Changes to the cybersecurity threat landscape are constant and dynamic: threat actor groups come and go, alter tactics, techniques and procedures (TTPs) and adjust to new defensive mechanisms. Over time, both cyber criminal gangs and nation-state actors endure arrests and swap individuals in what can appear to be an ongoing arms race between good and evil.
Occasionally, new technologies have the power to shift the threat landscape in a dramatic fashion. When these shifts occur in favor of the defender, they provide confidence that progress is on the side of the defenders. X-Force data shows the early signs of one of these dramatic shifts right now, as more organizations implement multifactor authentication (MFA). A shift in how attackers gain an initial foothold in organizations may prove that MFA is forcing more threat actors to abandon using stolen credentials to gain unauthorized access into systems.
X-Force incident response data from 2020 reveals a significant decrease in business email compromise (BEC) attacks and attackers’ use of credential theft or brute force as an initial infection vector. For attackers that rely on stolen credentials, MFA is now creating effective barriers to success, and X-Force has observed cases in which threat actors immediately abandoned operations after encountering an MFA prompt.
Is MFA the end-all? Obviously, attacker skill and motivations play a major role in how they approach intrusion and account takeover — including methods for circumventing MFA — but for the attackers who cannot tackle MFA, we could be looking at the beginning of a new era.
Business Email Compromise Attacks Are Down
One of the symptoms X-Force correlated with an increase in clients’ implementation of MFA is a 38% drop in BEC attacks between 2019 and 2020. BEC attacks accounted for only 9% of all attacks observed by X-Force in 2020, compared to 14% of all attacks in 2019. This trend is good news, as BEC attacks have siphoned billions of dollars out of organizations worldwide, right into the hands of attackers.
Figure 1: Percentage of BEC attacks year-over-year from X-Force data, 2019-2020 (Source: X-Force)
X-Force is certainly not the only organization watching BEC attacks. The FBI, which tracks these attacks based on victim complaints, noted a 19% decrease in the number of BEC complaints in 2020. In fact, the number of FBI complaints in 2020 (19,369) was at its lowest in three years, compared to 23,775 complaints in 2019 and 20,373 complaints reported in 2018.
Figure 2: Number of BEC complaints per year according to FBI data, 2017-2020 (Source: FBI IC3)
Cyber criminals are known for choosing the path of least resistance. Some analysts suggest that traditional BEC actors are resorting to other types of fraud, such as unemployment-related scams, particularly during the COVID-19 pandemic. In the U.S. alone, scams of this type amounted to over $36 billion in CARES Act relief money. WIRED magazine in May 2020 found that Scattered Canary, a cyber crime gang traditionally associated with BEC attacks, had turned to scamming unemployment benefits programs.
Credential Theft and Brute Force as Attack Vectors Also Down
In addition to the decline in BEC attacks, credential theft as a method for gaining initial access to a network decreased significantly from 2019 to 2020.
Figure 3: Top infection vectors as a percentage of the total observed by X-Force, 2019-2020
In 2019, credential theft was one of the top three infection vectors X-Force observed, holding fairly close parity with phishing and scan and exploit at 29% of all attacks. However, in 2020 those numbers shrank to only 18%, underscoring how use of stolen credentials to gain initial access to networks is losing ground.
Similarly, brute-force attacks decreased from 6% of attacks in 2019 to only 4% in 2020, an appreciable drop. From these numbers, it is obvious that threat actors are finding password guessing and password stealing to be increasingly unreliable methods of entry into networks.
X-Force analysts judge that MFA played a role in this significant decrease, as threat actors are more frequently running into MFA barriers and are unable to find workarounds. Although some threat actors are attempting to circumvent MFA — especially BEC actors because stolen credentials are central to their attack plan — many other actors are opting to use other methods of entry, such as scanning for and exploiting vulnerabilities or using phishing emails.
How Can We Know if Multifactor Authentication Is the Cause?
Is an ongoing increase in MFA rollout impacting attack tactics? Several factors have the potential to lead to changes in attack TTPs over time. In addition to MFA, some researchers have pointed to better email security software solutions, underreporting due to COVID-19 and arrests of BEC attackers as additional explanations for attack technique fluctuations X-Force has observed. While all of these explanations have merit, none of them is anchored in supporting data.
Email software security solutions can be a powerful tool against malicious phishing messages seeking to steal credentials and take over business email accounts. X-Force frequently recommends that clients explore this solution to decrease risk exposure to phishing attacks. While software solutions are likely contributing to the decrease in BEC attacks, this explanation has less power when explaining the accompanying drop in the use of stolen credentials and brute-force attacks X-Force has observed in real-world attacks.
There are a variety of methods for obtaining stolen credentials, from purchases on the dark web to watering hole attacks, and brute force or guessing passwords requires few to no additional resources. Yet even these attack types — separate from email compromise — are decreasing, suggesting MFA is the common cause explaining all three.
Other security researchers have suggested that fewer organizations reached out for help with BEC incidents due to resource constraints associated with the COVID-19 pandemic in 2020, thus leading to underreporting last year. However, X-Force, in the first quarter of 2020, saw 60% fewer BEC attacks than in the first quarter of 2019, suggesting that these attacks were decreasing even before the pandemic fully affected organizations worldwide.
Some have speculated that arrests of BEC attackers have contributed to the decrease in this attack type. Publicized arrests in August and November 2020 are encouraging, but the FBI estimates that hundreds of thousands of BEC attackers remain at large.
X-Force incident response data provides the strongest backing for MFA as an explanation for the shift in attacker TTPs. In nearly all of the BEC attacks observed by X-Force in 2019 and 2020 where attackers were successful, MFA was not enabled. In addition, in most of the cases where X-Force has observed attackers attempting to circumvent MFA, the attack is an attempted BEC attack — suggesting that BEC attackers are fighting to find a way around BEC controls.
More than once, BEC attackers have been able to trick users of mobile-based MFA applications into accidentally tapping ‘yes’, which granted the attackers access. In other cases where MFA was enabled, an investigation revealed that the attackers used typo-squatted email addresses to masquerade as trusted users rather than compromising accounts directly.
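A defender-side check for the typo-squatted sender addresses described above, added here as an example (it is not X-Force or IBM code): it flags From addresses whose domain is a near miss of a trusted domain. The allowlist, sample headers, confusable-character pairs and distance threshold are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allowlist of domains the organization actually corresponds with.
TRUSTED_DOMAINS = {"example.com", "example-supplier.com"}

# Small illustrative set of visually confusable substitutions, folded before comparing.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def fold(domain):
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched_domain); verdict is trusted, lookalike or unrelated."""
    # parseaddr takes the real address, so a spoofed display name is ignored.
    address = parseaddr(from_header)[1].lower()
    domain = address.rpartition("@")[2]
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        # A fixed threshold of 2 is too loose for very short domains; tune per allowlist.
        if fold(domain) == fold(good) or osa_distance(domain, good) <= max_distance:
            return ("lookalike", good)
    return ("unrelated", None)

# Constructed sample From headers: one genuine, three near misses, one unrelated.
SAMPLE_FROM_HEADERS = [
    "Alice <alice@example.com>", "Alice <alice@exarnple.com>",
    "billing@exmaple.com", "Bob <bob@example-suppl1er.com>", "news@unrelated.org",
]

def flag_lookalikes(headers):
    results = [(h, classify_sender(h)) for h in headers]
    return [(h, match) for h, (verdict, match) in results if verdict == "lookalike"]
```

Because MFA does nothing against a sender who never logs in to the real account, a check like this belongs at the mail gateway or in mailbox rules alongside MFA rather than instead of it.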
The Growing Power of Multifactor Authentication
The MFA market is expected to register a compound annual growth rate of 15.2% over the forecast period of 2019-2024, according to Research and Markets. Research suggests that the number of organizations implementing MFA is increasing, especially among small and mid-sized organizations. A KnowBe4 survey from 2017 found that 62% of small and mid-sized organizations did not implement MFA (suggesting that 38% did), and a 2020 Gartner study estimates that by 2023, 80% of small to medium-sized businesses will implement MFA, a trend probably accelerated by COVID-19 and work-from-home policies. In addition, IBM’s observations indicate that users appear to be increasingly tolerant of MFA prompts, particularly with the advent of frictionless technologies such as adaptive access. For some sensitive accounts such as banking, users are even demanding MFA as an increased layer of protection.
These numbers are translating into the actual change that MFA was created to bring on. X-Force threat intelligence data and analysts’ observation of advanced threat actor TTPs yield insight into how MFA cybersecurity is creating effective barriers for attackers and forcing them to adjust their strategies or even shift to different forms of cyber crime altogether.
In July 2020, X-Force published an analysis of Iranian threat group ITG18, which accidentally leaked hours of the group’s training videos, providing insight into how they conduct account takeover operations. When the malicious operators used stolen or guessed credentials to successfully authenticate against a site set up with MFA, they immediately moved on to the next website without further attempts to gain access.
Of the attackers who successfully circumvent MFA or attempt to circumvent MFA, BEC attackers are the ones X-Force has observed the most. Currently, however, they appear to be in a losing battle, as incidents of MFA circumvention are few and far between and in many cases require significant time, effort and social engineering to accomplish.
Other researchers agree that MFA is a powerful tool in stopping threat actor activity. At the RSA conference in 2020, Microsoft reported that 99.9% of all compromised accounts it tracked did not use MFA, suggesting that MFA implementation can dramatically decrease the occurrence of compromised accounts. In addition, Google’s security team has claimed that MFA can prevent more than 95% of general phishing attempts and 75% of targeted attacks.
Now More Than Ever: Implement Multifactor Authentication
The COVID-induced work-from-home era has sent billions of employees to work outside of their organizations’ protected environments. It has increased the already elevated use of personal devices and turned company-issued equipment into high-risk devices connecting from unsecured networks all over the world. Rolling out stronger authentication requirements should be on every security executive’s urgent projects list.
Organizations already successful in MFA implementation appear to be altering the threat landscape — likely causing a decrease in the number of successful BEC, credential theft and brute-force attacks the X-Force incident response team has observed between 2019 and 2020.
In the past, the modification of defense tactics necessarily impacted the threat landscape with a shift in attack tactics. One example is the implementation of chip and PIN security on payment cards. Once it thwarted attacks on physical cards, attackers moved to card-not-present fraud. Where will attackers go next? X-Force data suggests that attackers are now turning to vulnerability exploitation as an alternate avenue of entry.
There are a variety of methods and technologies available for implementing MFA. Many applications have an MFA option built-in, requiring only enablement by the organization using it. In addition, with IBM Security, you can explore MFA for on-premises and for cloud assets. IBM Security provides maximum flexibility for any size organization going through a digital transformation and living in a multicloud hybrid world by providing MFA or adaptive MFA capabilities to any application, regardless of where it resides.
To learn more, check out our blog series on Consumer Identity and Access Management (CIAM).
In addition, you can read more about IBM Cloud App ID, Cloud Pak for Security and on-prem identity and access management solutions.
Manager, X-Force Cyber Range Tech Team, IBM
Camille Singleton brings sixteen years of professional experience to cybersecurity topics, both in the US government and as an analyst at IBM. She is convers...