As digital transformation continues to change the way we do business and interact with various entities and organizations, cyberattacks continue to intensify and compromise user accounts and identities. Identities are the largest attack vector with weak/compromised credentials and phishing attacks being two of the most successful type of attacks.
Organizations are taking notice, and many have implemented various security controls such as multi-factor authentication (MFA), single sign-on, and training employees to identify a phishing attack. Additionally, many run ad-hoc simulated phishing attacks to evaluate employees and retrain them to identify phishing attacks on an ongoing basis. While these trainings have been found to be effective in educating employees on what a phishing attack is, how phishing emails look, and what to look for when trying to evaluate the authenticity of an email, quite often employees are engrossed in their daily tasks and activities and will at some point get tripped up and click on a phishing link, whether simulated or real.
At the same time, threat actors are getting better at disguising phishing attacks, with entire criminal organizations dedicated to building services like phishing-as-a-service for other cyber criminals to use in their targeted phishing campaigns. In addition, AI technologies are also being adopted by bad actors to aid in the development of cyberattack campaigns, with services like WormGPT (a generative AI tool for bad actors similar to ChatGPT) that allow adversaries to launch sophisticated phishing and business email compromise attacks with relative ease. These malicious AI tools use the latest marketing and branding from your websites and learn from previously successful phishing campaigns to create highly accurate phishing campaigns that can evade even the most trained eye from identifying the phishing email.
How can organizations protect against phishing attacks?
Organizations need to stop relying on employees to identify phishing emails and move to implement security solutions and controls that can prevent phishing attacks from compromising an individual’s identity. They can start by moving to a completely passwordless solution, eliminating one of the largest attack vectors – namely weak or compromised credentials. In addition, not all MFA is the same and offers varying levels of protection against MFA bypass attacks. Moving to phishing-resistant, passwordless MFA along with single sign-on (SSO) capabilities will help prevent phishing campaigns from successfully compromising a user’s account.
What is phishing-resistant passwordless MFA is and how does it prevent phishing and other MFA bypass attacks?
Phishing-resistant MFA involves high assurance authentication with the use of cryptographic keys and digital certificates, as well as requiring the physical proximity of the user to the device from which they are requesting access to a resource. There are a few passwordless MFA options that offer phishing-resistance, namely FIDO2 keys, passkeys, and certificate-based authentication with Bluetooth proximity detection.
Certificate-based authentication (CBA) is considered the highest assurance of these options. It involves the use of verified digital certificates assigned to a user and devices from which a user authenticates themselves, along with a Bluetooth proximity requirement. This ensures the user is in close physical proximity to the device from which they are accessing a resource and that the device itself is also a trusted device with a known valid digital certificate assigned to it by a certificate authority.
How to protect against common MFA bypass attacks with CBA
SIM Swap Attack – This type of attack involves taking over a user’s mobile number by having it transferred to a SIM card owned by the attacker. However, with CBA, the certificates tied to the user and device reside on the original device owned by the user and protected with biometrics, ensuring that attackers will not be successful in compromising the user’s identity.
MFA Prompt Bombing – In this scenario, an attacker will trigger MFA push authentication notification on a victim’s mobile device in the hopes of a user accepting one of the many prompts and granting access. With CBA, an attacker will not have access to the digital certificate on the user’s mobile device and in addition will not satisfy the physical proximity factor requirement as they initiate such attacks remotely.
Adversary in The Middle (AiTM) – In this type of attack, cyber criminals set up a reverse web proxy with a phishing site in between the victim and the legitimate application, or webpage. With CBA, attackers cannot successfully compromise a user’s identity as they will not have access to the certificate assigned to the user, as well as the certificate issued to the user’s device to make it a trusted device, thereby protecting against an AiTM attack.
Holistic and layered defense with Zero Trust
Given identity is one of the largest attack vectors, protecting against most common identity-led attacks with phishing-resistant authentication is a critical part of a Zero Trust framework, which provides organizations with a comprehensive set of controls to implement a strong proactive defense to protect against and reduce the impact of a breach when one occurs.
Learn more about how you can enable phishing-resistant identities and implement a comprehensive Zero Trust strategy across identity, devices, network, applications, and data with solutions from Entrust here.