The oldest form of authentication
“Do you have my red sweatshirt?”
When my wife was a teenager, this was a phrase she’d use on the phone with her friends.
If the friend responded: “You left it at my house”, the coast was clear. There was no parent in earshot and sensitive topics could be discussed. The TLS handshake was completed. Channel secured.
Who would have thought that 30 years later we’d be back to safe words and secrets in the corporate environment to protect against threats?
And yet here we are. The latest high-profile, AI-driven social engineering attack was on Ferrari. What’s interesting about this attack is that it was prevented using the oldest form of authentication – shared knowledge verification. The targeted exec suspected funny business and decided to sniff it out by asking a question that only Benedetto Vigna, the (purported) CEO, would know the answer to. Social engineering attempt foiled! But it won’t be the last attempt, and although Ferrari dodged this bullet, others have not been so lucky. A few months ago, Arup, a British engineering firm, fell prey to an AI-driven social engineering attack and wired £20m to the attackers.
AI is going to be awesome. But it’s also going to suck. And by suck, I mean bring new challenges that we’ll have to address. AI’s ability to generate realistic voice and video deepfakes has opened up entirely new avenues for social engineering attacks that were previously relegated to only the most sophisticated of attackers. We’re in the early innings of deepfake-based social engineering attacks and advanced phishing attacks, and we should expect them to get more sophisticated and higher in volume. So let’s start talking about it to get ahead of the problem.
What can be done about it
First off, recognize that there will be no magic bullets. But there are some basics that companies can start to think about implementing to get ahead of these threats:
- Strong authentication and short session lifetimes: Users should be authenticated using phishing-proof or phishing-resistant authenticators such as push notifications, U2F tokens, or passkeys. This ensures that credentials can’t be hijacked and lessens the likelihood that an attacker will be able to use an existing system to establish trust with the target. For example, it’s easier for attackers to establish trust with a victim when using the attacker’s systems, accounts, and email.
- Multi-human approvals + Transaction MFA verification: High-value transactions, system access, and permission escalation should use multi-human approvals with MFA verification. Using just-in-time access, you can require that users verify credentials to escalate and/or approve privilege escalation to perform high-value transactions. This forces those *asking* for the work to be completed to authenticate themselves before privilege escalation can proceed.
- Education and awareness: Never to be overlooked. Don’t underestimate the value of good old-fashioned awareness to help employees understand these new types of attacks, how they work, and what they look and feel like. Employees are the front line of preventing access-based attacks.
- Shared knowledge tests: This low-fidelity way of testing identity is easy to implement. “Hey … where did we grab dinner two weeks ago?” This approach is not systematic, but given proper training, employees should be aware of these types of attacks. With that awareness, if they suspect something is funny, they can ask basic shared knowledge questions to sniff out phishy-ness.
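
The multi-human approval and transaction MFA control from the list above, as an added example that is not ConductorOne's code or API: the requester and every approver need a recent MFA verification, self-approval and duplicate approvals do not count, and the resulting grant expires on its own. All names, thresholds, and sample users are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# Assumed policy values for illustration; not taken from the article.
MFA_MAX_AGE = 300        # seconds a step-up MFA verification stays fresh
GRANT_TTL = 900          # seconds the just-in-time grant lasts
REQUIRED_APPROVERS = 2   # distinct humans needed for a high-value action

@dataclass(frozen=True)
class Attestation:
    """Hypothetical record: who acted and when they last passed MFA."""
    user: str
    mfa_verified_at: float  # epoch seconds

def is_fresh(att: Attestation, now: float) -> bool:
    # Reject stale verifications and timestamps from the future.
    return 0 <= now - att.mfa_verified_at <= MFA_MAX_AGE

def evaluate(requester: Attestation, approvals: Iterable[Attestation],
             eligible: Set[str], now: float) -> Tuple[bool, str, Optional[float]]:
    """Return (granted, reason, grant_expiry)."""
    # The person asking must authenticate before anything else is considered.
    if not is_fresh(requester, now):
        return False, "requester must re-verify MFA", None
    valid = set()  # a set, so repeated approvals from one person count once
    for att in approvals:
        if att.user == requester.user:   # no self-approval
            continue
        if att.user not in eligible:     # approver must hold the approver role
            continue
        if not is_fresh(att, now):       # approver must have verified MFA recently
            continue
        valid.add(att.user)
    if len(valid) < REQUIRED_APPROVERS:
        return False, f"{len(valid)} of {REQUIRED_APPROVERS} valid approvals", None
    return True, "granted", now + GRANT_TTL

def grant_active(expiry: Optional[float], now: float) -> bool:
    # No standing permission: access ends when the grant expires.
    return expiry is not None and now < expiry

if __name__ == "__main__":
    now = 1_000_000.0  # constructed timestamps and users
    alice = Attestation("alice", now - 60)
    approvals = [Attestation("bob", now - 30), Attestation("carol", now - 3600)]
    print(evaluate(alice, approvals, {"bob", "carol"}, now))
```

In the constructed run, carol's MFA verification is an hour old, so only one approval counts and the request is denied until she re-verifies.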
Note: Certainly there are other patterns and technologies that will evolve to help prevent these attacks directly. That said, never underestimate the value of implementing basic best practices and controls. 99% of security is doing the boring stuff well.
How ConductorOne can help
There are no silver bullets, but ConductorOne helps businesses be more secure every day by eliminating standing permissions (which might be taken advantage of) and achieving just-in-time access control for privilege escalation and approvals. These basic tools help reduce the blast radius of a cybersecurity attack and can prevent attacks that depend on privileged actions or escalation.