October is Cybersecurity Awareness Month, and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is calling on all of us to “Secure Our World,” with a simple message that calls everyone to action “to adopt ongoing cybersecurity habits and improved online safety behaviors.” This month, the JumpCloud blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals.
According to DarkReading, high-privilege accounts from a well-known security vendor have been common targets in a pattern of recent attacks. In these attacks, DarkReading reports, hackers use social engineering to convince support personnel to reset multi-factor authentication (MFA) credentials. (Though not discussed in the report, it should be understood that by this point the attacker has already compromised the first authentication factor: the password.) Once the hacker has compromised both a user’s password and their second authentication factor, they can gain access to their accounts.
MFA is increasingly becoming the entry point in malicious attacks, including those that exploit MFA fatigue and those that use social engineering to dupe their way in. This trend serves as a stark reminder that, while MFA is drastically more secure than single-factor authentication (i.e., the classic username-password combo), it isn’t a 100% guarantee. When it comes to security, there’s always more that can be done. That’s especially true if there are gaps in MFA coverage.
“Worryingly, this could be the first in a new wave of cyberattacks targeting high-privilege users.”
– Callie Guenther, senior manager of threat research at Critical Start
3 Commonly Overlooked MFA Weaknesses
These attacks prompt us to consider one of the biggest vulnerabilities in just about any MFA program (the human side of MFA) as well as the limitations of implementing a 2FA program. With that in mind, it’s essential to consider the following when implementing and maintaining an MFA program:
1. The Human Side of MFA
Social Engineering
Social engineering is becoming a popular MFA compromise method. More and more frequently, bad actors are finding ways to dupe users into handing over MFA credentials. In the example referenced above, bad actors called tech support pretending to be a user and requested an MFA reset.
In other instances, hackers trick users into approving their login attempt with tactics like push bombing. In this common attack, the bad actor uses a script or a bot to trigger multiple login attempts with stolen or leaked credentials. This sparks a deluge of push notifications to the user’s device; often, the user approves the prompt out of frustration.
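The push-bombing pattern described above leaves a recognizable trace in identity provider logs: a burst of push prompts for one user in a short window, usually with rejections or timeouts before the eventual approval. The following detection logic is an added example, not JumpCloud code; the log format and field names are constructed assumptions rather than any vendor’s real schema, and the sample lines are made up to illustrate the pattern.

```python
"""Flag MFA push bombing from authentication logs (added example).

The log lines below are constructed: "<timestamp> <user> <event> <source ip>".
Event names (push_sent, push_rejected, push_timeout, push_approved) are
assumptions, not a real identity provider's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice is bombarded with prompts and finally approves;
# bob is a normal single prompt followed by approval.
SAMPLE_LOG = """\
2023-10-03T01:02:05Z alice push_sent 203.0.113.7
2023-10-03T01:02:06Z alice push_rejected 203.0.113.7
2023-10-03T01:02:20Z alice push_sent 203.0.113.7
2023-10-03T01:02:21Z alice push_timeout 203.0.113.7
2023-10-03T01:02:40Z alice push_sent 203.0.113.7
2023-10-03T01:02:55Z alice push_sent 203.0.113.7
2023-10-03T01:03:10Z alice push_sent 203.0.113.7
2023-10-03T01:03:15Z alice push_approved 203.0.113.7
2023-10-03T09:00:00Z bob push_sent 198.51.100.4
2023-10-03T09:00:08Z bob push_approved 198.51.100.4
"""


def parse(log_text):
    """Turn log lines into (timestamp, user, event, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def detect_push_bombing(events, window=timedelta(minutes=5), threshold=3):
    """Return {user: finding} for every user with at least `threshold`
    push_sent events inside a sliding `window`. The finding records how many
    prompts were refused or ignored and whether an approval followed, which
    is the signal that the fatigue tactic may have worked."""
    by_user = defaultdict(list)
    for ts, user, event, ip in events:
        by_user[user].append((ts, event, ip))

    findings = {}
    for user, evs in by_user.items():
        evs.sort()
        sends = [ts for ts, ev, _ in evs if ev == "push_sent"]
        for i, start in enumerate(sends):
            burst = [t for t in sends[i:] if t - start <= window]
            if len(burst) < threshold:
                continue
            refused = sum(1 for ts, ev, _ in evs
                          if ev in ("push_rejected", "push_timeout") and ts >= start)
            approved = any(ev == "push_approved" and ts >= start for ts, ev, _ in evs)
            findings[user] = {
                "prompts": len(burst),
                "first_prompt": start,
                "refused_or_timed_out": refused,
                "approved_after_burst": approved,
                "source_ips": sorted({ip for _, _, ip in evs}),
            }
            break  # one finding per user is enough for an alert
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_bombing(parse(SAMPLE_LOG)).items():
        print(user, finding)
```

A finding with `approved_after_burst` set is the case to treat as a probable compromise and to act on (session revocation, credential reset through the verified support path). The same counter, applied in real time, is also the basis for rate-limiting prompts or switching the user to number matching so that a blind approval is no longer possible.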
Communications and Training
Most companies administer some kind of user training when rolling out an MFA program. However, training for those who support MFA functions is equally important, if not more so. MFA enrollment and resets are typically weak links in the authentication process and are often susceptible to social engineering attacks.
Anyone who has the ability to support MFA enrollment and resets should have clear parameters for verifying someone’s identity before issuing credentials. They should also have enough training to spot common social engineering maneuvers.
In addition, those with privileged credentials should receive rigorous MFA training. This is especially important for executives: although they’re perhaps some of the most targeted and sought-after, they’re also among the most likely to bypass training or demand circumvention for things like MFA resets. Make sure executives and support staff understand that circumvention is especially dangerous for high-profile users, and ensure they follow the traditional pathways for things like MFA resets.
2. Factor Quality and Number
Number of Factors
“Setting and forgetting” 2FA can still leave the door to attacks slightly ajar. Fortunately, MFA doesn’t have to stop at two factors: every additional MFA factor exponentially increases security. Adding a third factor can help to close the gaps in a classic 2FA method by making it that much harder for an adversary to coordinate their efforts to obtain each necessary factor in the (often) tight time limits available to them.
Quality of Factors
It’s also important to consider which factors you lean on in your program, as some methods of MFA are more secure than others. If a factor’s core job is to assure that the user is who they say they are, then vetting the ability to challenge that assertion is essential.
For example, a code delivered via SMS is typically considered less secure than a code generated on a user’s device. For one, codes sent through SMS or email often remain valid for extended periods of time, be it ten minutes, 30 minutes, or more! Compared with a TOTP code, which is only valid for about 30 seconds, that is a far longer window in which an intercepted code can still be used. What’s more, codes delivered through email or SMS can be obtained if the attacker has access to those accounts, or can be completely faked through social engineering tactics as discussed above.
And of course, users should still follow password best practices to ensure a strong first factor. It is possible to eliminate passwords as a factor in favor of a verified hardware fob or biometric scan, but more often than not, passwords will be a necessary first factor to authenticate. Thus, good password hygiene is intimately connected with the success of MFA.
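To make the lifetime comparison above concrete, here is a small TOTP implementation following RFC 6238 (HOTP per RFC 4226 underneath), written as an added example rather than code from the article or from JumpCloud. It uses the RFC’s published SHA-1 test-vector secret so the output can be checked against the RFC, and the `skew` parameter and the email-code comparison at the end are assumptions chosen to illustrate how much longer a long-lived code stays usable.

```python
"""TOTP (RFC 6238) with a 30-second step, and the validity window that
results. Added example; RFC_SECRET is the RFC 4226/6238 test-vector secret."""
import hashlib
import hmac
import struct

RFC_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 (SHA-1) test secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    then dynamic truncation to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Accept the current step plus `skew` steps either side to tolerate
    clock drift. Comparison is constant-time to avoid leaking digit matches."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-skew, skew + 1))


def validity_window_seconds(step: int, skew: int = 1) -> int:
    """Longest time a single code can be accepted under these settings."""
    return step * (2 * skew + 1)


if __name__ == "__main__":
    # RFC 6238 Appendix B: T=59 -> 8-digit SHA-1 TOTP "94287082"
    print(totp(RFC_SECRET, 59, digits=8))
    code = totp(RFC_SECRET, 59)
    print(verify_totp(RFC_SECRET, code, now=89))   # still inside the skew window
    print(verify_totp(RFC_SECRET, code, now=90))   # expired
    # A 30 s TOTP with one step of skew is usable for at most 90 s; an emailed
    # code with a ten-minute lifetime (assumed) is usable for 600 s.
    print(validity_window_seconds(30), validity_window_seconds(600, skew=0))
```

The skew setting is the verifier’s own choice and is worth reviewing: each extra step of tolerance widens the window in which a phished code remains good, so keep it at the smallest value your users’ clock drift actually requires.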
3. Deployment Strategy
Context
MFA is intended to act as an additional layer of context added to an authentication attempt. Instead of verifying an individual based solely on what they know (their username and password), this additional factor adds context to the login. In the most direct sense, this context is meant to answer the question: “Is the person logging into this system actually who they claim to be?” But as seen above, this isn’t always so cut and dried.
Instead, this context could be expanded upon to paint a more comprehensive picture of the login attempt. For example, is the person who they say they are, and are they logging in from the same location they normally do, and are they logging in from a predictable time? Or is this a 9-5er in the U.S. trying to log in at 1am from a computer in Europe with a valid TOTP?
Context really matters here, and technology can’t always pick up on all the contextual clues a human might. This is why tools like conditional access policies are additional layers that enable us to wrap our MFA with additional contextual information for a clearer picture — and a more accurate ruling on identity verification. For example, you could contextualize an authentication attempt based on important factors like the user’s privilege level, the resource’s sensitivity, and how well the authentication attempt aligns with previous patterns.
Using dynamic groups and attribute-based rules can limit authorization into sensitive resources by creating a least-privilege backstop. Automating entitlement management can limit what an intruder has access to in the event of a breach and protect systems where SSO isn’t an option. It’s not feasible for a person to attest to all privilege changes, but attribute-based access control adds a layer of validation to access requests. It’s another zero trust security concept that complements MFA and conditional access.
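The two ideas in this section, contextual conditional access on the login and attribute-based entitlements on the resource, fit together as one decision pipeline. The following is an added example of such a pipeline, not JumpCloud’s policy engine or any product’s API: the signal names, the scoring rules, the group rules and the sample users and resources are all constructed assumptions. It reproduces the scenario in the text (a U.S. 9-to-5 user at 1 a.m. from Europe with a valid TOTP) and shows that a valid second factor alone does not earn an “allow”.

```python
"""Conditional access with context, then attribute-based authorization.
Added example; all names, rules and thresholds are constructed."""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    privilege: str          # "standard" or "admin"  (assumed attribute)
    department: str
    usual_countries: set    # where this user normally logs in from
    usual_hours: tuple      # (start, end) local working hours


@dataclass
class LoginAttempt:
    user: User
    country: str
    local_hour: int
    totp_valid: bool        # result of the second-factor check


# Constructed catalogue: resource sensitivity and the groups entitled to it.
RESOURCES = {
    "wiki":         {"sensitivity": "low",  "groups": {"all-staff"}},
    "payroll-db":   {"sensitivity": "high", "groups": {"finance-readers"}},
    "prod-servers": {"sensitivity": "high", "groups": {"prod-admins"}},
}

# Dynamic group membership derived from attributes, not maintained by hand.
GROUP_RULES = {
    "all-staff":       lambda u: True,
    "finance-readers": lambda u: u.department == "finance",
    "prod-admins":     lambda u: u.privilege == "admin" and u.department == "engineering",
}


def evaluate_login(attempt: LoginAttempt, resource_sensitivity: str):
    """Conditional access: returns ('allow' | 'step_up' | 'deny', reasons).
    A valid TOTP is required but not sufficient; location, time, privilege
    level and resource sensitivity shape the ruling."""
    if not attempt.totp_valid:
        return "deny", ["invalid_factor"]
    reasons = []
    if attempt.country not in attempt.user.usual_countries:
        reasons.append("unusual_location")
    start, end = attempt.user.usual_hours
    if not start <= attempt.local_hour < end:
        reasons.append("unusual_time")
    elevated = attempt.user.privilege == "admin" or resource_sensitivity == "high"
    if len(reasons) >= 2 and elevated:
        return "deny", reasons                       # off-pattern AND high stakes
    if reasons or elevated:
        return "step_up", reasons or ["elevated_context"]  # e.g. require a hardware key
    return "allow", reasons


def dynamic_groups(user: User):
    return {g for g, rule in GROUP_RULES.items() if rule(user)}


def authorized(user: User, resource: str) -> bool:
    """ABAC backstop: entitlement follows from attributes via dynamic groups."""
    return bool(dynamic_groups(user) & RESOURCES[resource]["groups"])


def request_access(attempt: LoginAttempt, resource: str):
    """Full decision: contextual login check, then least-privilege entitlement."""
    decision, reasons = evaluate_login(attempt, RESOURCES[resource]["sensitivity"])
    if decision == "deny":
        return decision, reasons
    if not authorized(attempt.user, resource):
        return "deny", reasons + ["no_entitlement"]
    return decision, reasons


# Constructed sample users
ALICE = User("alice", "standard", "finance", {"US"}, (9, 17))
CAROL = User("carol", "admin", "engineering", {"US"}, (9, 17))

if __name__ == "__main__":
    # The article's scenario: valid TOTP, but 1 a.m. from Europe for a U.S. 9-5 user.
    print(request_access(LoginAttempt(ALICE, "DE", 1, True), "payroll-db"))
    print(request_access(LoginAttempt(ALICE, "US", 10, True), "payroll-db"))
    print(request_access(LoginAttempt(ALICE, "US", 10, True), "prod-servers"))
```

The order matters for containment: even when a login clears the contextual check, the attribute-derived entitlement decides what the session can reach, so a compromised standard account cannot be steered at production systems regardless of how convincing the login looked.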
Strengthen Your MFA Security
In security, nothing can ever be 100% secure. As MFA shows us, security is stronger with more layers. Layering your security strategy as a whole can help strengthen your security posture despite inherent weaknesses. Learn more about strengthening your security posture in the whitepaper, How to Secure Your SME with JumpCloud and CrowdStrike.