Last weekend my youngest daughter started a new baton program on Saturday mornings. Sitting there I realized I have been taking at least one of my four daughters to baton for the last 22 years across two different teams in two different towns.
There are times when it is quite tiring to keep up with my kids' schedules.
Another thing that is getting tiring these days is multi-factor authentication (MFA). There is even a phrase for it now: MFA fatigue. Today I want to make you aware of the most common ways the bad guys are defeating MFA.
The statistics have been clear. It has been estimated that 99% of the most common account-takeover attacks are defeated by simply implementing MFA. A good MFA implementation should stop most of the drive-by attackers looking for an easy victim.
Faced with increased security procedures, you knew the bad guys wouldn't simply shut down and sell donuts instead. The reality is that they are getting more creative in breaking through the MFA blockade. Some of the techniques they are using are:
- Cookie session stealing. Here the bad guys are already lurking on your machine. They wait for you to complete an MFA login in the normal way and then steal the session cookie (or token) that tells the application it is you. With that cookie they impersonate you as an already-validated MFA user, without ever touching your password or your authenticator. The defense is to have your end-user workstations fully protected with an advanced EDR product (preferably backed by a SOC) such as CSI's CSEDR powered by SentinelOne, and, when you suspect a compromise, to revoke the user's active sessions rather than only resetting the password, because the stolen cookie stays valid until it expires or is revoked.
- Stealing MFA codes sent by SMS text. SMS has long been considered a very weak form of MFA: the code can be phished from the user just like a password, and the phone number itself can be hijacked (SIM swapping). Your users should use an authenticator application such as Cisco DUO instead.
- Stealing MFA codes sent by email. This is also a very weak form of MFA. If a user's email is already compromised, sending the bad guys your secure code is not a good plan; it turns the second factor into a copy of the first. Again, you should force the use of an authenticator application such as Cisco DUO to control your authentication.
- MFA fatigue. Here the bad guys already have the user's password, which is how they are able to trigger the prompts in the first place. They simply pummel the user with push requests in the hope that the user is distracted or tired enough of the prompts to click yes just to make them go away. User fatigue and distraction are a real threat to the integrity of the MFA process. In your internal training and re-training, stress that users must never approve an MFA prompt they did not just trigger themselves, and that an unexpected prompt is itself a sign that their password is in someone else's hands and must be reported and changed right away. We do expect them to know whether or not they are signing on to your systems!
Since MFA fatigue is now a thing, MFA authenticators are evolving from a simple Yes/No on the push prompt to number matching: the login screen shows a code, and the user must enter that same code into the authenticator app before the login is approved. An attacker's push cannot be approved by someone who is not looking at the attacker's login screen, so blindly clicking the attackers through is no longer possible. Cisco DUO calls this feature Verified DUO Push. Note that number matching does nothing against the cookie-stealing attack above, which happens after the prompt has been legitimately approved; that one still comes down to endpoint protection.
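Training users is one half of the fatigue defense; the other half is noticing the barrage in your authentication logs before a tired user approves it. The script below is an added example, not code from this post or from Cisco DUO, and the log lines in it are constructed for illustration in a simplified one-line-per-event layout that is an assumption of the example rather than any vendor's real export format. It flags any user who receives several denied or unanswered push prompts within a short window, and escalates if an approval follows that burst, which is the signature of a fatigue attack that just succeeded.

```python
"""Flag MFA-fatigue patterns in push-authentication logs.

Added example for this post. The log format below is an assumption:
one event per line as  <ISO timestamp> <user> <factor> <result> <source ip>.
Real products (Cisco DUO, Microsoft Entra, Okta) export richer records; only
parse_log() would need to change to read one of those instead.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). alice is hammered with pushes she
# keeps denying or ignoring, then approves one; bob looks like normal use.
SAMPLE_LOG = """\
2023-03-01T08:01:10Z alice push denied 203.0.113.7
2023-03-01T08:01:40Z alice push denied 203.0.113.7
2023-03-01T08:02:05Z alice push timeout 203.0.113.7
2023-03-01T08:02:50Z alice push denied 203.0.113.7
2023-03-01T08:03:30Z alice push approved 203.0.113.7
2023-03-01T08:05:00Z bob push approved 198.51.100.4
2023-03-01T09:15:00Z bob push denied 198.51.100.4
2023-03-01T09:30:00Z bob push approved 198.51.100.4
"""


def parse_log(text):
    """Parse the assumed one-line-per-event format into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, factor, result, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "factor": factor, "result": result, "ip": ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: {"level": ..., "ips": [...]}} for suspicious push activity.

    "burst":                threshold or more pushes were denied or timed out
                            within `window` (attacker has the password and is
                            hammering the user; reset it and warn the user).
    "approved_after_burst": the user approved a push while such a burst was
                            still inside the window (probable successful
                            fatigue attack; revoke sessions, reset, investigate).
    """
    by_user = defaultdict(list)
    for e in events:
        if e["factor"] == "push":          # only push prompts can be fatigued
            by_user[e["user"]].append(e)

    alerts = {}
    for user, pushes in by_user.items():
        rejected = deque()                 # non-approved pushes inside the window
        for e in pushes:
            # Slide the window: drop rejections older than `window` before this event.
            while rejected and rejected[0]["ts"] < e["ts"] - window:
                rejected.popleft()
            if e["result"] == "approved":
                if len(rejected) >= threshold:
                    ips = {r["ip"] for r in rejected} | {e["ip"]}
                    alerts[user] = {"level": "approved_after_burst", "ips": sorted(ips)}
                continue
            # denied, timeout, or any other non-approval counts toward the burst
            rejected.append(e)
            if len(rejected) >= threshold and user not in alerts:
                alerts[user] = {"level": "burst", "ips": sorted({r["ip"] for r in rejected})}
    return alerts


if __name__ == "__main__":
    for user, alert in find_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {alert['level']} from {', '.join(alert['ips'])}")
```

In this data alice is reported as approved_after_burst, while bob's single denial an hour later is outside any burst and is not reported. Tune the window and threshold to your own prompt volume; the useful detail for the SOC is the source IP of the rejected pushes, which is the attacker's login location, not the user's phone.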
I strongly encourage you to up your MFA game: make sure your endpoints are well guarded and well maintained, move your users completely away from SMS- and email-based MFA wherever possible, train them to recognize and report MFA fatigue, and move your MFA prompts to number matching.
If you need help implementing these things in the transition, please reach out to us. We are happy to help you.
-Scott Quimby, CISSP