A look at MFA and recent incidents

4 minutes

[Disclaimer: In this post I discuss a breach involving Cisco. I am a former employee of Cisco. All information discussed is public and no information from my employment is being utilized in this post.]

Multi-factor Authentication (MFA) has long been held as a bastion of cybersecurity. In my opinion, it is still a must, but some recent incidents have highlighted that even MFA can be circumvented. Let’s discuss the incidents and ways to prevent this from happening to you.

Let me get this out of the way…. enable MFA everywhere you can. NO security is perfect security, but using MFA is a drastic step in the right direction. I just don’t want people to read this blog and think that MFA is not helpful. It truly is!

Last month Cisco reported a data breach with the vector apparently being through their VPN, which is protected by MFA. Cisco is a serious security company, who owns Duo; a top rated MFA solution. I highlight them to simply show the lessons we can all take from this breach. The attacker presumably had a valid password for the user, which was exploited. From there the attacker would have needed to get past Cisco’s MFA implementation (most likely Duo). From the information available to us, the attacker likely benefited from MFA fatigue or just a simple mistake when the user accepted the MFA push request. This is one of the problems with push requests. It is only as strong as the awareness of the user. Although not cited in this breach, you can also see how password theft accompanied with social engineering can be very effective against a fatigued or poorly trained user. Picture this, an employee gets a call from IT. They are concerned about the security of the user and they need to test MFA right now! (attackers love to use immediacy) “I am going to send you a single MFA push and I simply need you to accept it so I can verify it works on my side. I’m doing this with all our employees.” All the attacker needs is one person to accept the push. Now they are in! The type of MFA doesn’t really even matter (OTP, push, SMS, etc.) the user is the weak link.

Of course the attack I mentioned above is predicated upon the attacker being in possession of a working password, likely through the use of purchased lists and credential stuffing tactics. However, I have been witness to several password and MFA theft attempts through the use of phishing and spoofed login sites (some happening very recently). In this attack the attacker sends out an email, typically with something you either want or a charge that you didn’t expect. They ask you to login to your account and provide a button to do so. Most people will not look at the URL nor dig into the sender. One attack I have seen is through the use of an email with unexpected Apple App Store charges. The user is sent an email saying they have a charge for something they clearly didn’t buy. Most people’s first inclination is to login and see what happened. They click the button, which leads to an attackers fake, but realistic looking website, where the user willingly provides their username, password, and MFA credentials. The damage is done. I have personally seen this for both consumer and business attacks. It’s sad because it preys on our fears or the promise of something we want. 

So what do we do? Is this a technical problem? Is this a people problem? Is this an education problem? The answer… YES.

  • Awareness training is key. Teach your users, family members, friends, etc. that if something doesn’t look right, it likely isn’t. If you didn’t request a MFA push, don’t accept one. 
  • Consider other forms of MFA like hardware tokens (Yubikey), biometric, Facial ID, etc.
  • Always use different passwords for different applications and websites to prevent credential stuffing in the first place. This is where the use of a password manager is imperative. 
  • Did I mention training? Yeah, let’s focus on that again! I always say, “the most insecure part of any security plan is the squishy thing behind the keyboard.” Train your users to be the solution, not the problem.
  • If you do get an alert, bill, enticing offer, etc. in your email, don’t follow the link in the email, but instead login directly to website itself. 
  • If your aren’t enforcing the use of MFA, do so immediately. Even though it isn’t perfect, it is one of the best practices we have in combating a number of threat actor tactics. If combined with good training, it is darn near perfect.

What are your thoughts on this subject? Do you have any other best practices?

Recommended reading:

How Hackers Blend Attack Methods to Bypass MFA

Required MFA Is Not Sufficient for Strong Security: Report

Microsoft: Multifactor Adoption Remains Low

Social Engineering Schemes to Bypass Multi-Factor Authentication

Pick 2! Something you are– Something you have– Something you know #