A review of a global cyber attack that ensnared multiple government agencies and other organizations found weak identity management technology continues to leave data and networks at risk, with a top federal cyber official underscoring the need to adopt phishing-resistant multifactor authentication.
The Cyber Safety Review Board’s report on the Lapsus$ group attacks, released last week, found a “collective failure” to account for the risks associated with using short message service (SMS) and voice calls for multifactor authentication codes. The group was able to pull off its intrusions in late 2021 through 2022 by using widely available Subscriber Identity Module (SIM) swapping attacks to intercept MFA codes.
“Despite these factors, adopting more advanced MFA capabilities remains a challenge for many organizations and individual consumers due to workflow and usability issues,” the report states.
Meanwhile, the report also found the group was able to gain entry into networks using stolen login credentials that anyone can buy online.
The organizations that used “mature, defense-in-depth controls were most resilient to these threat actor groups,” the report found.
“Organizations that used application or token-based MFA methods or employed robust network intrusion detection systems, including rapid detection of suspicious account activity, were especially resilient,” it continues. “Organizations that maintained and followed their established incident response procedures significantly mitigated impacts.”
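As an added illustration of the two points the report makes here (SMS and voice codes are interceptable, and rapid detection of suspicious account activity limits the damage), the script below rates the MFA method behind each sign-in and flags the pattern a SIM swap leaves behind: a phone-delivered code accepted shortly after the account's phone number was changed. This is example code written for this article, not tooling from the CSRB or any vendor; the event format, field names and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample authentication events (not real log data).
# Field names ("ts", "user", "type", "mfa") are assumptions for this example.
EVENTS = [
    {"ts": "2022-03-01T08:00:00", "user": "alice", "type": "login", "mfa": "fido2"},
    {"ts": "2022-03-01T09:10:00", "user": "bob",   "type": "phone_change"},
    {"ts": "2022-03-01T09:25:00", "user": "bob",   "type": "login", "mfa": "sms"},
    {"ts": "2022-03-01T10:00:00", "user": "carol", "type": "login", "mfa": "sms"},
    {"ts": "2022-03-02T12:00:00", "user": "dave",  "type": "phone_change"},
    {"ts": "2022-03-05T12:00:00", "user": "dave",  "type": "login", "mfa": "voice"},
    {"ts": "2022-03-01T11:00:00", "user": "erin",  "type": "login", "mfa": "totp"},
]

# Codes delivered over the phone network can be redirected by a SIM swap.
PHISHABLE = {"sms", "voice"}
# Origin-bound authenticators leave no code for a third party to relay.
PHISHING_RESISTANT = {"fido2", "piv"}


def mfa_strength(method):
    """Classify an MFA method along the lines the report draws."""
    if method in PHISHING_RESISTANT:
        return "phishing-resistant"
    if method in PHISHABLE:
        return "phishable"
    return "app-or-token"  # e.g. TOTP apps or push approvals


def strength_summary(events):
    """Count sign-ins per MFA strength class, to see how much exposure remains."""
    counts = {}
    for e in events:
        if e["type"] == "login":
            cls = mfa_strength(e["mfa"])
            counts[cls] = counts.get(cls, 0) + 1
    return counts


def find_suspicious_logins(events, window=timedelta(hours=24)):
    """Flag logins that used a phone-delivered code within `window` of a
    phone-number change on the same account. Returns (user, timestamp) pairs."""
    last_change = {}
    flagged = []
    # ISO-8601 timestamps sort correctly as strings.
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "phone_change":
            last_change[e["user"]] = ts
        elif e["type"] == "login" and e.get("mfa") in PHISHABLE:
            changed = last_change.get(e["user"])
            if changed is not None and ts - changed <= window:
                flagged.append((e["user"], e["ts"]))
    return flagged


if __name__ == "__main__":
    print("MFA strength of sign-ins:", strength_summary(EVENTS))
    print("Phone-code logins shortly after a number change:",
          find_suspicious_logins(EVENTS))
```

The detection is deliberately simple: it only correlates two event types on the same account inside a time window. In a real deployment the same logic would run over the identity provider's audit log, and the window and the set of "phone-delivered" methods would be tuned to the organisation's own enrollment flow.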
For Chris DeRusha, the federal chief information security officer and a member of the CSRB, the Lapsus$ review underscores the government-wide push to adopt phishing-resistant MFA as part of the federal zero trust strategy.
“It’s time for everybody to move off of that SMS stuff,” DeRusha said today at a conference hosted by FCW/NextGov. “It’s getting hacked by automated tools, and we’ve got to move with alacrity towards phishing resistant MFA, because it’s just driving without seatbelts, and we shouldn’t be doing that.”
DeRusha also acknowledged many agencies are still grappling with legacy technologies where implementing phishing-resistant MFA will be difficult, if not impossible, to do without replacing the systems.
“We need a 10-year modernization plan for legacy IT,” DeRusha said. “Since I’ve been doing federal government work back to early in the Obama administration, we’ve been talking about legacy IT modernization as the number one biggest rock that needs to get moved for us to be able to secure our systems. I think that’s still true.”
In addition to recommending technology providers “immediately” begin the transition away from using text message and voice MFA, the CSRB’s report recommends the government work with industry on a “secure authentication roadmap that can help organizations make the transition to a world without passwords.”
The board recommends the White House, the National Institute of Standards and Technology, and the Cybersecurity and Infrastructure Security Agency lead the effort.
“This roadmap should include standards and frameworks, guidance, tools, and technology specific to organizations’ needs and circumstances that account for size, industry, threat profile, as well as privacy and civil liberties considerations,” the report states. “This guidance should also enable organizations to assess their authentication maturity and progress toward leading practices, including password policies and strategies, zero trust architecture (ZTA) implementation, and authentication lifecycle management.”
Meanwhile, DeRusha also highlighted the recent Microsoft Exchange Online intrusion as another case for strong identity management. In that incident, suspected Chinese hackers were able to steal a private Microsoft encryption key to forge authentication tokens and gain access to the unclassified cloud-based email accounts of Commerce Secretary Gina Raimondo and high-level State Department officials.
“I think that when you look at state of play out there, and you look at the types of attacks our adversaries are employing — all you need to do is look at the recent Microsoft incident — identity needs to be the first starting point, it needs to be the core pillar of zero trust implementations,” DeRusha said.