Sectigo CSO & CISO Advisor David Mahdi gives advice on how identity-first security helps prevent no-click malware attacks from succeeding.
As if enterprise security professionals weren’t busy enough guarding against a constant flurry of brazen cyber threats – see the recent
No-click or zero-click exploits don’t use social engineering tactics. Instead, they infect devices and machines without any user interaction. Typically these kinds of attacks take advantage of vulnerabilities within a system that passively receives and then processes messages.
Essentially, a zero-click attack looks like this: an attacker sends harmful code via a messaging app to a target. Some examples of this attack don’t show up at all in the messaging system, but those that do will usually look innocuous. The person using the device won’t know they are being attacked. The typical goal of the attacker is to install ‘spy’ software on the target device. The longer-term downside for the attacker is that these kinds of attacks are best only against very specific targets and will usually lead to the discovery or ‘burn’ of their attack. Once the vulnerability is discovered and patched, the attacker will need to come up with another novel approach.
This makes no-click malware a more insidious threat than, say, the unsolicited phishing email that arrives in an inbox promising great wealth with just a click on the link in the message or double-click of the attachment included.
Famously, no-click malware has been the mechanism used to deliver the
Malware, in the past known as “computer viruses,” has been around for a while, and they are here to stay. Over time malware evolves, aiming to take advantage of new vulnerabilities and vectors to leverage for attack. Some interesting solutions to tackle emerging malware threats like no-click attacks have come and gone, but there has always been a “whack-a-mole” aspect to fighting malware. While some techniques that makeup endpoint security, and XDR, are good best practices that help in the fight, security leaders must also think about the digital trust and identity-first security angle.
So, what does an identity-first security approach look like? It starts with the popular zero-trust framework centered around digital identities and strong authentication in which trust in humans and machines is never implicit. The end goal for enterprises is establishing and maintaining digital trust, the cornerstone of securely conducting digital business today.
In short, digital trust involves taking a zero-trust approach, and then establishing and maintaining digital trust with a solid identity-first security framework deeply rooted in cryptography.
An identity-first security approach verifies and authenticates digital identities not just for humans, but for the non-humans or machines they interact with in the digital world. The term “machines” as used here comprises devices (laptops, desktops, mobile phones, tablets, IoT devices, etc.) as well as software (websites, mobile apps, workloads, virtual machines, containers, and so on). This is crucial, because malware of any kind – the traditional “clickable” version, or the “no click” version – needs to be run and executed on the targeted computing platform (i.e., desktops, laptops, tablets, etc.) to perform its malicious function.
In a zero trust and identity-first framework, all computing platforms will require software wanting to run on the targeted platform to “authenticate.” In this scenario, all software, legitimate or otherwise must be “trusted” to execute.
This isn’t a new concept. Consider
So, how best to get started with this comprehensive identity-first security approach to fight no-click attacks? Enterprises should implement public key infrastructure (PKI) digital certificates because they are the proven approach for securing and authenticating all digital identities. They also establish and maintain digital trust beyond the firewalled network architecture.
Furthermore, these certificates need to be managed at scale, particularly given the explosion of identities and devices that enterprises now need to manage.
Automated Certificate Lifecycle Management (CLM) is key here, successfully streamlining the issuance, renewal, governance, and management of any certificates. By efficiently managing the lifecycles of public and private certificates, enterprises can better secure every human and machine identity across their organizations and ensure nothing “falls through the cracks” and becomes a security gap that bad actors can exploit with no-click malware.
Enterprises put considerable time and resources towards authenticating humans with biometrics and other passwordless techniques – but authenticating software and machines is also vital, particularly in a world facing the threat of no-click malware. Good machine identity management with digital trust as the goal helps in this fight. While IT leaders can’t prevent the emergence of new forms of malware, they can ensure that they are successfully prepared to manage the risk around it with identity-first security as the threat landscape continues to evolve.
Lead image source.