Identity Gaps: The Need to Use Both x.509 & FIDO

Over the last month, several large organizations suffered from major cybersecurity breaches involving stolen credentials. These security events highlight a few important things, including the widespread risks associated with unmanaged identities and the urgent need for stronger policies and protocols in this critical area of security. It also underscores the fact that as organizations continue to move their data to the cloud, they remain vulnerable to traditional hacking tactics, such as phishing and social engineering.These recent victims are not alone. A new report by IBM revealed that identity-based cyberattacks have become the top global cybercrime attack vector, making it the biggest risk for enterprises. Specifically, the report found a 71% rise in attacks using valid login credentials.It’s time for organizations to make identity and access a top priority (again). Let’s examine recent identity-based cyberattacks and the advanced security measures that organizations can implement to combat this specific threat.

Recent Identity-based Cyberattacks

Here is a high-level overview of a few recent cybersecurity breaches and how they emphasize the need for stronger security methods in cloud computing.

  • Snowflake – In late May, Snowflake, a leading cloud-based data storage and analytics platform, confirmed that some level of access to their cloud systems was obtained by threat actors using the stolen credentials of a former employee who had access to demo accounts. These accounts were not protected by multifactor authentication (MFA), which is why they were most likely targeted as the weak link to gain access. Once in, cybercriminals went to work stealing a significant volume of data from hundreds of Snowflake cloud storage customers. This incident has now been linked to the massive data breaches suffered by Ticketmaster and Santander Bank.
  • Ticketmaster – Incidents like the Ticketmaster breach illustrate the potential scale of identity-based threats. In this instance, more than 560 million Ticketmaster users' personal and payment details were exposed from a database hosted by Snowflake. ShinyHunters, a criminal hacker group, stole 1.3TB of data and sold it to a hacking forum called Breach Forums for $500,000. Allegedly, the group has Ticketmaster customers’ full names, addresses, phone numbers, email addresses, order history, and ticket purchase details. As mentioned above, a non-MFA-enabled Snowflake cloud account led to the breach further highlighting third-party security risks.
  • Santander – Some breaches – like the Snowflake breach above – keep giving. Santander issued a breach notification letter noting a supply chain attack in which an unauthorized third party (ShinyHunters) accessed a Snowflake-hosted database containing sensitive customer information. Later, Santander determined data was stolen from its banks in Chile, Spain, and Uruguay. ShinyHunters then posted a sales ad for $2M for the database, which contains personal information of 30 million customers and employees, including 28 million credit card numbers and 6 million account numbers and balances.

What Organizations Can Do To Act

Snowflake is recommending all customers enforce MFA across all accounts, set up network policy rules to allow access to cloud environments only from pre-set trusted locations, and reset and rotate Snowflake credentials.While this may seem like sound advice, there are some inherent problems:

  • Not all MFA implementations are equal
  • You may or may not know if MFA is fully enabled throughout your organization
  • Users can – and do – bypass MFA

MFA is a great security practice, but on its own it’s not phishing-resistant (and of course neither are stand-alone credentials like passwords). In both cases, there is always a human element of intervention making it susceptible to phishing. When you ask a person to do something, like remember a password or enter a number into an authenticator app, it becomes an avenue that threat actors can exploit.

x.509 Certificates + FIDO = Phishing Resistant MFA

To protect against identity-related breaches, organizations must implement more advanced authentication methods including x.509 certificates (backed by PKI) and FIDO. These are the only two truly phishing-resistant solutions recognized by CISA in their MFA recommendations. Here’s a closer look at these two technologies, including how they work and why they are phishing resistant:

x.509 certificate example

x.509 Certificates – A phishing-resistant MFA approach that utilizes certificates to authenticate and gain access to computing resources. It uses a hardware token and a PIN, which provides an ATM-like experience that is intuitive and simple for users – requiring little-to-no training. An example of this x.509 certificate-based authentication is logging on to Windows or macOS machines or accessing applications such as Salesforce or Office 365. This mature technology is used today by many organizations with highly sensitive environments (think government and healthcare). It is supported by major operating systems, applications, and identity and access management (IAM) platforms including Entra ID, Ping, and Okta. Plus, by leveraging x.509 certificates instead of passwords, threat actors cannot launch phishing attacks on this authentication method.

FIDO – Established by the FIDO Alliance to develop standards for eliminating passwords, FIDO enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments. Rather than rely on a user-generated password that can be easily compromised by threat actors, FIDO passkeys – which are expected to be the most advanced standard of passwordless authentication technology – use biometrics, like a fingerprint or facial recognition, to create a passkey that verifies the person who is authenticating is who they claim to be. This method proves to be not only secure, but also provides privacy, convenience, and scalability. With the human element of password creation eliminated, this authentication method also proves to be phishing resistant.Most organizations cannot use FIDO passkeys alone because they’re not supported on all web destinations or sites and because device and platform coverage for FIDO is still incomplete. x.509 certificates fill these gaps with “known” technology that also fits existing workflows.

Looking Ahead

As a whole, the shift to cloud platforms and services offers organizations many benefits, but it also poses significant risks without proper safeguards (as evidenced by the cloud-based breaches listed above). Breaches like this will continue at increasing rates if organizations don’t take action.To combat identity-based cyberattacks, it’s clear that organizations must swiftly adopt the advanced security measures of x.509 certificates alongside FIDO passkeys to ensure cloud systems' safety. While MFA helps and is a good first step, these more innovative security methods offer organizations the best protection by being unphishable.Request a demo to see how x.509 certificate authentication works firsthand. If you would like to discuss how to implement certificates and FIDO at your organization, please contact us to learn more.