security systems assume is used by its rightful owner.
Unfortunately, these credentials can be stolen, shared, bought or hacked and used for achieving initial access. Once they gain entry, the threat actors will often look to compromise privileged access credentials to further infiltrate directory services.
A simple 8-character password can be cracked in 1 hour and a 12-character password in a few weeks. As computers’ processing speed increases and software becomes more intelligent, the time to crack a password will get shorter. Finding and using credentials has become easy; hackers (ab)use legitimate tools such as Mimikatz and Microsoft’s PsExec to dump credentials from a system’s memory and execute processes on remote systems.
Threat actors with less hacking experience can purchase stolen credentials. Threat actors can purchase low-level credentials for as little as $20, though credentials for admin-level accounts can be on offer at anywhere from $500 to $120,000.
Now that you know where to place your primary focus, how do you address the risk?
Why are usernames and passwords not good enough?
Username/password credentials inherently assume who is on the other side of an access attempt. With just a username and password, you are never actually attaching a verified identity to the credentials since anyone can use them. Even 2FA, MFA and biometric recognition systems like FaceID and TouchID only build on passwords and usernames – they certainly help in elevating your security, but they do not solve the core vulnerabilities with passwords and usernames. There are countless examples of one-time password hacking, SMS-jacking, SIM swapping, etc. – all demonstrating that if a threat actor is intent on bypassing two-factor authentication, they likely can.
This is not to say that organizations should not utilize MFA and secondary sources of security. There should always be more than one layer of verification to security systems, but for these measures to be truly effective, you must establish a verified identity tied to the credentials they are authenticating.
How to link identity to credentials
To start, you must change your mindset of what identity is and how it works into your security and authentication. Identity authentication relies on three elements: something you know, something you have, and something you are. The “something you know” is the most vulnerable form of authentication because if you know it, then someone else can, too. Yet, it is the heart of the username/password credential. To establish a verifiable identity in the authentication process, we must eliminate “something you know” and focus on “something you have” and “something you are.”
Identity verification and biometric authentication are gaining momentum with the recent Executive order on improving the nation’s cybersecurity. In it, President Biden called on federal agencies to move toward a zero-trust architecture for both on-premises and cloud-based environments. Zero Trust is based on the principle of “Never trust, always verify.” In the context of credentials, it means the organization does not trust that a request for access to a system, application or data is being made by the account owner until it is absolutely validated.
Validating identity following Zero Trust requires the combination of “something you have”, such as a driver’s license or passport, with “something you are”, such as a live biometric characteristic. Thanks to recent technological advancements, users can upload their government-issued documents to an organization’s security system, and their live biometric is verified against those documents at every login attempt. Users have now established and attached a confirmed identity to their credentials.
So, in the context of ransomware, this means organizations can drastically reduce even an experienced ransomware threat actor’s access to their credentials.
Where do we go from here?
As organizations work to identify a preventative strategy for ransomware attacks, the answer lies in looking at what threat actors use more often.
The credentials problem cannot be solved by simply eliminating passwords and usernames. Passwordless solutions are certainly the future, but they are useless without first validating a user’s identity.
Identity verification is the most important step in an organization’s system for providing access, and authentication cannot occur until identity is established. This is known as identity-based authentication and it is the foundation of effective security measures. Once identity is established with a high level of efficacy, password-based credentials become obsolete. The end goal is not passwordless solutions – the goal is identity-based authentication, with passwordless as a means to that end.
The success of ransomware attacks depends on the opportunities given to attackers. Adopting the right technologies will allow you to leave the band-aid approach to security behind, and to keep pace with the rising sophistication of attacks.