
3 Commonly Overlooked MFA Weaknesses

What Recent MFA Breaches Remind Us About Secure Authentication

Written by Kate Lake on October 11, 2023


October is Cybersecurity Awareness Month, and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is calling on all of us to “Secure Our World,” with a simple message that calls everyone to action “to adopt ongoing cybersecurity habits and improved online safety behaviors.” This month, the 探花大神 blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals.


, high-privilege accounts from a well-known security vendor have been common targets in a pattern of recent attacks. In these attacks, DarkReading reports, hackers use social engineering to convince support personnel to reset multi-factor authentication (MFA) credentials. (Though not discussed in the report, it should be noted that the attacker has, at this point, already compromised the first authentication factor: the password.) Once the hacker has compromised both a user’s password and their second authentication factor, they can gain access to that user’s accounts.

MFA is increasingly becoming the entry point in malicious attacks, including those that and those that use social engineering to dupe their way in. This trend serves as a stark reminder that, while MFA is drastically more secure than single-factor authentication (i.e., the classic username-password combo), it isn’t a 100% guarantee. When it comes to security, there’s always more that can be done. That’s especially true if there are gaps in MFA coverage.

Worryingly, this could be the first in a new wave of cyberattacks targeting high-privilege users

senior manager of threat research at Critical Start.

3 Commonly Overlooked MFA Weaknesses

These attacks prompt us to consider one of the biggest vulnerabilities in just about any MFA program (the human side of MFA) as well as the limitations of implementing a 2FA program. With that in mind, it’s essential to consider the following when implementing and maintaining an MFA program:

1. The Human Side of MFA 

Social Engineering 

Social engineering is becoming a popular MFA compromise method. More and more frequently, bad actors are finding ways to dupe users into handing over MFA credentials. In the example referenced above, bad actors called tech support pretending to be a user and requested an MFA reset.

In other instances, hackers trick users into approving their login attempt with tactics like push bombing. In this common attack, the bad actor uses a script or a bot to trigger multiple login attempts with stolen or leaked credentials. This sparks a deluge of push notifications to the user’s device; often, the user approves the prompt out of frustration.
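Push bombing leaves a recognizable trace in MFA push logs: a burst of prompts for one user in a short window, a run of denials, and sometimes a final approval. The following detector is an added example (not code from the article or from any vendor's product); the log format and the sample lines are constructed, and the window and prompt thresholds are assumptions to be tuned per environment.

```python
"""Detect push-bombing patterns in MFA push logs.

Added example, not code from the original article. The log format is a
constructed, hypothetical one: ISO timestamp, user, event, source IP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: alice receives a burst of push prompts,
# denies most of them, then approves one; bob shows a normal single login.
SAMPLE_LOG = """\
2023-10-11T01:02:03Z alice push_sent 203.0.113.7
2023-10-11T01:02:05Z alice push_denied 203.0.113.7
2023-10-11T01:02:20Z alice push_sent 203.0.113.7
2023-10-11T01:02:21Z alice push_denied 203.0.113.7
2023-10-11T01:02:40Z alice push_sent 203.0.113.7
2023-10-11T01:02:42Z alice push_denied 203.0.113.7
2023-10-11T01:03:00Z alice push_sent 203.0.113.7
2023-10-11T01:03:05Z alice push_sent 203.0.113.7
2023-10-11T01:03:09Z alice push_approved 203.0.113.7
2023-10-11T09:00:00Z bob push_sent 198.51.100.4
2023-10-11T09:00:07Z bob push_approved 198.51.100.4
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
MAX_PROMPTS = 3                 # more prompts than this per window is suspicious


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def detect_push_bombing(events, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return {user: finding} for every user whose push prompts in some
    sliding window exceed max_prompts. The finding records how many prompts
    were denied and whether one was approved after denials, which is the
    'fatigue' outcome a responder should treat as a likely compromise."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        sends = [e for e in evs if e[2] == "push_sent"]
        for i, start in enumerate(sends):
            burst = [s for s in sends[i:] if s[0] - start[0] <= window]
            if len(burst) <= max_prompts:
                continue
            # Outcomes inside the burst, plus a short grace period for the last reply.
            end = burst[-1][0] + timedelta(seconds=30)
            outcomes = [e[2] for e in evs if start[0] <= e[0] <= end]
            findings[user] = {
                "prompts": len(burst),
                "denials": outcomes.count("push_denied"),
                "approved_after_denials": "push_approved" in outcomes
                                          and "push_denied" in outcomes,
                "source_ips": sorted({s[3] for s in burst}),
            }
            break  # one finding per user is enough to raise an alert
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(user, finding)
```

The `approved_after_denials` flag is the signal worth paging on: a user who denied several prompts and then approved one has most likely been worn down, and the session created by that approval should be revoked and the password rotated.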

Communications and Training

Most companies administer some kind of user training when rolling out an MFA program. However, training for those who support MFA functions is equally important, if not more so. MFA enrollment and resets are typically weak links in the authentication process and are often susceptible to social engineering attacks.

Anyone who has the ability to support MFA enrollment and resets should have clear parameters for verifying someone’s identity before issuing credentials. They should also have enough training to spot common social engineering maneuvers.

In addition, those with privileged credentials should receive rigorous MFA training. This is especially important for executives: although they’re perhaps some of the most targeted and sought-after users, they’re also among the most likely to bypass training or demand circumvention for things like MFA resets. Make sure executives and support staff understand that circumvention is especially dangerous for high-profile users, and ensure they follow the standard pathways for things like MFA resets.

2. Factor Quality and Number

Number of Factors  

“Setting and forgetting” 2FA can still leave the door to attacks slightly ajar. Fortunately, MFA doesn’t have to stop at two factors: every additional MFA factor exponentially increases security. Adding a third factor can help to close the gaps in a classic 2FA method by making it that much harder for an adversary to coordinate their efforts to obtain each necessary factor within the (often) tight time limits available to them.

Quality of Factors

It’s also important to consider which factors you lean on in your program, as some methods of MFA are more secure than others. If a factor’s core job is to assure that the user is who they say they are, then assessing how easily an attacker could forge or intercept that assertion is essential.

For example, a code delivered via SMS is typically considered less secure than a code generated on a user’s device. For one, codes sent through SMS or email often remain valid for extended periods of time, be it ten minutes, 30 minutes, or more! Compared with a TOTP code that is valid for only 30 seconds, that is a far wider window in which an intercepted code can be replayed. What’s more, codes delivered through email or SMS can be obtained if the attacker has access to those accounts, or can be completely faked through social engineering tactics as discussed above.
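The lifetime difference is easiest to see by verifying both kinds of code with the same clock. This added example (not the article's code) implements TOTP per RFC 6238 with a 30-second step and a one-step clock-skew allowance, next to a simple model of a delivered SMS/email code that stays valid for ten minutes; the secret, timestamps and SMS code are constructed test values, and the RFC 4226/6238 test vector checks that the HOTP core is correct.

```python
"""TOTP (RFC 6238) verification versus a long-lived delivered code.

Added example, not code from the original article. The base32 secret,
the SMS code and the timestamps below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import struct

DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"   # constructed demo secret, never reuse
STEP = 30                              # RFC 6238 default time step in seconds
SMS_LIFETIME_S = 600                   # assumed 10-minute lifetime for a delivered code


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, unix_time // step)


def verify_totp(secret_b32: str, code: str, unix_time: int,
                step: int = STEP, skew: int = 1) -> bool:
    """Accept the current step plus/minus `skew` adjacent steps (clock drift).
    compare_digest keeps the comparison constant-time."""
    for offset in range(-skew, skew + 1):
        candidate = totp(secret_b32, unix_time + offset * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def verify_delivered_code(issued_at: int, now: int, expected: str,
                          presented: str, lifetime_s: int = SMS_LIFETIME_S) -> bool:
    """Model of an SMS/email OTP: the same code stays valid for a fixed lifetime."""
    if now - issued_at > lifetime_s:
        return False
    return hmac.compare_digest(expected, presented)


def replay_demo(delay_s: int, now: int = 1_700_000_000) -> dict:
    """Would a code captured `delay_s` seconds ago still be accepted now?"""
    captured_totp = totp(DEMO_SECRET_B32, now - delay_s)
    sms_code = "482913"  # constructed: the code the SMS carried when issued
    return {
        "totp_accepted": verify_totp(DEMO_SECRET_B32, captured_totp, now),
        "sms_accepted": verify_delivered_code(now - delay_s, now, sms_code, sms_code),
    }


if __name__ == "__main__":
    for delay in (0, 300, 900):
        print(f"captured {delay:>3}s ago:", replay_demo(delay))
```

With a 30-second step, a code captured five minutes ago is ten steps stale and fails even with skew allowed, while the ten-minute SMS code is still accepted; only at 15 minutes do both fail. Tightening the skew and rate-limiting verification attempts are the two knobs that keep the TOTP window from quietly widening.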

And of course, users should still follow password best practices to ensure a strong first factor. It is possible to eliminate passwords as a factor in favor of a verified hardware fob or biometric scan, but more often than not, passwords will be a necessary first factor to authenticate. Thus, good password hygiene is intimately connected with the success of MFA.

3. Deployment Strategy 

Context

MFA is intended to act as an additional layer of context added to an authentication attempt. Instead of verifying an individual based solely on what they know (their username and password), this additional factor adds context to the login. In the most direct sense, this context is meant to answer the question: “Is the person logging into this system actually who they claim to be?” But as seen above, this isn’t always so cut and dried.

Instead, this context could be expanded upon to paint a more comprehensive picture of the login attempt. For example, is the person who they say they are, are they logging in from the same location they normally do, and are they logging in at a predictable time? Or is this a 9-5er in the U.S. trying to log in at 1am from a computer in Europe with a valid TOTP?

Context really matters here, and technology can’t always pick up on all the contextual clues a human might. This is why tools like conditional access policies are additional layers that enable us to wrap our MFA with additional contextual information for a clearer picture, and a more accurate ruling on identity verification. For example, you could contextualize an authentication attempt based on important factors like the user’s privilege level, the resource’s sensitivity, and how well the authentication attempt aligns with previous patterns.

Using dynamic groups and attribute-based rules can limit authorization into sensitive resources by creating a least-privilege backstop. Automating entitlement management can limit what an intruder has access to in the event of a breach and protect systems where SSO isn’t an option. It’s not feasible for a person to attest to all privilege changes, but attribute-based access control adds a layer of validation to access requests. It’s another zero trust security concept that complements MFA and conditional access.
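The two ideas in the last two sections, risk-based conditional access on the login and an attribute-based backstop on the resource, fit together as one decision pipeline. The following is an added example (not code from the article or from any vendor's product): a scoring conditional-access policy that weighs location, time of day, factor strength, privilege level and resource sensitivity, followed by an ABAC check that a session which passes authentication still only reaches resources its attributes entitle it to. The user baselines, attributes, policy table and score thresholds are all constructed assumptions; the "9-5er in the U.S. at 1am from Europe with a valid TOTP" case from the text is the `alice`/`DE` scenario.

```python
"""Conditional access (login context) plus ABAC (resource entitlement).

Added example, not the article's or any product's code. Baselines,
attributes, the policy table and thresholds are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class LoginAttempt:
    user: str
    country: str               # country the attempt originates from
    hour_local: int            # hour of day in the user's home time zone
    mfa_method: str            # "fido2", "totp", "push", "sms" or "none"
    resource: str
    resource_sensitivity: str  # "low" or "high"


# Constructed per-user baseline: usual countries, working hours, privilege, attributes.
BASELINES = {
    "alice": {"countries": {"US"}, "hours": range(9, 18), "privilege": "admin",
              "attrs": {"dept": "it", "clearance": "high"}},
    "bob":   {"countries": {"US"}, "hours": range(9, 18), "privilege": "user",
              "attrs": {"dept": "sales", "clearance": "low"}},
}

PHISHING_RESISTANT = {"fido2"}
WEAK_FACTORS = {"sms", "none"}

# Constructed ABAC table: resource -> attributes a subject must carry (all must match).
RESOURCE_POLICY = {
    "hr-database": {"dept": "it", "clearance": "high"},
    "crm": {"dept": "sales"},
}


def risk_score(a: LoginAttempt) -> int:
    """Sum contextual anomalies. Privilege and resource sensitivity add weight
    because a wrong decision there has a larger blast radius."""
    b = BASELINES[a.user]
    score = 0
    if a.country not in b["countries"]:
        score += 2          # unfamiliar location
    if a.hour_local not in b["hours"]:
        score += 1          # outside the user's normal working hours
    if a.mfa_method in WEAK_FACTORS:
        score += 2          # delivered or absent second factor
    if b["privilege"] == "admin":
        score += 1
    if a.resource_sensitivity == "high":
        score += 1
    return score


def conditional_access(a: LoginAttempt) -> str:
    """'allow', 'step_up' (demand a phishing-resistant factor) or 'deny'."""
    s = risk_score(a)
    if s >= 4:
        return "deny"       # even a valid TOTP does not rescue a badly anomalous login
    if s >= 2 and a.mfa_method not in PHISHING_RESISTANT:
        return "step_up"
    return "allow"


def abac_authorize(user: str, resource: str) -> bool:
    """Least-privilege backstop: an authenticated session only reaches resources
    whose required attributes the user's attributes satisfy. Unknown resources
    are denied by default."""
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        return False
    attrs = BASELINES[user]["attrs"]
    return all(attrs.get(k) == v for k, v in required.items())


def decide(a: LoginAttempt) -> str:
    """Full pipeline: authentication context first, then resource entitlement."""
    auth = conditional_access(a)
    if auth != "allow":
        return auth
    return "allow" if abac_authorize(a.user, a.resource) else "deny_authz"


if __name__ == "__main__":
    # Constructed scenario from the text: US 9-to-5 admin, 1am, Europe, valid TOTP.
    print(decide(LoginAttempt("alice", "DE", 1, "totp", "hr-database", "high")))
```

Two design points are worth noting. The ABAC check runs even when authentication is clean, so a compromised but non-privileged account cannot reach a sensitive resource on the strength of a valid MFA alone; and the score thresholds are deliberately coarse so that the policy is readable and auditable, which matters more than fine-grained precision when a human has to explain a denial.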

Strengthen Your MFA Security 

In security, nothing can ever be 100% secure. As MFA shows us, security is stronger with more layers. Layering your security strategy as a whole can help strengthen your security posture despite inherent weaknesses. Learn more about strengthening your security posture in the whitepaper, How to Secure Your SME with 探花大神 and CrowdStrike.

Kate Lake

Kate Lake is a Senior Content Writer at 探花大神, where she writes about 探花大神’s cloud directory platform and trends in IT, technology, and security. She holds a Bachelors in Linguistics from the University of Virginia and is driven by a lifelong passion for writing and learning. When she isn't writing for 探花大神, Kate can be found traveling, exploring the outdoors, or quoting a sci-fi movie (often all at once).
