Why MFA is no longer enough
Chief technology officer, Gavin Vickers, explains why multi-factor authentication alone is no longer enough in the fight against adversary in the middle attacks.
September 12th, 2022
It’s time to let go of the view that multi-factor authentication (MFA) provides enough security.
Hackers have the means to steal passwords, hijack users’ sign-in sessions and bypass the authentication process entirely, even when MFA is enabled. Adversary-in-the-middle (AiTM) attacks may be nothing new, but the ability of criminals to bypass MFA is.
Attackers can now intercept the legitimate session cookie issued by a real website, along with the authentication token.
The sophistication of these modern AiTM attacks has been highlighted by Microsoft, who explain how AiTM phishing attacks work.
In simple terms:
- An attacker sends a cleverly crafted email (phishing attack) which looks legitimate
- An unsuspecting user clicks on this link, which takes them to the attackers’ ‘spoof’ website
- The attackers’ website silently and transparently forwards on the request to the real site (Office365, Google etc) for authentication
- The user sees the real website and enters their credentials to authenticate
The attacker can now silently intercept this data while it passes through their website
Ever wondered how you can launch Edge or Chrome and navigate to your Office 365 email without being prompted for authentication? Or launch Outlook or Teams without being prompted for authentication?
This is because you have already done that once and have a safely stored session cookie which is valid for a set number of days. This is what the attacker is after and once they have it, they have easy, instant access to your email or Teams account.
Build multiple layers of protection
A multi-layered approach to security is the key. Relying on a single security mechanism such as MFA is like putting all your eggs in one basket. You need to reduce the possibility of security compromise by adding more control layers.
- Enable MFA if you haven’t done so already. Without this, it’s like having a toy padlock on your front door.
- Raise awareness. This is the most effective and essential step of all. Educate users on how to spot phishing emails and when they should and shouldn’t enter their credentials.
- Implement advanced email filtering. Reduce the chance of attacker emails reaching users’ mailboxes by deploying Content Filtering, Sender Filtering and Safe Links. These are must-haves.
- Implement a Web Proxy. These may be usually considered a mechanism to stop people accessing Facebook or eBay during working hours, but when combined with Deep SSL Inspection, a Web Proxy can inspect all traffic leaving the organisation and track known suspicious or malicious content and sites.
- Implement EDR. Next Generation anti-virus/anti-malware technologies with an Endpoint Detection and Response (EDR) service overlay can detect threats in your networking environment and respond to them appropriately, automatically, and ideally with a human interaction when required.
- Implement Microsoft Conditional Access Security Defaults. Conditional Access policies allow IT admins to create conditions before events, such as authentication, can be accepted. This could include enforcing MFA when logging into any Azure integrated Cloud App, including Office 365, to block sign-ins from untrusted locations or from unknown devices.
- Implement Least Privilege. If an attacker manages to penetrate all these layers you can still limit the damage done. If the end user does not have local admin rights, then there’s a good chance that the attacker will not have these when they compromise that machine. Another, possibly even more important, step is admin account separation
None of these controls are particularly new. They are in essence good practice and should be implemented as a base standard in all sizes of IT estate. The majority shouldn’t even cost significantly to implement if anything.
Find out how QuoStar can help to evaluate your IT security and safeguard your enterprise from attacks with a complimentary consultation with a member of our security team.
‘A New Era for QuoStar’
QuoStar has appointed three new senior members to its recently restructured board as part of the firm’s continued growth plans. Since the start of the year, 20 new people have joined the experienced QuoStar team, with the new additions set to bolster the company’s growth trajectory in 2022. Andrew Forder, who has nearly 20 years’ […]
Cybersecurity recommendations for the Finance and Banking sector in 2022
Cybersecurity attacks strike at the heart of an institution’s reputation. If data is compromised, trust can be shattered. Like all service providers, financial firms depend on their painstakingly-built reputations to stay in business. Consumers must be confident that their financial information – and money – is safe. Guarding against cybersecurity threats is crucial. These risks […]
The cyber-war era: the rapid growth of the threat landscape
In this blog we explain what you should be looking out for in the cyber-war era, and how you can best protect the cyber-security of your organisation. The threat landscape is accelerating faster as global tensions grow over the Russia Ukraine conflict. The Cyber-war is well underway, with Ukraine rallying troops for the […]