No-Click Malware Is Here: Why Enterprises Must Prioritize Identity-First Security

Written by davidmahdi | Published 2022/11/17
Tech Story Tags: cybersecurity | malware | phishing | digital-identity | digitaltrust | zero-trust | cryptography | security

TLDRNo-click or zero-click exploits don’t use social engineering tactics. Instead, they infect devices and machines without any user interaction. These kinds of attacks take advantage of vulnerabilities within a system that passively receives and then processes messages. The attacker is best only against very specific targets and will usually lead to the discovery or ‘burn’ of their attack. Security leaders must also think about the digital trust and identity-first security angle. The end goal for enterprises is establishing and maintaining digital trust, the cornerstone of securely conducting digital business.via the TL;DR App

Sectigo CSO & CISO Advisor David Mahdi gives advice on how identity-first security helps prevent no-click malware attacks from succeeding.

As if enterprise security professionals weren’t busy enough guarding against a constant flurry of brazen cyber threats – see the recent successful ransomware attack against the Costa Rican government, for example – they are now being told to harden their environments to protect against a dangerous and increasingly common hazard: no-click malware.

No-click or zero-click exploits don’t use social engineering tactics. Instead, they infect devices and machines without any user interaction. Typically these kinds of attacks take advantage of vulnerabilities within a system that passively receives and then processes messages.

Essentially, a zero-click attack looks like this: an attacker sends harmful code via a messaging app to a target. Some examples of this attack don’t show up at all in the messaging system, but those that do will usually look innocuous. The person using the device won’t know they are being attacked. The typical goal of the attacker is to install ‘spy’ software on the target device. The longer-term downside for the attacker is that these kinds of attacks are best only against very specific targets and will usually lead to the discovery or ‘burn’ of their attack. Once the vulnerability is discovered and patched, the attacker will need to come up with another novel approach.

This makes no-click malware a more insidious threat than, say, the unsolicited phishing email that arrives in an inbox promising great wealth with just a click on the link in the message or double-click of the attachment included.

Famously, no-click malware has been the mechanism used to deliver the NSO Group’s Pegasus spyware into the mobile devices of unsuspecting targets in recent years – all without them knowing an attack has successfully taken place.

Malware, in the past known as “computer viruses,” has been around for a while, and they are here to stay. Over time malware evolves, aiming to take advantage of new vulnerabilities and vectors to leverage for attack. Some interesting solutions to tackle emerging malware threats like no-click attacks have come and gone, but there has always been a “whack-a-mole” aspect to fighting malware. While some techniques that makeup endpoint security, and XDR, are good best practices that help in the fight, security leaders must also think about the digital trust and identity-first security angle.

Digital trust is the goal

So, what does an identity-first security approach look like? It starts with the popular zero-trust framework centered around digital identities and strong authentication in which trust in humans and machines is never implicit. The end goal for enterprises is establishing and maintaining digital trust, the cornerstone of securely conducting digital business today.

In short, digital trust involves taking a zero-trust approach, and then establishing and maintaining digital trust with a solid identity-first security framework deeply rooted in cryptography.

An identity-first security approach verifies and authenticates digital identities not just for humans, but for the non-humans or machines they interact with in the digital world. The term “machines” as used here comprises devices (laptops, desktops, mobile phones, tablets, IoT devices, etc.) as well as software (websites, mobile apps, workloads, virtual machines, containers, and so on). This is crucial, because malware of any kind – the traditional “clickable” version, or the “no click” version – needs to be run and executed on the targeted computing platform (i.e., desktops, laptops, tablets, etc.) to perform its malicious function.

In a zero trust and identity-first framework, all computing platforms will require software wanting to run on the targeted platform to “authenticate.” In this scenario, all software, legitimate or otherwise must be “trusted” to execute.

This isn’t a new concept. Consider Apple and its iOS ecosystem. All apps that are available for download on the Apple App Store are digitally signed, which provides them with a “digital identity” – a digital trust stamp of sorts. When a user downloads an app via the App Store onto one of their iOS devices, their device authenticates the “digital trust stamp.” This workflow leverages best practices from a digital trust and machine identity management perspective, and while it is not flawless, it significantly minimizes the attack surface when it comes to malware threats.

Digital certificates establish digital trust

So, how best to get started with this comprehensive identity-first security approach to fight no-click attacks? Enterprises should implement public key infrastructure (PKI) digital certificates because they are the proven approach for securing and authenticating all digital identities. They also establish and maintain digital trust beyond the firewalled network architecture.

Furthermore, these certificates need to be managed at scale, particularly given the explosion of identities and devices that enterprises now need to manage.

Automated Certificate Lifecycle Management (CLM) is key here, successfully streamlining the issuance, renewal, governance, and management of any certificates. By efficiently managing the lifecycles of public and private certificates, enterprises can better secure every human and machine identity across their organizations and ensure nothing “falls through the cracks” and becomes a security gap that bad actors can exploit with no-click malware.

There’s always risk, but it’s manageable

Enterprises put considerable time and resources towards authenticating humans with biometrics and other passwordless techniques – but authenticating software and machines is also vital, particularly in a world facing the threat of no-click malware. Good machine identity management with digital trust as the goal helps in this fight. While IT leaders can’t prevent the emergence of new forms of malware, they can ensure that they are successfully prepared to manage the risk around it with identity-first security as the threat landscape continues to evolve.

Lead image source.

Written by davidmahdi | David Mahdi is an industry recognized pioneer, currently operating as CSO and CISO advisor at Sectigo.
Published by HackerNoon on 2022/11/17
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy