“Knock, knock.”
“Who’s there?”
It’s the question that’s easy to ask, but hard to answer. In cyberspace, how do we really know who’s on the other side of the door? The issue of establishing identity has been around as long as humans have inhabited the planet.
Since the beginning of recorded history, establishing identity has been an evolving and constant challenge. In war, making an adversary believe something false is the hallmark of deception. During World War II, the British launched Operation Mincemeat to deceive the Germans into believing that Greece and Sardinia were the actual targets of the invasion, not Sicily.
According to the Imperial War Museums: “to ensure that the Germans swallowed the deception, it was necessary to create a detailed false identity for the body, which was that of a homeless laborer who had died after swallowing rat poison.”
Identity works to confirm that a person is who the party on the other side of the door thinks they are. Deceptive identity, by contrast, is designed to trick people into believing the person presented is who they “claim” to be, not who they really are.
The invasion of Sicily and Operation Overlord, the invasion of France, depended on “crickets,” children’s toys of the time that made a click-clack sound. During Operation Overlord, this challenge-response system helped the Allies identify other Allies.
If this seems like a history lesson, it is. Over thousands of years, the tactics used to establish identity and trust have changed very little. However, the tools have changed significantly. Yet, as much as history can teach us, we seem to forget the importance of establishing a perimeter through the use of identity.
Recently, several leading senior executives at Microsoft had their accounts compromised by a threat actor called Midnight Blizzard. The actor used a password-spray tactic, gained an initial foothold, elevated privileges and accessed some very sensitive information.
In September 2023, an affiliate of the ALPHV/BlackCat ransomware criminal group claimed responsibility for the attack on MGM Resorts International. According to vx-underground, “all ALPHV ransomware group did to compromise MGM was hop on LinkedIn, find an employee then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation.”
No one is immune, even federal law enforcement. In May of 2022, the Drug Enforcement Administration (DEA) suffered a serious breach when bad actors, armed with a valid username and password, accessed the Law Enforcement Inquiry and Alerts (LEIA). As a former detective, I can attest to the sensitive nature of the information in the system.
So, two-factor or multi-factor authentication should help, right? In 2016, a helpful help desk IT support technician (the nemesis of secure logins) told the caller not to worry about being unfamiliar with how the tokens worked to gain access. The caller, a self-described hacktivist, let the help desk walk him through the process with a two-factor code provided by the support technician.
The result?
Access to “personal information of approximately 9,000 DHS employees and 20,000 FBI employees.” Not a good way to start out 2016.
Hackers don’t break in anymore. They log in. According to the 2022 Trends in Security Digital Identities:
- 84% of respondents experienced an identity-related breach in the past year.
- 96% reported that these breaches could have been minimized or even prevented by identity-focused solutions.
- 78% reported direct business impacts such as reputational damage and the cost of recovery post-breach.
Have we learned? The 2023 report showed a trend that should cause concern. Only half (49%) of the respondents report their company leadership proactively invests in securing identities. We can no longer consider identity only as a characteristic of a user. It’s the front line of defense – the new perimeter.
Why has identity become a main vector of attack? Some might say the advancement of cybersecurity is the culprit. As a whole, we’re getting better at defending and protecting our assets, endpoints, cloud workloads, and so on. But we’ve taken our eye off the ball just enough to give attackers an effective mechanism for continuing to ply their criminal trade.
Sun Tzu understood this centuries ago. He noted, “all warfare is based on deception.” As machines evolve, they get better and faster. Humans, not so much. Many still fall for the Nigerian Prince email scam.
Morgan Wright, chief security advisor, SentinelOne