Tips to overcome the limitations of MFA – Security Magazine

Recent surveys indicate nearly 74% of organizations plan to increase their spending on multifactor authentication (MFA) initiatives. That’s a good thing, given that about 80% of security breaches are the result of credential theft. MFA adds additional factors to the authentication process, such as device tokens, one-time passwords (OTPs), and/or biometrics, so that attackers can’t launch an attack with stolen passwords alone. 
Having said that, MFA is not inviolable. You can’t just deploy MFA and walk away. With a few extra tricks and steps, sophisticated threat actors can circumvent MFA. Below are a few common MFA pitfalls attackers can take advantage of:
MFA often involves a “what you have” factor, in addition to passwords. For instance, it can be paired with a mobile device or a phone number through which users receive their passcodes. If someone’s device is stolen or they fall victim to a SIM-cloning attack, the attacker may gain the other critical piece needed to impersonate the owner and access their personal accounts and work-related apps unabated. The attacker then has an entry point into the corporate network and can move laterally across it as an authenticated user. 
Man-in-the-middle (MitM) attacks are those in which malicious actors intercept the victim’s network connection to sniff their data. They can capture an OTP in transit and replay it as-is to authenticate as the legitimate user. They can also steal session cookies and hijack a session right after the user authenticates via MFA. From then on, the attacker enjoys all the privileges of the victim. 
Attackers often get around sophisticated cyber controls through phishing and highly targeted spear-phishing. For instance, a proof-of-concept phishing technique sparked a discussion earlier this year. It used a phishing email to lure unsuspecting employees into clicking a seemingly legitimate login link that would, in fact, launch a remote session and redirect the victim to the attacker’s browser. The victim would then enter MFA credentials on the log-in page opened in the attacker’s browser. After that, the attacker could cut off the remote session and assume control of the victim’s account. 
Another phishing technique involves sending excessive push notifications to the victim’s device to create MFA fatigue. The user, irked by the constant prompts, eventually accepts one, bypassing the MFA and unknowingly granting access to the attackers. 
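As an added illustration (not part of the original article), the following Go program runs the kind of detection a security team can apply to its identity provider’s push-MFA logs to catch the fatigue pattern just described: it flags a burst of prompts to one user inside a sliding window and escalates the alert when an approval follows the burst. The log lines are constructed sample data, and the field format, window and threshold are assumptions.

```go
package main

import (
	"strings"
	"time"
)

// Constructed sample of an identity provider's push-MFA log (not real data):
// alice is push-bombed and eventually approves; bob is a normal login.
const sampleLog = `2023-08-01T09:00:01Z user=alice event=push_sent
2023-08-01T09:00:09Z user=alice event=push_denied
2023-08-01T09:00:12Z user=alice event=push_sent
2023-08-01T09:00:25Z user=alice event=push_sent
2023-08-01T09:00:47Z user=alice event=push_approved
2023-08-01T09:00:03Z user=bob event=push_sent
2023-08-01T09:00:11Z user=bob event=push_approved`

// DetectPushBombing scans "<RFC3339 time> user=<u> event=<e>" lines. A user who gets
// at least threshold prompts inside a sliding window is flagged "push_burst"; an approval
// after that burst escalates it to "approved_after_burst". Per-user lines must be in time order.
func DetectPushBombing(log string, window time.Duration, threshold int) map[string]string {
	sent, alerts := map[string][]time.Time{}, map[string]string{} // prompt times per user; alert per user
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue // malformed line: skip it rather than abort the scan
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		user, event := strings.TrimPrefix(f[1], "user="), strings.TrimPrefix(f[2], "event=")
		switch event {
		case "push_sent":
			r := sent[user]
			for len(r) > 0 && ts.Sub(r[0]) > window { // drop prompts that left the window
				r = r[1:]
			}
			sent[user] = append(r, ts)
			if len(sent[user]) >= threshold && alerts[user] == "" {
				alerts[user] = "push_burst"
			}
		case "push_approved":
			if alerts[user] == "push_burst" {
				alerts[user] = "approved_after_burst"
			}
		}
	}
	return alerts
}
```

Running `DetectPushBombing(sampleLog, time.Minute, 3)` on the sample flags alice as `approved_after_burst` and leaves bob unflagged.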
Like all software, MFA solutions and products are prone to unknown zero-days and unpatched vulnerabilities. For instance, attackers have notoriously exploited the self-enrollment process of applying MFA to Microsoft Azure AD. They simply compromise account credentials and enroll their own devices before legitimate users can. This way, they assume complete control of the victim’s Office 365 accounts. 
Organizations need MFA as part of their cybersecurity strategy. But relying on it as a panacea would be a grave mistake. Organizations still need a comprehensive cybersecurity strategy in addition to a robust technology stack to combat and mitigate threats when MFA fails. 
Here are a few strategies organizations can implement to improve their security posture in the wake of anti-MFA attacks:
Phishing-resistant MFA overcomes most, if not all, flaws and limitations of legacy MFA. Instead of sending secret passwords or OTPs over a network connection, where attackers can simply intercept and replay them, it verifies the user locally through well-implemented public-key cryptography. 
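To show why the local, public-key approach resists interception and replay, here is an added Go example (not the article’s or any vendor’s code) that models the essentials of an origin-bound challenge signature in the style of FIDO2/WebAuthn: the device signs the server’s random challenge together with the origin the browser is actually connected to, so an assertion relayed through a look-alike origin, or a reused challenge, fails verification. The origins, key handling and message layout are simplified assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Assertion is what the authenticator hands back: the origin the browser reported
// and a signature over challenge||origin made with the user's registered key.
type Assertion struct {
	Origin    string
	Signature []byte
}

// signedMessage binds the server's random challenge to the origin the browser is
// actually connected to, so a challenge relayed via a look-alike site signs differently.
func signedMessage(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte(origin))
	return h.Sum(nil)
}

// AuthenticatorSign models the user's device: it signs for the origin the browser
// reports, regardless of which site the user believes they are on.
func AuthenticatorSign(priv ed25519.PrivateKey, challenge []byte, browserOrigin string) Assertion {
	return Assertion{browserOrigin, ed25519.Sign(priv, signedMessage(challenge, browserOrigin))}
}

// RelyingPartyVerify models the genuine site: it recomputes the message with its own
// origin, so a forwarded assertion is rejected whatever Origin field it carries.
func RelyingPartyVerify(pub ed25519.PublicKey, challenge []byte, ownOrigin string, a Assertion) bool {
	return a.Origin == ownOrigin && ed25519.Verify(pub, signedMessage(challenge, ownOrigin), a.Signature)
}

// Scenario runs one legitimate login and one relayed through a look-alike origin
// (both origins are constructed placeholders). Returns (legitimateOK, relayedOK).
func Scenario() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	challenge := make([]byte, 32) // fresh per login attempt, never reused
	rand.Read(challenge)
	genuine := "https://login.example.com"
	legit := RelyingPartyVerify(pub, challenge, genuine, AuthenticatorSign(priv, challenge, genuine))
	// The proxy forwards the same challenge, gets a signature for its own origin,
	// then rewrites the Origin field; it cannot re-sign without the private key.
	relayed := AuthenticatorSign(priv, challenge, "https://login.example.net")
	relayed.Origin = genuine
	return legit, RelyingPartyVerify(pub, challenge, genuine, relayed)
}
```

Contrast this with an OTP, which the server compares as a plain value: a proxy that forwards the typed code verbatim is accepted, whereas here `Scenario()` returns `true, false`.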
Organizations can choose solutions that incorporate a biometric factor into the authentication process. Even if an attacker gains access to a verified device, the additional biometric verification adds another layer of protection against unauthorized access. Bear in mind that even sophisticated MFA solutions are prone to zero-days and insider attacks. 
A zero-trust policy is based on the principle: trust no one; verify everyone. It implements the principle of least privilege, which means users can only access the data and resources they absolutely need to perform their jobs. A zero-trust strategy mitigates the risks associated with MFA hacks by preventing attackers from laterally moving across the network to access other critical assets.
Zero-trust solutions utilize contextual awareness and telemetry data for continuous authentication of users even when they are already inside the corporate network. This means that if an attacker manages to compromise MFA or a malicious insider initiates suspicious activities, the zero-trust model will evaluate their access requests based on contextual data, such as device posture, location, the user’s typical behavioral patterns, and more. It will only be a matter of time before network monitoring generates alerts. 
Employees’ cybersecurity awareness must be an integral, ongoing part of organizations’ overall cybersecurity strategy. With increasing MFA fatigue that compels employees to overlook or get around security policies, it is necessary to educate them about the gravity, prevalence and implications of modern-day cyber threats and the necessity of these seemingly excessive security measures and strict acceptable use policies (AUP).
Phishing has to be one of the most common attack vectors used to bypass MFA. Luckily, even the most legitimate-looking spear-phishing emails will have dead giveaways such as an urgent call-to-action or mismatched URLs. It should become routine for all employees to suspect each email and take safety precautions such as double-checking the sender and verifying URLs. Organizations can achieve such vigilance through continuous training and unannounced simulated phishing exercises. 
MFA is essential. Nevertheless, security teams cannot dismiss the idea of a highly motivated threat actor compromising even the most sophisticated MFA system. Instead of looking for a panacea, organizations need a comprehensive, multi-layered security program that relies on zero-trust access and well-aware, well-trained employees who understand the stakes and act responsibly.
Perry Carpenter is the author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley, 2019). Working with noted hacker Kevin Mitnick, he is Chief Evangelist/Strategy Officer for KnowBe4, developer of security awareness training and simulated phishing platforms with over 30,000 customers and 2 million users. He holds an MS in Information Assurance (MSIA) from Norwich University and is a Certified Chief Information Security Officer (C|CISO).