Why MFA is no longer enough
It’s time to let go of the view that multi-factor authentication (MFA) provides enough security.
Hackers have the means to steal passwords, hijack users’ sign-in sessions and bypass the authentication process entirely, even when MFA is enabled. Adversary-in-the-middle (AiTM) attacks may be nothing new, but the ability of criminals to bypass MFA is.
What’s new?
Attackers can now intercept the legitimate session cookie issued by a real website, along with the authentication token.
The sophistication of these modern AiTM attacks has been highlighted by Microsoft, who explain how AiTM phishing attacks work.
In simple terms:
- An attacker sends a cleverly crafted email (phishing attack) which looks legitimate
- An unsuspecting user clicks on this link, which takes them to the attackers’ ‘spoof’ website
- The attackers’ website silently and transparently forwards on the request to the real site (Office365, Google etc) for authentication
- The user sees the real website and enters their credentials to authenticate
The attacker can now silently intercept this data while it passes through their website
Cookie theft
Ever wondered how you can launch Edge or Chrome and navigate to your Office 365 email without being prompted for authentication? Or launch Outlook or Teams without being prompted for authentication?
This is because you have already done that once and have a safely stored session cookie which is valid for a set number of days. This is what the attacker is after and once they have it, they have easy, instant access to your email or Teams account.
Build multiple layers of protection
A multi-layered approach to security is the key. Relying on a single security mechanism such as MFA is like putting all your eggs in one basket. You need to reduce the possibility of security compromise by adding more control layers.
- Enable MFA if you haven’t done so already. Without this, it’s like having a toy padlock on your front door.
- Raise awareness. This is the most effective and essential step of all. Educate users on how to spot phishing emails and when they should and shouldn’t enter their credentials.
- Implement advanced email filtering. Reduce the chance of attacker emails reaching users’ mailboxes by deploying Content Filtering, Sender Filtering and Safe Links. These are must-haves.
- Implement a Web Proxy. These may be usually considered a mechanism to stop people accessing Facebook or eBay during working hours, but when combined with Deep SSL Inspection, a Web Proxy can inspect all traffic leaving the organisation and track known suspicious or malicious content and sites.
- Implement EDR. Next Generation anti-virus/anti-malware technologies with an Endpoint Detection and Response (EDR) service overlay can detect threats in your networking environment and respond to them appropriately, automatically, and ideally with a human interaction when required.
- Implement Microsoft Conditional Access Security Defaults. Conditional Access policies allow IT admins to create conditions before events, such as authentication, can be accepted. This could include enforcing MFA when logging into any Azure integrated Cloud App, including Office 365, to block sign-ins from untrusted locations or from unknown devices.
- Implement Least Privilege. If an attacker manages to penetrate all these layers you can still limit the damage done. If the end user does not have local admin rights, then there’s a good chance that the attacker will not have these when they compromise that machine. Another, possibly even more important, step is admin account separation
None of these controls are particularly new. They are in essence good practice and should be implemented as a base standard in all sizes of IT estate. The majority shouldn’t even cost significantly to implement if anything.