Security leaders are concerned about attacks that leverage malware-exfiltrated authentication data, with 53% expressing extreme concern and less than 1% admitting they weren’t concerned at all, according to SpyCloud.
However, many still lack the necessary tools to investigate the security and organizational impact of these infections and effectively mitigate follow-on attacks – with 98% indicating better visibility into at-risk applications would significantly improve their security posture.
The struggle for IT security teams
While increased visibility into stolen authentication details for SSO and cloud-based applications ranks high, human behavior continues to plague IT security teams. The most overlooked entry points for malware include:
- 57% of organizations allow employees to sync browser data between personal and corporate devices – enabling threat actors to siphon employee credentials and other user authentication data through infected personal devices while remaining undetected.
- 54% of organizations struggle with shadow IT due to employees’ unsanctioned adoption of applications and systems – creating gaps not only in visibility but also in basic security controls and corporate policies.
- 36% of organizations allow unmanaged personal or shared devices to access business applications and systems – opening the door for devices lacking robust security measures to access sensitive data and resources, and reducing the oversight security teams require for proper monitoring and remediation.
Seemingly innocuous actions like these can inadvertently expose organizations to malware and to follow-on attacks, including ransomware, that stem from the stolen access details. According to the research, every infection exposes access to an average of 26 business applications.
“While most organizations understand the general and pervasive threat of malware, digital transformation and hybrid work models create a perfect environment for criminals to take advantage of hidden security gaps,” said Trevor Hilligoss, Director of Security Research at SpyCloud.
“Criminals are exploiting these vulnerabilities by taking advantage of lax cyber behaviors and deploying infostealers designed to swiftly exfiltrate access details beyond passwords. These days, authentication cookies that grant access to valid sessions are one of the most prized assets for perpetrating next-generation account takeover through session hijacking – bypassing passwords, passkeys, and even MFA,” added Hilligoss.
Malware infections
Detecting and acting on exposures quickly is critical to disrupting malicious actors attempting to harm the organization. Yet the survey revealed many are struggling with routine responses to malware infections: 27% don’t routinely review their application logs for signs of compromise, 36% don’t reset passwords for potentially exposed applications, and 39% don’t terminate session cookies at the sign of exposure.
According to recent research, attacker dwell time has been growing, giving malicious actors ample time to operationalize data exfiltrated by malware. Limited visibility lengthens mean-time-to-discovery (MTTD) and mean-time-to-remediation (MTTR), which exacerbates risks to the business and drains resources.
“Breaking bad habits requires time and resources most organizations can’t afford and have a hard time finding in the first place. To reduce the risk created by unauthorized account access, infected devices and human error, they need a new approach for detecting and remediating malware. For many security teams, responding to infections is a machine-centric process that involves isolating and clearing the malware from the device. However, an identity-centric approach is more thorough as the ultimate goal is to better address the growing attack surface tied to an individual user that puts the business at risk,” Hilligoss explained.
Critical protection gap
In the first half of 2023, researchers found that 20% of all recaptured malware logs recorded an antivirus program as installed at the time of successful malware execution. Not only did these solutions fail to prevent the attack, they also lack any automated ability to protect against the use of stolen data in the aftermath.
With this struggle for visibility and comprehensive response, there is a clear need for security teams to implement a more robust, identity-centric Post-Infection Remediation approach to disrupt criminals before they are able to use malware-exfiltrated data to further harm the business.
Key to this framework is augmenting existing malware infection response with steps to reset exposed credentials and invalidate active sessions compromised by infostealers.