This is part three of our MFA blog post series for Cybersecurity Awareness Month. You can read up on blog post one here and blog post two here.

As we have seen, organizations have moved on from passwords to multi-factor authentication (MFA) to ensure better security for their users. But just adding basic MFA will not stop bad actors from penetrating your defenses. As we read in blog two here, not all MFA authenticators offer the same level of security or assurance.

If you have been following the news, you may have read about this recent breach involving compromised credentials and an MFA prompt bombing attack. Let us break down this attack using the cyber kill chain to see what the attacker did in each stage.

Breaking down the attack

Recon, Weaponize, and Delivery – The employee credentials and other contact details were compromised using a social engineering attack. These credentials were purchased by the attacker who then breached the organization’s defense. The attacker authenticated into the employee’s account using the compromised credentials, triggering an MFA via a mobile push notification. The attacker spammed the employee with a few push notifications and then posed as an IT department colleague asking the employee to accept the push notification to make the notifications stop.

Exploit and Install – Once the employee accepted the MFA prompt, the attacker gained access to the network via VPN and soon found a shell script with hard coded admin credentials for a privileged access management (PAM) solution. With these new credentials and having access to the network via VPN, the attacker had access to multiple resources and services to establish persistence within the network.

Callback and Persist – Next the attacker exfiltrated critical and confidential data from the systems.

Now that we have explored the steps of the attack chain from the lens of the attacker, let us see how organizations can better secure their environment using an Identity and Access Management Platform with strong adaptive MFA and high assurance passwordless login to reduce the attack surface and mitigate these attacks.

Breaking down the attack

Recon, Weaponize, and Delivery The first step in defense during the early kill chain to is to eliminate passwords from your environment. Choosing a true passwordless option ensures greater security and reduces the attack surface. Other critically important actions that offer better protection and lower the risk of a compromise include:

  • The ability to detect user contact information changes
  • Changes to when and where a user logs in
  • Enforcing step-up authentication with higher assurance passwordless options like FIDO2 keys or mobile smart credentials

Exploit and Install In addition to strong MFA and high assurance passwordless options, organizations should consider adopting adaptive risk-based authentication to evaluate risk of a user during login. This can be done using various environmental factors such as IP address, geo-location, velocity, time of day/day of week, etc. This additional layer not only improves security but also improves the user experience by only adding friction when necessary due to the risk level of the user authenticating to a resource at a particular time rising above the set threshold.

In addition, securing high-risk systems and users like a privileged access management (PAM) tool with a passwordless MFA solution ensures better protection against escalated privilege access and lateral movement if an attacker gets access to your network.

Another aspect to pay attention to especially in larger enterprises where a multitude of Windows-based servers and desktops exist along with shared drives on these servers running scripts containing API secrets, keys, etc. is to add a layer of protection with MFA for these on-premises devices.

Callback and Persist It is equally important to incorporate continuous monitoring for user and entity behavior changes to identify potential threats. These can include behavioral biometrics, behavioral analytics, threat intelligence, malware inspection, and more to continuously evaluate user behavior to identify account takeover (ATO) or insider threats.

To learn more about how Entrust can enable your organization to adopt a strong defense against common Identity-based cyberattacks, visit our MFA solution page.