Identity Threats Are the New “Beachfront Property,” and Cybercriminals Are Moving In
Not good: researchers at the University of Illinois Urbana-Champaign have found that if you feed OpenAI’s GPT-4 a CVE advisory, it can exploit the associated vulnerability all by itself with an 87% success rate.
That’s up from 0% on GPT-3.5, by the way. Progress!
But really, why bother sneaking into a target environment via CVEs? “You need to be a complete hacker and have all these skills to exploit something like that,” notes Merium Khalid, director of offensive security at Barracuda Networks. “A threat actor will most likely leverage phishing emails or leverage some credentials that they have from the dark web.”
Though frankly, stealing or buying credentials sounds like an awful lot of work too when you can just bluff your way into a target environment, as the Scattered Spider ransomware gang did last year when it breached MGM Resorts.
“That wasn’t an advanced exploit or anything,” Khalid says. “It was just someone talking to the support person and making them believe that they could share credentials.”
No problem, MSPs are thinking. My end users are all covered by MFA. Except they probably aren’t and even if they are, they’re still vulnerable anyway.
“There’s definitely ways to bypass it,” notes Khalid of MFA.
Of course, there’s nothing new about a lot of this. Social engineering, phishing, and black market credential marketplaces are about as old as hacking itself. But there’s clearly something new going on here, because attackers are leaning on identity threats much more heavily. Indeed, IBM’s X-Force recorded a 71% spike in identity-related exploits in 2023 and a majority of the top 10 high-severity threats detected by Barracuda’s XDR service last year involved identity abuse too.
Perhaps not coincidentally, meanwhile, IAM vendors figured in nearly $1.75 billion worth of security-related investment rounds last year, according to Richard Stiennon of IT-Harvest, a figure bested only by GRC vendors.
So what gives? Why is identity suddenly the hot new attack surface? Part of the answer is that we’re victims of our own success.
“We started getting really good at securing the endpoint,” says Kyle Hanslovan, CEO of managed security vendor Huntress. Anti-virus software is doing a better and better job of blocking attacks, EDR/XDR/MDR solutions are detecting and responding to most of the threats that get through, and companies like Huntress are successfully tracking down the persistent footholds that detection and response software misses. That has attackers pivoting from the endpoint to identity, which is more vulnerable.
“The threat landscape where the endpoint was king still exists, but there’s new beachfront property,” Hanslovan says. And threat actors are moving in.
That’s not the only reason identity threats are proliferating, though
There are other, larger forces at play too, all of which are thoroughly familiar to anyone in the channel:
1. Everything’s in the cloud. Which shifts some control over security from the end user to the cloud vendor. Or I should say vendors.
“You have an account for Microsoft 365, an account for Salesforce, HubSpot, maybe some other services,” says Gaidar Magdanurov, president of Acronis. “It’s much harder to track down where your stuff is and protect it.”
Furthermore, plenty of exploitable information about potential victims is right out in the open on social media sites and other freely searchable venues these days. “Chances are that for everybody, some information is available on the web,” Magdanurov says. “Even if you’re James Bond, there’s something there.”
It doesn’t take much of that something to put you at risk of social engineering either. “If I know your address, I know your name, I know your zip code, maybe some other information, I can call in and pretend to be you,” Magdanurov says.
2. Everything’s integrated. Integrating cloud solutions makes businesses more efficient. Unfortunately, it makes threat actors more efficient too. Instead of breaking into multiple systems, they need only break into, say, your Microsoft 365 account.
“Then they use that M365 identity to move to many different SaaS applications,” Hanslovan says.
Unfortunately, the trend toward integration doesn’t always extend to MSPs. Bigger and more mature ones usually use Microsoft’s Entra ID or some other centralized IAM solution. Smaller, less experienced ones often don’t.
“I know a lot of MSPs that are kind of closer to break-fix shops. They just maintain whatever their customers have, and their customers may not have an active directory implemented properly, or they don’t have anything at all,” Magdanurov says.
3. Everything’s leveraging AI. Which is mixed news, per a study from consultancy CyberEdge Group this week showing that 97% of security professionals believe AI will benefit them and 96% believe it will benefit threat actors too. By and large, survey participants anticipate more good than harm, but there’s harm coming for sure.
In fact, it’s already here for identity threats, per a recent report from Perception Point documenting a 1,760% increase in social engineering-based business email compromise attacks thanks to generative AI. And just wait until deepfakes like those that helped attackers steal $25 million from a business in Hong Kong earlier this year become more common.
