The Future of Identity Security: Lessons from the Change Health Breach
Published 07/29/2024
Originally published by Oasis Security.
UnitedHealth Group confirmed that in February, the BlackCat/ALPHV ransomware group breached Change Healthcare by exploiting compromised credentials for a Citrix remote access portal that lacked multi-factor authentication (MFA).
"On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops. The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later," UnitedHealth Group declared in the prepared statement.
UnitedHealth Group CEO Andrew Witty confirmed that the company paid a $22 million ransom. “The decision to pay a ransom was mine,” Witty said. “This was one of the hardest decisions I’ve ever had to make, and I wouldn’t wish it on anyone.”
Change Healthcare's payment of $22 million to a ransomware gang, following crippling attacks on numerous healthcare entities nationwide, not only set one of the largest ransomware payment precedents but also fed a vicious cycle, encouraging a surge of new cyber attacks on similarly vulnerable targets across the US healthcare system.
The Importance of MFA in Securing Identities
This recent breach at Change Health serves as a stark reminder of the evolving threat landscape in the digital age. As cyber attackers become more sophisticated, the focus has increasingly shifted towards identity-centered breaches. This incident underscores the urgent need for robust Multi-Factor Authentication (MFA) and a comprehensive strategy to secure both human and non-human identities. At a time when organizations often have 50 times more non-human identities than human ones, it's time for a paradigm shift in our approach to identity security.
MFA has long been recognized as a critical component in securing human identities. By requiring users to provide two or more verification factors, MFA significantly reduces the risk of unauthorized access due to compromised credentials.
The benefits of MFA include:
Enhanced Security: Adding an extra layer of security makes it significantly harder for attackers to gain access to sensitive information.
Compliance: Many regulatory frameworks mandate the use of MFA to protect sensitive data.
Trust and Confidence: MFA helps build trust with customers and partners by demonstrating a commitment to security.
MFA alone is not enough
However, while MFA is essential, it is not a magic pill. The breach at Change Health highlights that securing human identities alone is insufficient. The broader and more complex challenge lies in protecting the entire identity fabric, which includes a vast array of non-human identities.
Non-human identities, such as service accounts, APIs, and tokens, play a crucial role in modern IT environments and now constitute the bulk of the identity fabric, outnumbering human identities by 10x-50x. These identities often have access to sensitive data and critical systems, making them attractive targets for attackers.
Non-human identities, however, can't be protected with MFA, making them a primary target for undetected lateral movement and access to critical data sources.
The challenge in securing non-human identities arises from several factors:
Scale: Organizations typically have exponentially more non-human identities than human ones. Managing and securing such a large number of identities is inherently more operationally complex and time-consuming without proper automation.
Lack of MFA protection: Non-human identities are associated with resources and programs, not a human. As a result, they can't leverage MFA to limit the potential blast radius of an attack. NHIs rely on a wide spectrum of authentication methods, such as certificates, tokens, keys and secrets, which are difficult to rotate and decommission efficiently at scale due to their sensitive nature.
No authoritative source: Non-human identities are created by multiple stakeholders for various purposes across the company's infrastructure. This decentralization adds complexity to identity management and makes it challenging to ensure consistent security practices. It complicates ownership assignment, which eventually hinders the remediation process for non-human identity-related violations. Attempting to rotate a credential without proper context of usage and ownership is nearly impossible and prone to disrupting critical business workflows.
Highly Dynamic: Non-human identities are often created, modified, and deleted dynamically, making it difficult to maintain an accurate inventory, understand who owns them, and apply consistent security policies.
The Paradigm Shift: Securing the Entire Identity Fabric
To address the growing risk of identity-centered breaches, the security market must undergo a paradigm shift. Organizations need to recognize that protecting their identity fabric (human and non-human identities) requires a comprehensive and integrated approach that includes:
Recognizing Non-Human Identities as Targets: Hackers are increasingly targeting non-human identities as their "golden ticket" for successful breaches. Identity teams must not only bridge the gap in their identity security posture but also take a leading role in understanding that identities have become the new security perimeter, and the attack surface is larger than perceived.
Adopting Dedicated Solutions for Non-Human Identity Challenges: Traditional identity access management solutions weren't designed to handle the complexities of non-human identities. We require dedicated solutions tailored to address these challenges effectively. These solutions should support various critical capabilities and ecosystem requirements. To tackle issues like the absence of MFA and the lack of contextual visibility, a non-human identity management (NHIM) solution should include automated secret rotation functionality.
Leveraging Automation at scale: Given the large number and dynamic nature of non-human identities, automation is essential across their lifecycle—from provisioning to rotation and decommissioning. Human processes are prone to errors and can lead to misconfigurations, especially considering the high privileges granted to non-human identities for performing their business-critical tasks. Therefore, there is no room for mistakes.
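The three points above (ownership context, rotation, decommissioning) can be turned into a policy check that runs over an inventory. The Python below is an added example, not code from the original post or from Oasis Security, and the inventory it scans is constructed for illustration. It encodes the post's own caution that rotating a credential without a known owner is disruptive: an unowned credential is routed to "assign owner first" rather than rotated blindly, an idle one is flagged for decommissioning instead of rotation, and admin-privileged identities are surfaced first. The record fields, the thresholds and the action names are assumptions for the example.

```python
# Added example: lifecycle policy checks over a constructed NHI inventory.
# Field names, thresholds and action labels are assumptions, not the post's.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class NonHumanIdentity:
    name: str
    kind: str                 # "service_account", "api_key", "certificate", ...
    owner: Optional[str]      # accountable team or person; None = nobody owns it
    created: date             # when the current credential was issued
    last_used: Optional[date] # last authentication seen; None = never observed
    privileges: str           # "admin" or "scoped"


# Policy thresholds (assumed values for the example).
MAX_CREDENTIAL_AGE_DAYS = 90   # rotate credentials older than this
MAX_IDLE_DAYS = 60             # treat identities unused this long as dead

# Constructed inventory, evaluated as of TODAY below.
TODAY = date(2024, 7, 29)
SAMPLE_INVENTORY: List[NonHumanIdentity] = [
    NonHumanIdentity("billing-api-key", "api_key", "payments",
                     date(2024, 3, 1), date(2024, 7, 28), "admin"),
    NonHumanIdentity("legacy-etl-svc", "service_account", None,
                     date(2023, 11, 15), date(2024, 7, 20), "scoped"),
    NonHumanIdentity("old-report-token", "api_key", "analytics",
                     date(2024, 1, 10), date(2024, 3, 2), "scoped"),
    NonHumanIdentity("ci-deploy-cert", "certificate", "platform",
                     date(2024, 6, 15), date(2024, 7, 29), "scoped"),
]


def plan_action(nhi: NonHumanIdentity, today: date) -> str:
    """Decide one lifecycle action for an identity.

    Order matters: an idle identity should be decommissioned, not rotated;
    an unowned one needs an owner before anyone touches its credential,
    because nobody can confirm which workflows depend on it."""
    idle_days = (today - nhi.last_used).days if nhi.last_used else None
    if idle_days is None or idle_days > MAX_IDLE_DAYS:
        return "decommission"
    overdue = (today - nhi.created).days > MAX_CREDENTIAL_AGE_DAYS
    if nhi.owner is None:
        return "assign_owner_then_rotate" if overdue else "assign_owner"
    if overdue:
        return "rotate"
    return "ok"


def audit(inventory: List[NonHumanIdentity], today: date) -> Dict[str, str]:
    """Map every identity name to its planned action."""
    return {nhi.name: plan_action(nhi, today) for nhi in inventory}


def prioritized(inventory: List[NonHumanIdentity], today: date) -> List[str]:
    """Names needing action, admin-privileged identities first, then
    inventory order; compliant identities are omitted."""
    todo = [(i, nhi) for i, nhi in enumerate(inventory)
            if plan_action(nhi, today) != "ok"]
    todo.sort(key=lambda pair: (pair[1].privileges != "admin", pair[0]))
    return [nhi.name for _, nhi in todo]


if __name__ == "__main__":
    for name, action in audit(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name:18} -> {action}")
    print("work order:", prioritized(SAMPLE_INVENTORY, TODAY))
```

In practice the inventory rows would come from the cloud provider's IAM listing, the secrets manager and the CI system rather than a literal list, and "last_used" from authentication logs; the point of the check is that the rotation decision carries the ownership and usage context the post says is missing when rotation is attempted blind.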
The breach at Change Health is a wake-up call for organizations to rethink their approach to identity security. While MFA remains a cornerstone of securing human identities, it is clear that a broader and more complex challenge exists in protecting non-human identities. By adopting a unified and integrated approach to identity management, organizations can better defend against identity-centered breaches and safeguard their critical assets. The time to act is now, and the path forward requires a comprehensive strategy that addresses the unique challenges of both human and non-human identities.