The Rise and Fall of Traditional Multi-Factor Authentication (MFA) and How to Protect Against Account Compromise

2 min read, 17 July 2024

As organisations move more data and services to the cloud, new risks inherently present themselves. MFA, for example, is a robust way of verifying that a user is who they say they are, yet it is still open to compromise.

At FSP we have observed an increase in the number of session hijacking attacks that circumvent MFA. Despite the challenges presented by emerging threats, robust multi-layered security practices mean that businesses can prevent compromise like never before.

FSP have identified several additional countermeasures to keep your cloud environment safe, including:

– Configuring security alerting to provide early warning of attempted account compromise.

– A robust deployment of device controls and verification that prevents cyber-criminals from gaining access to your data.

– Fully managed services to ensure that you reduce the likelihood of a successful breach taking place, and significantly reduce the impact if it does.

What is MFA? 

Let’s start by looking at MFA in more detail: it is the process of combining several different methods to verify someone’s or something’s identity. Typically, this will be something you know (a password) together with something you have (a device) or something you are (a biometric).

The purpose of MFA is to prevent an attacker from gaining access to a system by identifying or capturing an account password alone, since the attacker would also need to satisfy the second factor, which should be very difficult to do, particularly if that second factor requires biometrics or some form of physical device.

Where does MFA fail?

Most businesses that implement MFA within the Microsoft Cloud set up a form of token-based verification, whereby users receive codes on their phone, typically in the form of a text message or app notification. Although this protects against the password-only attack described above, what it does not prevent is already authorised users having their session stolen.

What is a session and why is it important?  

When you log into a Microsoft Cloud service/application a session is created; this is a temporary connection that keeps you logged in without asking for your password repeatedly. This connection is managed through a session token, which acts like a unique ticket granting access to your account for a set period.  

How are they stolen?  

Attackers can obtain these sessions by phishing or coercing users into accessing legitimate Microsoft services whilst eavesdropping on the communication. Once a valid session has been obtained, the attackers can then add this to their web browser and gain access to the compromised account without the need for a password, or more importantly without verifying their identity via MFA. Although this may sound extremely technical, the barrier to entry has been significantly lowered by threat groups offering these capabilities as a subscription service.   

Immediate actions to implement if an account has been compromised

The immediate actions to implement if you suspect a user’s account has been compromised are:  

  • Force reset the compromised user’s password  
  • Revoke all sessions  
  • Verify no secondary MFA configured or changed  
  • Review account activity during the compromised time window  
  • Contact a reputable cyber incident response team  
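The first four steps above as a Microsoft Graph PowerShell runbook. This is an added example, not FSP's code; it assumes the Microsoft.Graph module is installed and the caller holds the listed admin scopes, and the user principal name and time window are placeholders for the real incident.

```powershell
# Added example (not FSP's code): immediate-response runbook for a compromised account.
# Assumes Install-Module Microsoft.Graph has been run and the caller is a privileged admin.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. 'user@example.com' (placeholder)
    [datetime] $WindowStart = (Get-Date).AddDays(-7)       # start of the suspected compromise window
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All',
                        'UserAuthenticationMethod.Read.All', 'AuditLog.Read.All'
$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

# 1. Force a password reset: random temporary password that must be changed at next sign-in.
$tempPassword = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# 2. Revoke all sessions. This invalidates refresh tokens and browser session cookies;
#    access tokens already issued stay valid until they expire (up to about an hour by default).
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. List every registered authentication method so an attacker-added phone, authenticator
#    app or email address can be spotted and removed.
Get-MgUserAuthenticationMethod -UserId $user.Id |
    ForEach-Object {
        [pscustomobject]@{
            Id     = $_.Id
            Type   = $_.AdditionalProperties['@odata.type']
            Detail = ($_.AdditionalProperties.GetEnumerator() |
                      Where-Object { $_.Key -in 'displayName', 'phoneNumber', 'emailAddress' } |
                      ForEach-Object { $_.Value }) -join ' '
        }
    } | Format-Table -AutoSize

# 4. Review sign-ins in the window. A successful sign-in (Error 0) from a non-compliant
#    device or an unfamiliar IP address is the footprint of a replayed session.
$since  = $WindowStart.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"
Get-MgAuditLogSignIn -Filter $filter -All |
    Select-Object CreatedDateTime, IPAddress, ClientAppUsed,
                  @{ n = 'Compliant'; e = { $_.DeviceDetail.IsCompliant } },
                  @{ n = 'OS';        e = { $_.DeviceDetail.OperatingSystem } },
                  @{ n = 'Error';     e = { $_.Status.ErrorCode } } |
    Sort-Object CreatedDateTime | Format-Table -AutoSize

# 5. Hand the timeline produced above to your incident response team.
```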

Leveraging Microsoft Intune and Conditional Access to prevent the use of stolen sessions

Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). It allows organisations to manage and secure devices such as smartphones, tablets, and computers.   

Intune allows organisations to define and enforce policies that devices must meet to be considered secure. These policies typically include requirements such as having up-to-date software patches, antivirus protection, encryption settings, and other security configurations.  

Conditional Access allows businesses to decide how users sign in to the Microsoft cloud and which security controls they need to pass before successfully logging in.

Organisations can configure access policies in Intune that enforce controls based on device compliance status, meaning only devices that meet the set security standards can access corporate resources, including applications and data. Therefore, if a user’s session is stolen and an attacker attempts to use it from a device that is not managed by Intune (and so does not meet the compliance standards), the Conditional Access policy can be set to deny this access. As such, without meeting the security requirements set by Intune and Conditional Access, the stolen session token becomes useless for accessing corporate resources.
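The policy described above, created with the Microsoft Graph PowerShell SDK. This is an added example, not FSP's or Microsoft's own code; it assumes the caller holds the Conditional Access policy scopes, starts the policy in report-only mode, and uses a placeholder object ID for the emergency-access account that should be excluded.

```powershell
# Added example (not FSP's code): require a compliant (Intune-managed) or hybrid-joined device
# for every cloud app, starting in report-only mode so the effect can be reviewed first.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All'

$breakGlassAccountId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access account

$policy = @{
    displayName = 'Require compliant device for all cloud apps'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' once the report-only results are clean
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassAccountId)        # never lock out the emergency-access account
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')                         # browser, mobile/desktop and legacy clients alike
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')   # Intune-compliant OR hybrid-joined
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Review what the policy would have blocked: recent sign-ins where this policy reported a
# failure. A replayed session from an unmanaged device shows up here as a non-compliant device.
Get-MgAuditLogSignIn -Top 200 |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id -and $_.Result -eq 'reportOnlyFailure' }
    } |
    Select-Object CreatedDateTime, UserPrincipalName, IPAddress,
                  @{ n = 'Compliant'; e = { $_.DeviceDetail.IsCompliant } },
                  @{ n = 'OS';        e = { $_.DeviceDetail.OperatingSystem } } |
    Format-Table -AutoSize
```

Conditional Access is evaluated when a token is issued or refreshed, so this stops a stolen session from obtaining new tokens from an unmanaged device, while access tokens that were already issued remain usable until they expire. That is why revoking sessions stays on the immediate-actions list even once this policy is enforced.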

How can FSP help?  

We can:

– Provide you with a robust deployment of device controls and verification that prevents cyber-criminals from gaining access to your data.

– Configure security alerting to provide early warning of attempted account compromise.  

– Review your security posture and provide cost-effective solutions to address this, along with other weaknesses which may make you vulnerable to cyber-attack.

– Provide fully managed services to ensure that you reduce the likelihood of a successful breach taking place, and significantly reduce the impact if it does (see our post on how to stay ahead of the cyber threat and improve your ROI).

– Run end-to-end purple team engagements identifying risks to your organisation whilst also reviewing the ability to detect and respond to live incidents.  

Wrapping up

Our team at FSP have extensive knowledge and experience both in the deployment and configuration of secure cloud environments. We also have expertise in monitoring organisational estates and responding to suspicious activity.   

If you would like to know more about how FSP can help you mature the security posture of your organisation, please go to FSP.