The Evolving World of Cybersecurity and Authentication: A Q&A with David Kennedy
Identity security and authentication are having their time in the spotlight. But what should organizations and enterprises prioritize when it comes to securing their user base – to stay resilient against new-age threat actors?
Axiad’s chief marketing officer, Joe Garber, discusses this topic and more with the newest member of Axiad’s board of directors, David Kennedy, in the first episode of the Cyber Resilience Vlog Series. The full transcript of the episode follows.
Joe Garber: Welcome to the first episode of Axiad’s Cyber Resilience Vlog Series. I’m Joe Garber, chief marketing officer of Axiad, and today we’re delighted to welcome one of the world’s top subject matter experts on cybersecurity, David Kennedy. David is the founder of two security industry success stories, Binary Defense and TrustedSec. He’s also served as a chief security officer, is an accomplished author, is a consultant for a well-known TV show, a former Marine who has been deployed multiple times on intelligence missions, and has been called upon to testify in Congress regarding emerging security requirements. So, I think it’s fair to say we have a very good discussion in store today. Thanks for joining us today, Dave.
David Kennedy: Thanks for having me on, Joe, and I need you to do the intro for me from here on out. You can come to my presentations and record those. It was really good, thanks.
JG: I appreciate it, thanks so much. Let’s get right to the good stuff with my first question for you. It seems like identity security and in particular, authentication, is in the spotlight recently. Have you seen this trend, and why do you think it’s so important at this juncture?
DK: You know, it’s interesting. You look at where adversaries have come from to where they are today. Corporations and companies continue to invest in cybersecurity, products, and technology, yet passwords and authentication almost always end up being one of the root cause issues we see from a breach perspective. Over at Binary Defense and TrustedSec, we have dedicated incident response teams; we monitor for intrusions all the time. And it’s interesting to see – you look at the root cause analysis for most of these, and credential stuffing ends up being one of those as well. You see sophistication and specialization occurring now in a lot of the different types of ransomware groups. For example, there was a ransomware group recently that specializes in trying to circumvent multi-factor authentication (MFA) for corporations that already have it installed and implemented, using phishing models, ways to redirect people, and things like that. So, they’re getting more and more advanced with it, and when you look at identity and look at an individual within an organization, when they’re handling the authentication components and understanding who they are, that’s not really being challenged today. You usually have a text message or push notification or maybe even nothing at all.
I think there was a statistic at Microsoft’s Blue Hat that 76% of Microsoft’s customer base still didn’t have MFA deployed on Microsoft 365. So, you have all these problems around authentication, around authorization, and proving who the identity of an individual is – and it’s important to understand most of these attacks are occurring from those types of things. We saw Colonial Pipeline happen a couple years ago that was specifically from a backup VPN concentrator that didn’t have MFA occurring. The one from Uber is also another interesting one where they had a contractor, and the adversary had bought credentials online and they spammed the contractor with the push notifications. And the first, I think, 16 times the contractor had denied them but the seventeenth time, he hit approve, and it allowed the attacker directly into their environment and eventually caused havoc there. Those types of attacks can happen to anybody, it’s not a knock on any organizations there.
Users are still by far the number one area that adversaries and attackers go after. It’s rarely a flaw on the outside perimeter that these attackers take advantage of, because there’s so much low-hanging fruit around the person, the individual, for these attackers to go after. And once they get access to an individual person or an identity, they start accessing the systems they have access to, gathering more information and, from there, doing additional post-exploitation scenarios. So for me, the biggest thing corporations and companies should focus on is their user population, passwords, and how people authorize and access different systems, and how you control all that. HR has systems here, sales has different systems – you have different disjointed systems that don’t focus on authentication and authorization of those individuals. There are a lot of problems that we have. And even moving into the cloud, you start talking about cloud infrastructure, you have a big issue there around visibility and who’s authenticating where, and the type of systems you have. It’s a big mess right now that I think companies have to deal with.
JG: You mentioned phishing as part of that discussion there. We’re seeing a lot more news about being phishing-resistant, from CISA, NIST and others. Is being resilient to phishing really that important with so many other problems to solve in the enterprise?
DK: I think IBM released a report in 2022, that of all breaches that occurred last year, 22% originated from phishing campaigns and out of those, the net medium time to be identified was over 200 days. So, it’s a major problem. Most breaches largely occur either from credential stuffing, through passwords, or phishing attacks – those are the two largest that combine to be the most amount of exposure that corporations have. And I can tell you a lot of my history on the offensive side deals with social engineering and phishing campaigns. And you always hear about artificial intelligence (AI) and everything else. What’s interesting about things like ChatGPT that we’ve seen from a lot of adversaries – they’re using ChatGPT to help generate more believable phishing campaigns, especially in non-native English-speaking countries because it’s so good at contextually understanding the English language. So, they’re getting more sophisticated with technologies we use every day.
You saw early on in ransomware where they were using their own home-grown encryption, which introduced flaws, or using military-grade encryption now within their own tooling and the APIs and cryptography within their own systems. So, phishing ends up being one of the largest attack surfaces that we have, and users (you can see a common theme) end up being one of the largest attack surfaces because of the exposures they introduce. One user that clicks on one link happens to give some sort of information or open up some sort of document that allows for code execution or to gain initial access onto a system. And then from there you’re really hoping that the company has monitoring detective controls to stop it or preventative mechanisms to stop that code execution. But what we’re seeing from the adversaries is they’re continuously crafting and changing the ways that they do things, so it becomes very complex in these companies. Especially again, cloud infrastructure, on-premises, hybrid – these things introduce complexity that creates these types of issues.
I’ll give you a quick story: we do phishing campaigns quite often and the more believable you can make a phishing campaign, the higher probability of success you’re going to have, obviously. So, there’s an attack we did recently on a Fortune 500 company. We sent a text message out to an individual that we were targeting. And we used what’s called open-source intelligence gathering through LinkedIn, through other common criteria and types of data sources. We were able to look at what types of technologies their organization was using, because everyone on LinkedIn wants to talk about their experience, and the technologies they’ve worked on. So, we saw they had a specific MFA solution in place. So what we did was send them a text message the day before we were going to launch the attack and said “Just FYI, the system we use for MFA is currently undergoing upgrades, you may have to hit approve again through your MFA solution – specifically naming their MFA solution – tomorrow when we start to do maintenance. Sorry for the inconvenience, if you have any questions, reach out to us.” And it was a phone number and email address that went to us obviously. So, we send this text message out and the next day, we sent a push notification. We were able to get this individual’s credentials through a different method and we sent a push notification out to this individual and they hit approve literally two seconds later. And then we had access to their VPN concentrator.
So, phishing is definitely a major problem, and a lot of threat actors have moved toward text-message phishing, or smishing, and then getting access to systems from there, and it’s typically harder to detect that way because you don’t understand unusual behavior from users in most organizations and environments.
JG: Wow that’s a great story, very interesting. With limited time, I’ll go to our last question. I know you’re an expert on far more elements of the cybersecurity market than just authentication and phishing. What other cybersecurity trends are you watching that could have an impact on identity security practices, or the cybersecurity market overall, over the next two to three years?
DK: I think the push to move off of passwords is huge. We have to kill passwords in everything that deals with them. And that’s a very complex situation because you have to have partners with all these organizations, standardization of formats, and integrations that all these companies support in order for you to really get to that. But I envision a day where you pick up your iPhone, you authenticate through your iPhone, and then you can have access to everything possible you can imagine from resources, identity, and everything else that’s fully compatible with all the other systems and integrations you have there. It’s important to keep it as easy as possible for users. We find time and time again, users just err. Not everybody is a cybersecurity expert – but even cybersecurity experts err all the time. So, it’s one of those things where we really have to make sure the technology is as easy as possible for humans but also recognize that it’s going to get more complex.
You look at where systems are heading today: companies are expanding at an accelerated rate to enable their businesses and technology. Security must support that, but it has to support that in a way that doesn’t introduce new exposures to the infrastructure. And that’s where you hear a lot of the common terms around Zero Trust – which is a really big push – to minimize the roles and permissions users have, and the access they have, which ultimately will help to reduce the attack surface that organizations have across their enterprise. And, I think you’re seeing a lot of the shift from on-premises toward the cloud, which is great. But the issue I see with companies is they don’t have cloud security experts. They plop everything into the cloud but they don’t necessarily know what they’re doing, and it becomes unstructured and chaotic. There are systems out there that they don’t know about. It’s very difficult to manage and maintain. They have loose integrations with other systems, they have 70 different passwords they have to remember from all these different cloud providers, and again, the promise of keeping things not complex doesn’t necessarily hold up.
So, I think organizations need to look at, when adopting new technology, how do you keep it as simple as possible for the users while also reducing your attack surface out there? And I think that’s going to be a common trend across the board. Obviously, everyone is talking about generative AI and where AI kind of fits in the marketspace, especially in cybersecurity. I think there’s a lot of approaches there that can simplify how we look at attacks in environments, especially around data telemetry and the identity side, and how that applies. The issue that we’ll run into is the type of unstructured data we have to deal with is very complex so the modeling around that is going to be very interesting, to see how that applies to cybersecurity.
But I’m very optimistic. Companies are doing a lot more around cybersecurity. We’re seeing increases around funding and budget – 12% a year, but 22% over the next two years. So, we continue to see an increase in spend; however, we need to make sure the spend is focused on the right type of things. And I think everyone thinks they need to spend it on all these types of things over here, when it really comes down to the users, phishing prevention, making sure you can identify who that individual is and authorize them to access the type of data, and looking for anomalies in that type of authorization access control. And then from there, kind of pushing everything out. There’s a lot of good stuff happening; it’s just that if you do everything at once, it seems overwhelming. Focusing on the basics, I think, is the most important.
JG: That’s right, make sure the spend is focused on what matters most, that’s a great comment.
DK: Ultimately, at the end of the day, Joe, our job is reducing risk, right? And we’re not doing a good job if we’re trying to reduce all the risk in the organization, because that’s not possible. We need to focus on the most important risk reductions, and at the end of the day, our highest probability of breach comes from the user population, so let’s focus on those.
JG: Thanks Dave, I appreciate it. That’s all the time we have for today’s episode. Again, we sincerely thank Dave for his wisdom and insights. And look for other episodes of Axiad’s vlog series in the near future, where we’ll share additional thoughts from a variety of different security experts including some of our customers, partners, and, of course, other thought leaders like Dave. Thanks once again Dave for your insights.
DK: Absolutely, thanks for having me today.
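The two MFA stories above (the Uber contractor who approved the seventeenth push, and the red-team push that was approved two seconds after a primed text message) and the closing point about looking for anomalies in authorization both describe the same detectable pattern: a burst of push notifications to one user, a run of denials or timeouts, then an approval. The following is an added example that is not part of the interview and not code from Axiad, TrustedSec or Binary Defense; it runs a push-fatigue detector over a constructed `key=value` log format that stands in for whatever your identity provider actually emits, and both the log lines and the thresholds are assumptions for illustration.

```python
"""Detecting MFA push fatigue ("push bombing") in authentication logs.

Added example. The log format is constructed for illustration and is not any
vendor's real format; the logic applies to any IdP/MFA log that records
push sent / denied / timed-out / approved events per user.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). 'contractor1' is bombed with pushes,
# rejects three, then approves the fourth; 'alice' is a normal single approval.
SAMPLE_LOG = """\
2023-09-15T02:14:01Z user=contractor1 event=push_sent src=203.0.113.7
2023-09-15T02:14:09Z user=contractor1 event=push_denied src=203.0.113.7
2023-09-15T02:14:30Z user=contractor1 event=push_sent src=203.0.113.7
2023-09-15T02:14:41Z user=contractor1 event=push_denied src=203.0.113.7
2023-09-15T02:15:02Z user=contractor1 event=push_sent src=203.0.113.7
2023-09-15T02:15:50Z user=contractor1 event=push_timeout src=203.0.113.7
2023-09-15T02:16:10Z user=contractor1 event=push_sent src=203.0.113.7
2023-09-15T02:16:12Z user=contractor1 event=push_approved src=203.0.113.7
2023-09-15T08:02:00Z user=alice event=push_sent src=198.51.100.20
2023-09-15T08:02:04Z user=alice event=push_approved src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) event=(?P<event>push_(?:sent|denied|timeout|approved)) "
    r"src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "event": m["event"], "src": m["src"]}


def _evict(queue, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while queue and now - queue[0] > window:
        queue.popleft()


def find_push_fatigue(lines, max_rejections=3, storm_threshold=4,
                      window=timedelta(minutes=30)):
    """Scan log lines in order (so it can run over a stream) and return alerts.

    Two rules, each evaluated per user over a sliding window:
      push_storm   - storm_threshold or more pushes sent in the window. Even if the
                     user never approves, this means the attacker already has the
                     password, because a push is only sent after it was accepted.
      push_fatigue - an approval that follows max_rejections or more denied or
                     timed-out pushes in the window (the pattern in the Uber story).
    """
    sent = defaultdict(deque)      # user -> timestamps of pushes sent
    rejected = defaultdict(deque)  # user -> timestamps of denials/timeouts
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, ts = rec["user"], rec["ts"]
        _evict(sent[user], ts, window)
        _evict(rejected[user], ts, window)
        if rec["event"] == "push_sent":
            sent[user].append(ts)
            if len(sent[user]) >= storm_threshold:
                alerts.append({"rule": "push_storm", "user": user, "ts": ts,
                               "src": rec["src"], "count": len(sent[user])})
                sent[user].clear()  # re-arm so the next burst alerts again
        elif rec["event"] in ("push_denied", "push_timeout"):
            rejected[user].append(ts)
        elif rec["event"] == "push_approved":
            if len(rejected[user]) >= max_rejections:
                alerts.append({"rule": "push_fatigue", "user": user, "ts": ts,
                               "src": rec["src"], "rejections": len(rejected[user])})
            rejected[user].clear()  # an approval ends the episode either way
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log this raises a `push_storm` alert on the fourth push to `contractor1` and a `push_fatigue` alert on the approval that follows three rejections, and nothing for `alice`. Treat either alert as a compromised password, not just a noisy user: reset the credential and revoke sessions, and investigate the source address. Detection here is the fallback; the control that removes the attack outright is replacing "tap approve" with number matching or, better, a phishing-resistant FIDO2/WebAuthn authenticator, which is the direction the interview's passwordless discussion points to.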
To see how Axiad can help your organization start moving to a passwordless future, please visit our website: https://www.axiad.com/.