Modernizing our approach to MFA

Overview

Traditional passwords haven't been sufficient to protect accounts and assets for some time now. From simple brute-force attacks to spear phishing and pharming, threat actors keep developing novel methods of credential theft to add to a toolbox of tried-and-true approaches. Alex Weinert, Microsoft's Group Program Manager for Identity Security and Protection, has stated that MFA, when deployed properly, blocks more than 99.9% of automated account-compromise attacks.

That sounds great, right? The key, though, is ensuring that we not only deploy MFA soundly from a technical standpoint, but also back it with the policies, training, and processes needed to report, investigate, and respond to anomalous or malicious MFA attempts. In short, MFA can't just be a technology we deploy to check a box.

More than a feeling checkbox

While most organizations fully recognize the importance of MFA, many forgo the training, processes, and policies that should go hand in hand with a well-implemented solution. As a consultant I've been called in to assist companies that deployed MFA on their own and, after a security event, asked "Why didn't MFA help us here?!" In most cases the audit logs show that MFA worked exactly as designed: the affected employee simply approved a malicious request without stopping to consider its validity or source.

When we deploy MFA solutions, comprehensive training must be rolled out alongside the technology. When challenged for MFA, team members need to stop and ask themselves, "Did I just take an action that would normally trigger an MFA prompt?" If the answer is no, or "I'm not sure," the prompt should be denied, and there must be a policy to notify information security for additional review. If security determines that the request is malicious, or that the user is actively being targeted by an adversary, a pre-defined playbook should be followed to protect the account. Appropriate actions can include password rotation together with revocation of the user's existing sessions and refresh tokens (rotating the password alone does not end a session the attacker already holds), tightening the conditional access policy that applies to the user, additional education, and enhanced monitoring.

Picking strong authentication methods

When evaluating MFA policies, it's important to pick strong authentication factors. If you haven't looked into passwordless yet, you should: not only can passwordless be an extremely strong authentication factor, it can also reduce employee downtime due to account lockout and make accounts harder to phish. That said, not all industry and compliance standards accept passwordless as an option (PCI DSS, I'm looking at you here), and in those cases picking strong MFA methods is even more important. Personally, I prefer methods that require you to carry information from one system or device to another. The best option available through Azure AD MFA right now is number matching with additional context (application name and sign-in location) in the notification. This is a relatively new offering that reached general availability last summer.

As the screenshot above shows, the Authenticator app on my phone displays context about the sign-in requesting MFA: the username, the SSO application being signed into, and location data. Location is derived from the public IP address of the device that is signing in, so it is approximate and can be misleading when that device sits behind a VPN or proxy. Number matching can be used as an MFA method on its own, or combined with a biometric gesture and enabled for passwordless phone sign-in with Microsoft Authenticator. This, or a code that has to be typed from one device into another (SMS or OTP), makes it much harder to inadvertently approve a malicious MFA request, because you have to be able to see the screens of both the device signing in and the device validating. Phone-call or other "tap to approve" methods do not provide the same safeguard against fatigue attacks. Two caveats apply: SMS codes remain exposed to SIM swapping and to real-time phishing relays, and any typed code, hardware OTP tokens with rolling codes included, can be captured and forwarded by a phishing page (more on that in the bypass section below). FIDO2 security keys are the phishing-resistant option here, because the credential is bound to the legitimate site's origin and a look-alike page cannot complete the ceremony.

For additional information on how Microsoft ranks sign-in methods, see the chart below. Microsoft has also released into public preview the ability to use authentication strength in conditional access policies, so that access to applications containing sensitive or confidential data can be restricted to sign-ins that meet a defined strength (for example, phishing-resistant MFA only).

What’s the frequency, Kenneth?

On top of the methods we use for MFA, how often we require MFA challenges is also an important decision. We obviously need to meet any external regulatory or compliance requirements or guidelines, but it's also important to check with your cyber insurance carrier to make sure you are meeting their conditions as well.

With MFA we must be careful not to cause MFA fatigue by requesting validation too often. People develop muscle memory when approvals happen too frequently, and they stop thinking critically about whether the prompt is valid. Additionally, when security is too aggressive, people start looking for ways to circumvent it. In 2019 a website, Dontduo.com, popped up that would automatically approve all of your Duo MFA requests. Cisco eventually had the site shut down, but it is an excellent reminder of the lengths team members will go to when we push the security pendulum too far toward lockdown.

Azure AD MFA can be set to "remember" a device once it has completed MFA and not prompt again for a specified number of days. This is a great way to reduce the frequency of MFA prompts. Keep in mind that this applies per browser on a given device, so a user who chooses to be remembered and then signs in from a new device (or a fresh browser profile) will still be prompted. The setting is also overridden by a sign-in risk policy: we can remember MFA but still require a step-up on anomalous sign-ins, or on ones that originate from IP addresses known to be VPN/Tor egress nodes or associated with previous malicious activity. Conditional access can augment this further with a sign-in frequency control that always requires fresh MFA when signing into applications that contain sensitive data.

MFA bypass attacks and you!

We’ve now talked about the how and the how often of MFA, which leads us to the exciting conclusion: MFA bypass attacks, and how threat actors target logins protected by MFA.

Cozy Bear (also known as Nobelium, APT29, and The Dukes) is an elite group that works for Russia’s Foreign Intelligence Service (SVR) and was behind the SolarWinds supply-chain compromise. Lapsus$, an unrelated extortion group, used the same MFA-fatigue technique in its 2022 intrusions. Looking at Mandiant’s postmortem of the APT29 activity, we can see how the threat actor compromised accounts protected by MFA by sending high volumes of push requests, sometimes late at night or at otherwise inconvenient times:

“Mandiant has also observed the threat actor executing multiple authentication attempts in short succession against accounts secured with multi-factor authentication (MFA). In these cases, the threat actor had a valid username and password combination. Many MFA providers allow users to accept a phone app push notification or to receive a phone call and press a key as a second factor. The threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”

We saw the same thing in the breach at Uber last fall. First, a contractor’s credentials were purchased on the dark web (ask us about Azure AD Identity Protection and how to combat this), and then MFA fatigue was leveraged to gain access to critical systems.

This sort of MFA bombing is not new, but it is becoming more common. The flip side of the attack is more subtle: instead of many prompts at once, attackers sometimes sneak one or two in each day during normal working hours. This is harder to detect, and an associate is more likely to assume the prompt is legitimate. Either way, the audit trail has the same shape: repeated MFA challenges for one account from a source IP address that the user's own devices never sign in from, with prompts declined or timing out until one is finally approved.
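Both patterns can be caught in the sign-in logs. What follows is an added example written for this article, not code from the original post: a small Python detector run over a constructed set of MFA challenge outcomes. The record layout (timestamp, user, source IP, push result) is a simplification of what Azure AD sign-in logs carry rather than the real schema, and the window, threshold, and lookback values are assumptions to tune for your own tenant.

```python
"""MFA push-bombing and low-and-slow push abuse detector (added example).
Records are constructed and use a simplified layout, not the real sign-in log schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, user, source IP of the sign-in, push outcome).
# Outcomes: "approved", "denied" (user tapped deny), "timeout" (never answered).
SAMPLE_LOG = [
    ("2023-03-01T23:41:02Z", "alice", "198.51.100.7", "denied"),    # burst starting 23:41
    ("2023-03-01T23:41:35Z", "alice", "198.51.100.7", "timeout"),
    ("2023-03-01T23:42:10Z", "alice", "198.51.100.7", "denied"),
    ("2023-03-01T23:43:01Z", "alice", "198.51.100.7", "timeout"),
    ("2023-03-01T23:44:20Z", "alice", "198.51.100.7", "approved"),  # fatigue succeeds
    ("2023-03-01T09:00:00Z", "bob",   "203.0.113.9",  "approved"),  # bob's own laptop
    ("2023-03-02T10:15:00Z", "bob",   "203.0.113.9",  "approved"),
    ("2023-03-02T10:15:00Z", "bob",   "192.0.2.44",   "timeout"),   # one stray prompt a day
    ("2023-03-03T14:02:00Z", "bob",   "192.0.2.44",   "denied"),
    ("2023-03-06T11:30:00Z", "bob",   "192.0.2.44",   "timeout"),
    ("2023-03-07T15:45:00Z", "bob",   "192.0.2.44",   "denied"),
    ("2023-03-01T08:55:00Z", "carol", "203.0.113.10", "approved"),  # normal user
    ("2023-03-02T08:57:00Z", "carol", "203.0.113.10", "approved"),
]
FAILURE_RESULTS = {"denied", "timeout"}


def parse(records):
    """Turn raw tuples into dicts with a real datetime for window arithmetic."""
    return [{"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
             "user": user, "ip": ip, "result": result}
            for ts, user, ip, result in records]


def detect_push_bombing(events, window=timedelta(minutes=10), threshold=3):
    """Flag users who got >= threshold declined/unanswered pushes inside one window.
    Also records whether an approval followed inside that window, the classic
    sign that the user finally tapped 'approve' to make the prompts stop."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] in FAILURE_RESULTS]
        for i, start in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - start["ts"] <= window]
            if len(burst) >= threshold:
                approved_after = any(
                    e["result"] == "approved"
                    and start["ts"] <= e["ts"] <= start["ts"] + window
                    for e in evs)
                alerts[user] = {"prompts": len(burst), "first_seen": start["ts"],
                                "approved_after_burst": approved_after}
                break
    return alerts


def detect_low_and_slow(events, min_days=3, lookback=timedelta(days=14)):
    """Flag (user, ip) pairs that produced declined/unanswered pushes on at least
    min_days distinct days within the lookback and never an approval: an IP that
    keeps asking but never gets in is not one of the user's own devices."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["user"], e["ip"])].append(e)
    alerts = {}
    for pair, evs in by_pair.items():
        if any(e["result"] == "approved" for e in evs):
            continue
        latest = max(e["ts"] for e in evs)
        days = {e["ts"].date() for e in evs
                if e["result"] in FAILURE_RESULTS and latest - e["ts"] <= lookback}
        if len(days) >= min_days:
            alerts[pair] = sorted(days)
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for user, a in detect_push_bombing(events).items():
        print(f"push bombing: {user} got {a['prompts']} prompts from {a['first_seen']}, "
              f"approved afterwards: {a['approved_after_burst']}")
    for (user, ip), days in detect_low_and_slow(events).items():
        print(f"low-and-slow: {user} from {ip} prompted on {len(days)} days, never approved")
```

On the sample, the burst detector fires only for alice (four prompts in under ten minutes, followed by an approval), while the low-and-slow detector fires only for bob's unfamiliar IP, which prompted on four separate days and never succeeded. An approval inside a burst is the case to treat as an incident rather than a warning, since the playbook above (revoke sessions, rotate the password, tighten conditional access) needs to run before the attacker's session is used.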

Other approaches have been documented by Talos, where adversaries craft fake MFA web pages that capture one-time codes and pass them along automatically to the legitimate site to reach protected information (an adversary-in-the-middle, or real-time phishing relay). The OTP codes can be time-based rolling codes from an app or hardware token, or codes delivered by text or email; the end result is the same, because the legitimate site has no way to tell that the code was typed into the wrong page.
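The relay works because a one-time code carries no information about where it was typed. The following is an added example (not code from Talos or from the original article) in Python that simulates both halves of the comparison: a standard RFC 6238 TOTP check that accepts a code forwarded by a phishing proxy, and the WebAuthn client-data check a relying party performs, which rejects the same relay because the browser binds the assertion to the origin of the page actually in front of the user. The hostnames are assumed, and the WebAuthn portion omits signature verification to keep the focus on the origin check.

```python
"""OTP codes relay through a phishing proxy; FIDO2 assertions do not (added example).
Not code from Talos or the original post. TOTP follows RFC 6238; the WebAuthn side
checks only the client data (type, origin, challenge) and omits signature verification."""
import hashlib
import hmac
import json
import secrets
import struct

RP_ORIGIN = "https://login.example.com"      # assumed legitimate site
PHISH_ORIGIN = "https://login-example.com"   # assumed look-alike page run by the proxy


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1. The code depends only on the secret and the
    time, so anyone who learns it inside the current step can use it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def otp_server_accepts(secret: bytes, submitted: str, unix_time: int) -> bool:
    """Typical server check allowing one step of clock skew either way. Note what
    is missing: nothing ties the code to the page it was typed into."""
    return any(hmac.compare_digest(totp(secret, unix_time + 30 * d), submitted)
               for d in (-1, 0, 1))


def relay_attack_otp(secret: bytes, now: int) -> bool:
    """Victim reads the code off their phone and types it into the fake page; the
    proxy forwards that exact string to the real site. Returns the real site's verdict."""
    typed_into_phishing_page = totp(secret, now)
    forwarded_by_proxy = typed_into_phishing_page
    return otp_server_accepts(secret, forwarded_by_proxy, now)


def browser_build_client_data(page_origin: str, challenge: str) -> bytes:
    """The browser, not the page's JavaScript, fills in 'origin' with the origin of
    the page that called navigator.credentials.get(). On the proxy's page that is
    the proxy's origin, whatever the page pretends to be."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": page_origin}).encode()


def rp_verify_client_data(client_data: bytes, expected_challenge: str) -> bool:
    """Relying-party checks from the WebAuthn spec, minus the signature check. In
    the full protocol the authenticator signs authenticatorData || SHA-256(client
    data), so the proxy cannot rewrite 'origin' in transit without breaking it."""
    data = json.loads(client_data)
    return (data.get("type") == "webauthn.get"
            and data.get("origin") == RP_ORIGIN
            and hmac.compare_digest(data.get("challenge", ""), expected_challenge))


def relay_attack_webauthn(page_origin: str) -> bool:
    """The RP issues a challenge, the proxy passes it to the victim's page, the
    browser builds client data for the page it is really on, and the proxy
    forwards the result. Returns the RP's verdict."""
    challenge = secrets.token_urlsafe(32)
    client_data = browser_build_client_data(page_origin, challenge)
    return rp_verify_client_data(client_data, challenge)


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 6238 test-vector secret
    print("OTP relayed through proxy accepted:", relay_attack_otp(seed, 1_700_000_000))
    print("FIDO2 from legitimate page accepted:", relay_attack_webauthn(RP_ORIGIN))
    print("FIDO2 relayed from look-alike page accepted:", relay_attack_webauthn(PHISH_ORIGIN))
```

The TOTP routine reproduces the RFC 6238 test vectors (the secret above yields 94287082 at T=59 with eight digits), which is the point: a correct OTP implementation is exactly as relayable as a careless one. The fix for this class of attack is not a better code but a factor that includes the origin in what gets verified, which is what FIDO2 and Windows Hello for Business give you and why Microsoft treats them as phishing-resistant in its authentication strength settings.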

Varonis Threat Labs also recently published an article showing how they bypassed the MFA process at box.com by abusing session authentication tokens. A video showing the exploit can be found here.

Wrapping up!

According to the 2022 Verizon Data Breach Investigations Report, 82% of breaches last year involved the human element. That’s an astronomical number, and it clearly shows that we mere humans are often the weakest link in our security posture. This is why it’s so important to pick strong authentication methods and to reduce or eliminate MFA fatigue. Additional hardening can include risk-based sign-in policies and user and entity behavior analytics that examine every sign-in. Modern security doesn’t have to be a burden or require a large team or heavy administrative overhead. If you would like to learn more, have questions on subjects covered in this article, or want to see how Concurrency can help you modernize your MFA implementation, please let us know!