Industry executives and experts share their predictions for 2024. Read them in this 16th annual VMblog.com series exclusive.
Change is Coming for MFA and Phishing Training in 2024
By Eric Skinner, VP of Market Strategy, Trend Micro
The arms race between network defenders and threat actors
will enter a dangerous new phase in 2024. As we approach a new year, all signs
point to a generative AI (GenAI) powered surge in highly convincing phishing
campaigns. And to those who believe that multi-factor authentication (MFA) will
be an effective bulwark against credential-stealing phishing campaigns: think
again.
Organizations will need a new plan to tackle phishing and
account takeover attempts in 2024. Fortunately, there are tools out there to
help fight back.
GenAI supercharges phishing
Phishing has long been a battleground between threat actors
and cybersecurity professionals. It remains a top threat vector because it
exploits the unpatchable critical asset at the heart of most organizations -
employees. But, in recent years, progress has been made through measures like
gamified user awareness programs and improved processes for reporting, as well
as improvements to email security filters.
GenAI is set to give criminals a major boost in 2024 by
bringing the ability to craft highly convincing phishing emails in any language
to anyone in the world - and thanks to advanced large language models (LLMs),
the value of phishing training as we know it could degrade substantially over
the next year. Phishing training helps employees recognize emails that look
suspicious, but GenAI works to make malicious emails look trustworthy.
In 2023, red team researchers demonstrated
how GenAI technology can enable threat actors to potentially save nearly two
days of work in crafting phishing campaigns. In the new year, organizations
should foresee a wave of GenAI-powered improvements to phishing campaigns
powered by either ad-hoc usage of commercial LLMs or more specialized LLMs
designed for malicious purposes.
MFA hits a roadblock
MFA has often been regarded as a powerful defense for
bolstering identity and access management (IAM). But history has shown that as
certain defenses become widespread, attackers invest more time and effort in
overcoming them - and that's happening more broadly with MFA now. We already
saw MFA fatigue attacks over the last few years, where attackers bombarded targets
with MFA prompts, hoping the target would eventually accept one. Now
"attacker in the middle" proxy tools like EvilProxy are starting to help
attackers get around MFA more quietly and effectively.
Tools like EvilProxy sit between the victim and a real
login page, relaying requests and responses between the two. The user
thinks they're interacting with a legitimate provider, whilst the attacker is
able to view their username, password and - most importantly - MFA codes.
Developers of EvilProxy claim that the tool can help threat actors bypass the
login security of providers such as Apple, Gmail, Facebook and Microsoft - and
to make matters worse, it's sold as a simple service, lowering the barrier to
entry even further for budding fraudsters.
New year, new strategy
All of this is a wake-up call for IT and security managers.
More comprehensive anti-phishing training will need to be implemented and
prioritized in 2024.
Organizations can't solely rely on automated tooling to make
effective change. Scanning for malware attachments at an email security gateway
is no longer enough, and modern email security tools need to perform a range of
sophisticated analyses, including investigating links with computer vision AI
techniques to detect fraudulent phishing pages. Employees will need to learn
new methods to detect phishing emails: recognizing safe URLs and login pages
will become more important than spotting grammatical errors or strange
vocabulary.
Organizations must also implement a better way to flag
"attacker in the middle" proxy attacks. One option is to use an extended
detection and response (XDR) platform that is trained to understand normal
behavior so it can better spot suspicious activity. For example, an "attacker
in the middle" attack targeting MFA could result in multiple logins from the
same user at different geographical locations within an impossible timeframe.
That should trigger an automated detection and high-priority human review.
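As an added illustration (not part of the original article), here is the impossible-travel check described above, run over a few constructed sign-in events. The user names, coordinates and the 1,000 km/h plausibility threshold are assumptions made for this example.

```python
"""Impossible-travel detection over constructed sign-in events (added example)."""
import math
from datetime import datetime, timezone

# Constructed sample events: the second "alice" login arrives from a place she could
# not have reached in time, the kind of trace an "attacker in the middle" session leaves.
SAMPLE_LOGINS = [
    {"user": "alice", "ts": "2024-01-15T09:02:11Z", "lat": 52.520, "lon": 13.405, "city": "Berlin"},
    {"user": "alice", "ts": "2024-01-15T09:41:47Z", "lat": 37.774, "lon": -122.419, "city": "San Francisco"},
    {"user": "bob", "ts": "2024-01-15T08:15:00Z", "lat": 51.507, "lon": -0.128, "city": "London"},
    {"user": "bob", "ts": "2024-01-15T13:30:00Z", "lat": 48.857, "lon": 2.352, "city": "Paris"},
]

MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold: faster than an airliner, so no legitimate trip fits
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive login pair (per user) whose implied speed exceeds max_kmh."""
    alerts = []
    last = {}  # user -> most recent login seen, in time order
    for ev in sorted(logins, key=lambda e: e["ts"]):
        prev = last.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (_parse_ts(ev["ts"]) - _parse_ts(prev["ts"])).total_seconds() / 3600
            # Two logins at the same instant from different places cannot be legitimate either.
            kmh = float("inf") if hours == 0 else km / hours
            if km > 0 and kmh > max_kmh:
                alerts.append({"user": ev["user"], "from": prev["city"], "to": ev["city"],
                               "km": round(km), "minutes": round(hours * 60), "kmh": round(kmh)})
        last[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_LOGINS):
        print(f"ALERT {a['user']}: {a['from']} -> {a['to']}, {a['km']} km in {a['minutes']} min ({a['kmh']} km/h)")
```

In a real XDR pipeline the alert would be enriched with the source IP and device of both sessions before being routed to human review.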
Enterprises should also consider upgrading MFA to use
proxy-resistant FIDO2-compliant approaches. This could include using hardware
devices like YubiKey tokens or Google Titan security keys, or a hardware-free
approach such as passkeys, which are supported by organizations like Microsoft,
Google and Apple. Using public key cryptography enables users to log in simply
via a fingerprint, face scan or screen lock. Although these tools are making
headway in the consumer space, there's also growing adoption within enterprise
IT thanks to support from IAM vendors like Okta.
In the new year, IT teams will need to decide whether to use
passkeys based on their risk appetite and security versus usability trade-offs.
But as it stands, 2024 could be the start of a change in how we defend against
phishing and account takeover attempts.
ABOUT THE AUTHOR
Eric Skinner, VP of Market Strategy, Trend Micro
Eric Skinner is the Vice President of Market Strategy and
Corporate Development at Trend Micro, a global leader in cloud and enterprise
cybersecurity. In his 10 years with the company, Skinner has developed a
detailed understanding of and passion for global security concerns, especially
as they relate to digital identity, data protection and cyber threats. Skinner
provides a unique focus on advanced threat detection, endpoint and mobile
security, detection and response approaches, machine learning, and identity and
authentication technologies.