What you can do
The biggest reason identity threats are blooming now, though, is the same reason they’ve been prevalent for decades. They target people, and people are incurably fallible.
“At the end of the day, you can’t control humans,” Khalid says.
Here’s what you can do:
Get the basics right. Enforce MFA. Use single sign-on. Deploy a deep stack of proven security solutions. “You need to have complete protection,” Magdanurov says.
Train everyone, often. Especially about newer threats like deepfakes. “That’s the number one thing,” Magdanurov says. “Everybody has to be educated.”
Invest in AI. Just like the bad guys are. “You’ve got to fight AI with AI,” Khalid says. There are more ways to do so every week too, it seems.
Plan ahead for failure. It’s headed your way eventually, so have an incident response plan in place. “Also, do fire drills to see if it’s working,” Magdanurov says.
Be patient. Security vendors have only recently begun prioritizing identity security. They’ll get better at it over time. “I have eight years of building on the endpoint,” Hanslovan says. “I’ll probably have another eight years on identity.”
Feed your brain
Tune in to the latest episode of MSP Chat, the podcast I co-host, and hear the always edifying Jay McBain explain why selling to millennials, competing with accounting firms, and other long-term trends will require MSPs to upend many of their most settled assumptions.
The rise of junk gun ransomware
A couple months ago, I pulled together some data suggesting the outlook on ransomware (which was nothing but dire for years) is a bit more muddled right now. Allow me to do so again.
Buried in that CyberEdge Group report I cited earlier, beneath the GenAI headline, was this:
For the first time in five years, the percentage of organizations victimized by ransomware declined (from 73 percent to 64 percent) and the percentage of victims that paid ransoms fell below 50 percent.
Nice! And then just two days later along came Christopher Budd, director of the X-Ops threat response team at Sophos, to rain on my parade a little. Ransomware volumes, he says, aren’t necessarily rising anymore, but they’re not declining either, particularly among SMBs.
“Ransomware is kind of at static levels overall for small and medium businesses,” Budd told me.
There’s at least a chance they could start rising once more too based on an interesting piece of research Budd published this week about the increasing popularity on the dark web of so-called “junk gun ransomware.”
Junk guns (aka Saturday night specials) are cheap, crude firearms. Junk gun ransomware—which sells for $375 on average versus up to $1,000, reportedly, for more sophisticated variants—has similar attributes. It’s nothing new, Budd notes, but there’s a lot more of it lately.
“It’s getting big enough that when we are going out and looking for emergent trends, we’re able to spot it,” he says.
The forces driving that trend offer a revealing glimpse into cybersecurity’s criminal underworld. Ransomware-as-a-service subscribers, it seems, are getting tired of the (relatively) high prices and profit-sharing rules common with initial access brokers and big-time syndicates, which have been drawing unwelcome attention recently to boot.
“We’re seeing more and more law enforcement activity disrupting them,” Budd says.
Disturbingly, moreover, junk gun ransomware appeals to ransomware newbies looking for an inexpensive, 101-level introduction to the field, and there are suddenly more such folks out there. “People see it as a viable career path,” Budd says.
It gets worse. Small and midsize businesses are more vulnerable to junk gun attacks than bigger, better defended companies, according to Budd, and attackers know it.
“We see evidence on the forums themselves, and we’ve got some examples in our report, where the bad people are kind of self-selecting and viewing small and medium businesses as better targets for what they’re looking to carry out,” Budd says.
So is ransomware still spreading like kudzu, as it was before? No, and it’s not even the top threat SMBs face right now, according to Sophos’s 2024 Threat Report.
“But it’s still a threat,” Budd says, “and it remains a threat that can have potentially catastrophic effects when it happens.”
Also worth noting
Bitdefender’s managed detection and response service is now available in two tiers, MDR and MDR PLUS.
SentinelOne is partnering with Smarttech247 on mid-market MDR.
It’s also investing in SMB security startup Guardz via its in-house VC unit.
Keeper Security has added a passphrase generator to its Keeper Web Vault solution.
Trustifi has launched a new email security awareness module.
Sectigo has a new certificate lifecycle management solution for SMBs.
To help IT providers pay for all those new security solutions, D&H has extended credit limits for over 600 partners in the U.S. and Canada by an average of 50%.
New event notifications in Backblaze B2 Cloud Storage help users build automated workflows.
Proof positive that vCISO services (per my reporting for Channel Futures) are a hot new market for MSPs: vCISO platform vendor Cynomi just raised $20 million in new funding.