Stop stealthy hackers where other security systems can’t

Attackers get around compliance-recommended tools such as MFA and EDR to gain unauthorized access to corporate and customer data.

Defense against increasingly sophisticated cyberattacks is now the baseline for CISOs protecting business data.

Organizations in the critical infrastructure sector are particularly at risk.

Attackers go for the low-hanging fruit: stolen credentials, phishing and hijacked employee sessions, because it works. Attacking end users is a much easier route to critical business data than the laborious work of finding an exploitable misconfiguration in, say, a cloud security appliance. Attackers also cooperate: marketplaces for malware and stolen credentials aimed at end users and endpoints already exist.

 

One main reason endpoint attacks succeed is that MFA and other authentication controls are one-and-done: the user is authenticated once, at login, and then trusted for the rest of the session. But what if the device or session is compromised after that legitimate login?

 

With so many successful attacks originating at endpoints and getting around compliance-recommended tools, how can CISOs and security leads protect their businesses from the ransomware, phishing and social-engineering threat vector at the endpoint?

 

Stopping an attacker who has already gained a foothold on your network is possible with continuous authentication backed by cryptographic attestation: every input is checked, throughout the session, to confirm that the person typing is who they claim to be and not an attacker. Continuous authentication validates user intent by tying it to physical input on the user's device, which an attacker who does not hold that device's key cannot reproduce.

 

Cryptographic attestation attaches a signature to every physical input the user makes. The signing key lives on the user's device, so each signature lets the receiving system verify in real time that a given keystroke or mouse click was produced on the device holding the corresponding private key, rather than injected by software or relayed from somewhere else.

 

Even if an attacker with backdoor access to a compromised device tries to use it to move laterally to a privileged system, their input carries no valid attestation signatures. The unattested input is blocked and your security monitoring tools flag it. As long as the device itself, and the key on it, has not been physically compromised, this protection is invisible to the legitimate user.
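As an added example (not Keystrike's code; the page does not publish its protocol or message format), here is a minimal version of both sides of per-input attestation in Go, using Ed25519 from the standard library. Everything about the layout is my assumption: the device holds its own private key, every input event carries a monotonic sequence number so a captured event cannot be replayed, and the receiving side rejects any input that is unsigned, signed under the wrong key, tampered with, replayed, or from an unknown device. The verifier here is also what the later sections mean when they say an attacker's unattested keystrokes are frozen in place.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Verdict is the verifier's decision for one reported input event.
type Verdict string

const (
	Accept         Verdict = "accept"
	RejectUnknown  Verdict = "reject: unknown device"
	RejectUnsigned Verdict = "reject: no attestation signature (injected input?)"
	RejectBadSig   Verdict = "reject: signature does not verify under device key"
	RejectReplay   Verdict = "reject: sequence number reused (replayed input)"
)

// InputEvent is one physical input as an endpoint agent might report it upstream.
// The field layout is an assumption for this example, not a published format.
type InputEvent struct {
	DeviceID string
	Seq      uint64 // per-device monotonic counter: makes each signed event unique
	Kind     string // "key" or "click"
	Code     uint16 // key scancode or mouse button number
	Sig      []byte // Ed25519 signature over canonical(); empty for injected input
}

// canonical is the exact byte string that is signed and later verified.
// Length prefixes stop "ab"+"c" and "a"+"bc" from encoding identically.
func canonical(e InputEvent) []byte {
	var n [8]byte
	buf := make([]byte, 0, 64)
	buf = append(buf, byte(len(e.DeviceID)))
	buf = append(buf, e.DeviceID...)
	binary.BigEndian.PutUint64(n[:], e.Seq)
	buf = append(buf, n[:]...)
	buf = append(buf, byte(len(e.Kind)))
	buf = append(buf, e.Kind...)
	binary.BigEndian.PutUint16(n[:2], e.Code)
	return append(buf, n[:2]...)
}

// Device is the signing side. The private key never leaves the endpoint.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
	seq  uint64
}

// NewDevice generates a fresh key pair; the public key is what gets enrolled.
func NewDevice(id string) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{ID: id, priv: priv}, pub, nil
}

// Input attests one physical input: advance the counter, sign the canonical bytes.
func (d *Device) Input(kind string, code uint16) InputEvent {
	d.seq++
	e := InputEvent{DeviceID: d.ID, Seq: d.seq, Kind: kind, Code: code}
	e.Sig = ed25519.Sign(d.priv, canonical(e))
	return e
}

// Verifier is the receiving side (target server, jump box or monitoring pipeline).
type Verifier struct {
	keys    map[string]ed25519.PublicKey
	lastSeq map[string]uint64
}

func NewVerifier() *Verifier {
	return &Verifier{keys: map[string]ed25519.PublicKey{}, lastSeq: map[string]uint64{}}
}

// Enroll binds a device ID to its public key (done once, out of band).
func (v *Verifier) Enroll(id string, pub ed25519.PublicKey) { v.keys[id] = pub }

// Check validates one event. The signature is checked before the replay
// counter so a forged event can never advance the counter.
func (v *Verifier) Check(e InputEvent) Verdict {
	pub, ok := v.keys[e.DeviceID]
	if !ok {
		return RejectUnknown
	}
	if len(e.Sig) == 0 {
		return RejectUnsigned
	}
	if !ed25519.Verify(pub, canonical(e), e.Sig) {
		return RejectBadSig
	}
	if e.Seq <= v.lastSeq[e.DeviceID] {
		return RejectReplay
	}
	v.lastSeq[e.DeviceID] = e.Seq
	return Accept
}

func main() {
	dev, pub, err := NewDevice("laptop-01")
	if err != nil {
		panic(err)
	}
	v := NewVerifier()
	v.Enroll(dev.ID, pub)
	genuine := dev.Input("key", 0x1e) // the user presses a key
	fmt.Println("genuine keystroke: ", v.Check(genuine))
	// A backdoor on the host feeds input that never went through the signer.
	injected := InputEvent{DeviceID: dev.ID, Seq: 99, Kind: "key", Code: 0x1e}
	fmt.Println("injected keystroke:", v.Check(injected))
	fmt.Println("replayed keystroke:", v.Check(genuine)) // captured event sent again
}
```

The guarantee is only as strong as the key's isolation: if software the attacker controls on the same host can read the signing key, the attacker can sign too. That is why the caveat above about the device not being physically compromised matters, and why a hardware-backed key (a TPM or similar) is the natural home for it.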

 

What The CISO of Uber Found Out About MFA in 2022

 

Let's look at what happened at Uber, with Latha Maripuri as CISO, when the company suffered another large breach in 2022. Unlike the 2016 breach, in which the names, email addresses and phone numbers of 57 million riders and drivers were stolen and sold, this time Uber reported no evidence that sensitive customer data was taken.

That is little consolation, because the attack got past endpoint security and 2FA using stolen credentials and social engineering, which means it can happen again.

Uber required 2FA on employee and contractor accounts, and that stopped the attacker's first login attempts. The attacker then kept retrying, sending the contractor a barrage of push notifications to approve, and followed up with a message posing as Uber IT support saying the prompts were legitimate. The contractor approved one, and the attacker was on the network.

The attacker did what CISOs fear most after the credential leaks we see in breach after breach, year after year: he obtained a contractor's valid corporate password (Uber's own incident update says it was most likely bought on the dark web after malware on the contractor's personal device captured it) and used it to log in.

So the CISO had the right tools in place, but not the right tools to prevent an attack that is common and hard to stop for every CISO, even though Uber, as a public company, almost certainly met industry compliance guidelines.
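The push-bombing pattern in the Uber incident is visible in identity-provider logs before the approval lands. As an added example (mine, not Keystrike's or Uber's), here is a small detector in Go that runs over constructed log lines: it flags a burst of denied or timed-out push prompts for one user inside a time window, and separately flags an approval that arrives after such a burst. The key=value log layout, the user names and the addresses are all made up for the example; real IdP exports differ and would need their own parser.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// MFAEvent is one push-MFA prompt outcome parsed from a log line.
type MFAEvent struct {
	At     time.Time
	User   string
	IP     string
	Result string // "approved", "denied" or "timeout"
}

// Alert is raised when a user's prompt history looks like push bombing.
type Alert struct {
	Kind    string // "push_bombing" or "fatigue_approval"
	User    string
	At      time.Time
	Prompts int // non-approved prompts inside the window at alert time
}

// SampleLog is constructed for this example; the layout is an assumption,
// not any particular identity provider's export format.
const SampleLog = `2022-09-15T22:00:05Z user=contractor-17 ip=203.0.113.9 mfa=push result=denied
2022-09-15T22:00:41Z user=contractor-17 ip=203.0.113.9 mfa=push result=denied
2022-09-15T22:01:00Z user=alice ip=198.51.100.4 mfa=push result=approved
2022-09-15T22:01:10Z user=contractor-17 ip=203.0.113.9 mfa=push result=timeout
2022-09-15T22:01:55Z user=contractor-17 ip=203.0.113.9 mfa=push result=denied
2022-09-15T22:02:30Z user=contractor-17 ip=203.0.113.9 mfa=push result=timeout
2022-09-15T22:03:12Z user=contractor-17 ip=203.0.113.9 mfa=push result=denied
2022-09-15T22:07:48Z user=contractor-17 ip=203.0.113.9 mfa=push result=approved`

// ParseLog turns log lines into events, skipping anything that is not a
// well-formed push-MFA outcome.
func ParseLog(log string) []MFAEvent {
	var out []MFAEvent
	for _, line := range strings.Split(log, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		at, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			continue
		}
		e := MFAEvent{At: at}
		for _, f := range fields[1:] {
			kv := strings.SplitN(f, "=", 2)
			if len(kv) != 2 {
				continue
			}
			switch kv[0] {
			case "user":
				e.User = kv[1]
			case "ip":
				e.IP = kv[1]
			case "result":
				e.Result = kv[1]
			}
		}
		if e.User != "" && e.Result != "" {
			out = append(out, e)
		}
	}
	return out
}

// DetectFatigue flags (a) `threshold` non-approved prompts for one user inside
// `window` (push bombing) and (b) an approval that lands while such a burst is
// still inside the window, the pattern that let the Uber attacker in.
// Events must be in time order.
func DetectFatigue(events []MFAEvent, window time.Duration, threshold int) []Alert {
	pending := map[string][]time.Time{} // per user: times of recent non-approved prompts
	var alerts []Alert
	for _, e := range events {
		recent := pending[e.User][:0] // in-place filter: drop prompts outside the window
		for _, t := range pending[e.User] {
			if e.At.Sub(t) <= window {
				recent = append(recent, t)
			}
		}
		if e.Result == "approved" {
			if len(recent) >= threshold {
				alerts = append(alerts, Alert{"fatigue_approval", e.User, e.At, len(recent)})
			}
			recent = recent[:0] // the burst is resolved either way; start fresh
		} else {
			recent = append(recent, e.At)
			if len(recent) == threshold { // fire once, when the burst crosses the line
				alerts = append(alerts, Alert{"push_bombing", e.User, e.At, len(recent)})
			}
		}
		pending[e.User] = recent
	}
	return alerts
}

func main() {
	for _, a := range DetectFatigue(ParseLog(SampleLog), 10*time.Minute, 5) {
		fmt.Printf("%s %s user=%s prompts=%d\n", a.At.Format(time.RFC3339), a.Kind, a.User, a.Prompts)
	}
}
```

On the sample, contractor-17 trips the push-bombing alert at the fifth unanswered prompt and the fatigue-approval alert at 22:07:48, while alice's single approved prompt produces nothing. A fatigue-approval alert is the one to act on immediately: the session it opened should be terminated and the user contacted out of band, because, as the Uber story shows, the approval itself looked legitimate to the MFA system.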

 

How Attackers Bypass MFA, Authentication and Endpoint Security

 

Millions of stolen credentials and black markets for attack tooling and ransomware make it easier than ever to get past endpoint security and access controls. Are you ready for endpoint attacks that bypass MFA, endpoint security and access controls even with compliance-recommended technology in place?

 

Phishing. Emails and texts that look legitimate carry links to look-alike login pages. Credentials entered there are captured and forwarded to attacker-controlled infrastructure, where they are stored until the attacker uses them to gain unauthorized access to a network or data.

 

Spear phishing. A highly targeted form of phishing in which the attacker masquerades as someone the victim knows, trusts, or should trust. They have done their homework and impersonate colleagues, bosses, friends or trusted institutions convincingly. Once the target is hooked, the mechanism is the same as above: the victim is steered to a malicious page without realizing it, and the captured credentials enable the attack.

 

Social engineering. Tricking a user into handing over login or other credentials. Attackers gather details from the target's social media and other public sources, then approach the target as someone they know, using that detail to appear legitimate, and walk away with the credentials.

 

Password reset. When a user forgets a password, a reset token is sent, and this flow is an easy target. Poorly secured platforms let users (and attackers) into networks and data after completing a reset with no additional verification, so whoever controls the recovery email address or phone number controls the account.

 

Session hijacking (adversary-in-the-middle phishing and infostealers). An adversary-in-the-middle phishing proxy, or malware on the endpoint, lifts the session cookies and tokens issued after a successful login. Because the cookie already represents an authenticated session, replaying it from the attacker's machine walks straight past the password and MFA checks. Session data also records activity the attacker can use once inside.

 

These attacks work because traditional authentication cannot distinguish an ordinary user from a session in which an imposter is riding along on the user's computer. Access control tools have no way to detect an attacker on the network once the original login control has been bypassed.

 

With continuous authentication backed by cryptographic attestation, the user's actions are checked continuously as they interact with a platform or system interface, against reference factors: the device's attestation key first, plus behavioral signals and context such as IP address and location.

 

If the system detects suspicious activity, such as input that carries no valid attestation, unusually fast typing, or a login from an unfamiliar location, it can trigger additional verification (a step-up multi-factor challenge) or terminate the session automatically to stop the unauthorized access.

 

Have You Identified the Unmanaged Attack Surface in Your Endpoint Security and Access Controls That Causes Compliance Gaps?

 

Standards and frameworks such as NIST publications (National Institute of Standards and Technology), the EU NIS2 Directive, SOC 2 and others set out best practices for securing every part of a business network against cyber attacks. Some industries, such as critical national infrastructure (CNI) and financial services, are required by law to comply with specific frameworks.

 

If you use NIST SP 800-53 or SOC 2 as your guide, for example, a gap analysis will show which controls you are missing. Working through those controls helps uncover and remediate endpoint and critical-infrastructure vulnerabilities.

 

The NIST Cybersecurity Framework lists steps organizations can take to protect the different components of their networks and prevent unauthorized access to business data. The table below shows a few controls for authentication and authorization to business-critical systems and how Keystrike maps to them:

 

 

How Keystrike Fits Into The NIST Security Compliance Stack

Examples of endpoint and access control compliance controls, and whether Keystrike closes the gap by stopping attacks with continuous authentication and cryptographic attestation:

Area                                    | Control  | Requirement                                                                                                                                   | Keystrike
Security Continuous Monitoring          | CM-CS-9  | Company endpoints are monitored to detect malicious code and threat activity.                                                                 | ✔️
Security Continuous Monitoring          | CM-CS-4  | Monitoring for unauthorized connections, devices and software is performed.                                                                   | ✔️
Identity Management and Access Controls | AC-CS-6  | Security requirements are enforced for organizational user accounts and credentials managed by an enterprise directory service.               | ✔️
Threat Detection                        | TD-CS-2  | The threat intelligence team sources and provides actionable threat information, such as indicators of compromise, to relevant parties to enable monitoring for cyber threats. | ✔️

(The control identifiers above are the page's own labels; NIST SP 800-53 numbers its controls differently, with the corresponding families being AC, CM and SI.)

 

 


The European Union's NIS2 Directive (Directive (EU) 2022/2555) sets strict cybersecurity requirements for organizations that count as essential or important to critical infrastructure. Its core obligation is commonly summarized as:

“Organizations are required to implement appropriate and proportionate technical, operational, and organizational safeguards to manage and mitigate risks on network and information systems. NIS2 recommends that organizations take an ‘all-hazards’ approach and be prepared for a full spectrum of incidents and emergencies, both from cyber and physical sources, as spelled out in the documentation.”

 

Fines for non-compliance are steep: under NIS2, essential entities face administrative fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher, and important entities up to EUR 7 million or 1.4%, on top of the cost of a preventable customer data loss or critical infrastructure service disruption.

 

Are there NIST, NIS2, SOC2 or GDPR compliance gaps in your endpoint security and access control tools? Have compliance audits revealed unmanaged endpoint and access control threat vectors? Evaluating endpoint security and access controls against regulatory compliance guidelines is a great place to start to uncover unmanaged threat vectors. 

 

Close access-control and end-user compliance gaps with continuous authentication backed by cryptographic attestation, which verifies a user's identity in real time and blocks the ransomware, spear-phishing and spoofing attacks that depend on a hijacked session. By attesting physical input (keystrokes and mouse clicks) and weighing additional signals such as typing speed, touch patterns, IP address, location and device type, it makes sure an attacker has not taken over a legitimate user's session.

 

Ransomware, advanced malware, Remote Desktop Protocol (RDP) abuse, credential compromise, session takeover through a stolen token or cookie, and compromised devices can all be detected and mitigated, closing off the endpoint attack vector, the largest and most challenging one.

 

 

Critical Infrastructure Regulatory Compliance Requirements Gaps Are A Particularly Big Problem

 

 

The critical national infrastructure (CNI) industry is particularly vulnerable to cyber attacks because of legacy systems that are hard to secure and increasingly targeted attacks by criminals looking to disrupt services such as energy and transportation. Ransomware, supply-chain and remote-access threats are all major challenges for critical infrastructure organizations.

 

A 2022 Waterfall Security report says that the surge in cyberattacks against industrial operations grew by 140% and resulted in more than 150 incidents: “At this rate of growth, we expect cyberattacks to shut down 15,000 industrial sites in 2027, that is: in less than five years.”

 

So what are CNI organizations supposed to do to avoid service disruptions and major fines if attackers are still getting through compliance mandated technology? Compliance gap analysis measures effectiveness of security infrastructure in preventing and remediating threats in these areas:

 

Tighten up access control. Restricting access to sensitive corporate and customer assets is the place to start with strong authentication controls. Many organizations struggle to do this at the asset level because business functions are highly siloed, and exceptions are unavoidable: a supplier or contractor may need access to sensitive systems to service or update them, and every such exception is a hole that has to be managed.

 

Implement multi-factor authentication. As the Uber breach above shows, MFA alone is not enough: Uber had MFA in place, yet the attacker kept pushing prompts and, posing as Uber IT support, persuaded the contractor to approve one, which let the attacker onto the network.

 

Go one step further and implement continuous authentication with cryptographic attestation. Ransomware, phishing and other attacks launched from compromised endpoints can be prevented: continuous authentication confirms throughout the session that the individual typing is who they say they are, verifying identity in real time before any access to your network and data.

 

Attested keystrokes and mouse clicks, together with signals such as typing speed, touch patterns, IP address, location and device type, are combined to determine with high confidence whether the user accessing data is who they claim to be, rather than an attacker who has bypassed endpoint and authorization controls.

 

You Can Stop Ransomware, Phishing And Other Attacks Before They Do Damage

 

Here is some great news for CISOs and security leads everywhere: you can prevent ransomware, phishing and other attacks by powering your compliance controls with continuous authentication with cryptographic attestation across your endpoints. 

 

If one of your employees or business partner accounts or sessions has been compromised, you can still prevent the attacker from going anywhere on your network and stealing your important corporate and customer data.   

 

Ensure that every action taken by the user is uniquely tied to their identity and the physical device they are using:

  • Continuous authentication with cryptographic attestation verifies a user's identity throughout the session. Even if a session is compromised, it detects unattested or unusual input, prompts reauthentication, blocks the unauthorized access and alerts system admins to the breach.
  • Cryptographic attestation, combined with other factors, verifies identity in real time and makes every action traceable to a specific individual and device. User intent is tied to physical input that an attacker without the device's key cannot replicate.
  • Even if an employee falls for a phishing scam, the attacker would have to take physical control of that employee's keyboard to issue any commands. If the system sees something out of the ordinary, such as a sudden change in typing speed or unfamiliar mouse movement, it can request additional verification or terminate the session.
  • Cryptographic attestation works by attaching a signature to every physical input the user makes, so the receiver can verify in real time that each keystroke and mouse click was made on the device holding the corresponding private key. Contextual signals (typing speed, touch patterns, IP address, location, device type) add risk context but are not what the signature proves. As users interact with a system, every attested keystroke tells system admins that this person, on this particular device, is who they say they are.
  • Spear phishing and other endpoint attacks are stopped by stopping lateral movement. When an attacker who has phished an employee tries to move laterally, endpoint security and authentication controls have no basis to tell it apart from legitimate behavior, but with continuous authentication the attacker's lack of attested signatures stops the move immediately.

 

In contrast to traditional authentication methods that require users to regularly authenticate themselves causing numerous disruptions throughout a workday, continuous authentication with cryptographic attestation constantly monitors user actions, ensuring a constant measure of security. 

 

Keystrike’s Continuous Authentication With Cryptographic Attestation Stops Attacks That Originate From Endpoints 

 

Keystrike's continuous authentication with cryptographic attestation stops attacks launched from compromised end-user devices, including advanced targeted attacks. With Keystrike, businesses can protect their data across the huge endpoint attack surface, where today there is no effective way to stop malware that has already bypassed endpoint security and authentication controls.

 

Continuous authentication continually verifies a user’s identity throughout their session. Even if a session is compromised, continuous authentication can detect unusual behavior and prompt reauthentication, thwarting unauthorized access. Even if the hacker breaks past strong security controls, there are systems in place to stop the attack. 

 

Cryptographic attestation makes sure that user actions are traceable to specific individuals, so even if an employee falls prey to a phishing scam, the hacker would have to physically take charge of the keyboard in question in order to issue any commands. 

 

Unlike traditional 2FA and biometrics, which introduce delays and interrupt user workflows, continuous authentication with cryptographic attestation works in the background without additional verification steps. An attacker's keystrokes lack the cryptographic signatures that vouch for legitimate user intent, so they cannot be authorized to go any further on the network: the attacker's input is frozen, and every unattested keystroke sends a signal to system admins that there is a breach.

 

Critical infrastructure is a prime target for cyber attacks; FBI director Christopher Wray warned on Jan. 31, 2024 that Chinese state hackers are aiming to ‘wreak havoc’ on U.S. critical infrastructure. With Keystrike, the legacy-system authentication threat vector can be addressed, even under a constant stream of targeted attacks aimed at disrupting infrastructure services.

 

Keystrike solutions are an easy fit into your security and compliance environment:

  • Works anywhere remote access is required for large numbers of users with varied data-access privileges.
  • Integrates into existing security infrastructure: MFA, endpoint detection and response, continuous monitoring, threat detection and IAM.
  • Easy to set up: a one-line addition to group policy, plus an .xcl file carrying the parameters specific to the user, which server to contact and how.
  • Alerts are high-quality and correlated, and malicious activity can be blocked in-line.
  • Integrates with EDR, continuous-monitoring and compliance tooling such as QRadar, Slack and Windows Defender.
  • Cryptographically attests each physical mouse click and each character typed on the keyboard; no machine learning involved.
  • Complements other controls by certifying good behavior instead of trying to infer bad behavior.
  • After authentication, protects the entire user session, continuously ensuring that all input was made by an authorized party.
  • Provides the seamless, robust protection businesses need by verifying identity in real time without compromising user experience.
  • When holes must be poked for business-partner suppliers or contractors to get network access, Keystrike Sanctum Guard provides Remote Desktop support through jump boxes that seal those holes.