Sunday, May 4, 2025

Multi-factor authentication alone does not protect organizations

The contribution below is from an external party. The editors are not responsible for the information provided.

Blog – Multi-factor authentication (MFA) is one of the tools of modern cyber security. In recent years, that security method has grown into a more advanced tool. But it is not only cyber security products that are developing: the attack methods of cyber criminals are also becoming increasingly refined. This also applies to the methods for bypassing MFA.

Although malicious actors are able to circumvent MFA, the idea persists that MFA is almost perfect. However, research shows that in almost half of all account takeovers, the cyber criminals had managed to bypass the authentication method. Nevertheless, just over eighty percent of Dutch cyber security professionals believe that MFA offers complete protection against account takeover. So there is a mismatch.

What does help with limiting MFA bypass is a robust defense-in-depth approach. This layered approach both reduces the chance of a significant breach and limits the consequences of an account takeover.

Six forms

MFA is effective because users verify themselves in multiple ways. It combines something the user knows (often the password) with something they have, such as an authentication app or token, or something they are, such as their face. That all sounds very safe. Yet threat actors know how to circumvent this method, and many of their tactics are advanced. These are the six most popular forms:

  • Phishing attacks
    Cyber criminals trick users into entering their MFA code or login credentials on fake websites that are under the attackers' control.
  • MFA fatigue
    Malicious actors have already obtained the password. They then start sending MFA push notifications with the aim of causing confusion. The notifications only stop when the access request is approved.
  • Session hijacking
    Cyber criminals steal session cookies after authentication. This renders the preceding MFA verification meaningless.
  • SIM swapping
    This technique undermines SMS-based multi-factor verification by transferring the victim's telephone number to the attacker. For this method to succeed, the threat actor must social engineer the mobile provider or have an insider there.
  • Social engineering
    Most organizations allow remote employees to reset their passwords and MFA configurations without being physically present. That is all fine, provided the organization has proper identity verification. Without the correct verification methods, IT support may unknowingly hand the credentials of an impersonated employee to a cyber criminal.
  • Adversary-in-the-middle attacks
    Attacker tools, such as the specialized phishing kit Evilginx, intercept session tokens. They then pass these tokens to legitimate services, which grant the attackers access.

MFA undoubtedly adds a valuable layer to the security of user authentication and makes breaking in more difficult for threat actors. Yet relying on a single defense method remains risky, especially now that cyber criminals manage to bypass MFA. In fact, this security method should only be one part of a larger security program, because it is not a definitive defense. The core of defense-in-depth is that implementing extra security layers reduces the chance of a successful attack, even if malicious parties break through one layer.

Such a defense-in-depth approach includes several overlapping security measures, resulting in redundancy. It also reduces the opportunities for an attacker to exploit vulnerabilities.

Six tips

Organizations can strengthen their defense against circumventing MFA with the following six tips:

  • Strengthen endpoint security
    Identify and limit unauthorized access at host level with Endpoint Detection & Response (EDR) tools.
  • Invest in protection against credential phishing
    Most threat actors prefer targeted, socially engineered phishing attacks to harvest users' credentials. By investing in credential phishing protection, organizations protect both themselves and their employees.
  • Provide phishing-resistant MFA
    Switch to more advanced MFA methods, such as hardware security keys (FIDO2) or biometrics. These are less susceptible to phishing and MFA bypass attacks.
  • Implement tools against account takeovers
    Deploy methods that detect, investigate and automatically respond to account takeovers in the cloud. This ensures that the attack is stopped before any damage is done.
  • Increase the awareness of employees
    Employees are a major weak link in organizations, often without knowing it. Train employees to recognize phishing attempts and other social engineering techniques aimed at their MFA credentials. In this way, organizations not only increase the cyber security awareness of employees, they also limit the chance of successful attacks.
  • Make a plan for incident response and recovery
    Organizations are wise to prepare for the worst-case scenario. A well-defined incident response plan supports the rapid revocation of access tokens and the investigation of suspicious logins.
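As an added illustration of the account-takeover detection tip above and of the MFA fatigue and session hijacking forms described earlier (example code written for this post, not a Proofpoint tool), the following Python runs two simple detection rules over constructed sign-in events: a burst of push prompts that ends in an approval, and a session id used from a different IP than the one that completed login. Event names, IP addresses, the window and the threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, user, event, source_ip, session_id)
EVENTS = [
    ("2025-05-04T08:00:00", "alice", "mfa_push_sent", "203.0.113.5", None),
    ("2025-05-04T08:00:30", "alice", "mfa_push_sent", "203.0.113.5", None),
    ("2025-05-04T08:01:00", "alice", "mfa_push_sent", "203.0.113.5", None),
    ("2025-05-04T08:01:30", "alice", "mfa_push_sent", "203.0.113.5", None),
    ("2025-05-04T08:02:20", "alice", "mfa_push_approved", "203.0.113.5", None),
    ("2025-05-04T08:02:25", "alice", "login_success", "203.0.113.5", "sess-a1"),
    ("2025-05-04T08:05:00", "alice", "session_use", "203.0.113.5", "sess-a1"),
    ("2025-05-04T09:00:00", "bob", "mfa_push_sent", "198.51.100.7", None),
    ("2025-05-04T09:00:10", "bob", "mfa_push_approved", "198.51.100.7", None),
    ("2025-05-04T09:00:12", "bob", "login_success", "198.51.100.7", "sess-b1"),
    ("2025-05-04T09:20:00", "bob", "session_use", "192.0.2.9", "sess-b1"),
]

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Users who approved a push after >= threshold prompts within `window` (assumed heuristic)."""
    per_user = defaultdict(list)
    for ts, user, ev, _ip, _sid in events:
        if ev in ("mfa_push_sent", "mfa_push_approved"):
            per_user[user].append((datetime.fromisoformat(ts), ev))
    hits = set()
    for user, evs in per_user.items():
        evs.sort()
        for i, (t_ok, ev) in enumerate(evs):
            if ev != "mfa_push_approved":
                continue
            # count prompts sent in the window before this approval
            recent = [t for t, e in evs[:i] if e == "mfa_push_sent" and t_ok - t <= window]
            if len(recent) >= threshold:
                hits.add(user)
    return hits

def detect_session_hijack(events):
    """Session ids later used from an IP other than the one that completed login."""
    origin, hits = {}, set()
    for _ts, _user, ev, ip, sid in sorted(events, key=lambda e: e[0]):
        if sid is None:
            continue
        if ev == "login_success":
            origin[sid] = ip           # IP that passed MFA and established the session
        elif ev == "session_use" and sid in origin and origin[sid] != ip:
            hits.add(sid)              # token replayed from elsewhere: candidate hijack
    return hits
```

In the sample data, alice's four prompts followed by an approval are flagged as fatigue and bob's session id reused from a new IP is flagged as a candidate hijack, while ordinary logins are not.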

Dynamic

The fight against MFA bypass tactics reflects the dynamic nature of current cyber threats. A defense-in-depth strategy limits the impact even when one security layer in the organization fails, and thus prevents further damage. It therefore helps organizations avoid a great deal of harm. Cyber criminals have increasingly advanced attack methods. By applying advanced, proactive security measures, an organization stays one step ahead and reduces the attackers' chance of success. And that is what we want.

Siegfried Huijgen is a cyber security expert at Proofpoint
