Best practices for implementing MFA to combat Brute-forcing attacks

With the rising adoption of multi-factor authentication (MFA), MFA attacks too have become increasingly common. These attacks can range from the devious to the highly sophisticated. Typically, MFA bypass techniques fall into one of two categories: either brute-forcing the two-factor process and attempting to guess the code or using social engineering to trick a targeted user into generating the code and approving a fraudulent access request. In addition to compromising MFA platforms and tricking employees into approving illegitimate access requests, attackers are also using adversary-in-the-middle (AiTM) and proxy attacks to bypass MFA authentication.

MFA brute-forcing, which is becoming the new favourite tactic in high-profile breaches such as Uber and Reddit, is the most widely used type of MFA attack. The attacker attempts to gain unauthorized access to an MFA-protected account by brute-forcing the user's login credentials: automated software tries many different combinations of usernames and passwords until the correct one is found. The attack can also involve attempts to bypass the additional layer of authentication by guessing or stealing the one-time code or security token.

While there are several strategies and best practices to safeguard against MFA brute force attacks, in this post we look at how a forensics-driven approach to cybersecurity can help prevent such attacks, by delving into a real case investigated by SISA.

Deconstructing the incident

Bank customers reported fraudulent deductions and unauthorized e-commerce transactions. Initial investigations revealed that fraudsters had called customers posing as bank employees and requested card details, CVV2, and OTPs. Detailed investigation revealed that a bank call-center supervisor's personal laptop and social media account had been compromised, and that the intruder had used the supervisor's credentials, clearing MFA through approved push notifications, to log in to the bank's network (VPN), Active Directory, email, and CRM application. The intruder then executed a social engineering attack using customer details extracted from the CRM.

Deciphering the incident

The incident was caused by a control failure in MFA: the user had approved the MFA push notification multiple times, eventually falling prey to an MFA brute-forcing attack. Despite the organization providing information security training, the user had shared credentials with colleagues, used the same password for all accounts, and used a personal system to log into the network, which was compromised with keylogger malware. Additionally, the user's social media credentials were compromised, and the same credentials were used for logging into the VPN, email, and CRM application.

Developing controls to prevent or detect the incident

SISA’s forensics-driven approach uses a unique 4D framework consisting of deciphering the breaches, deconstructing the loopholes, developing essential controls and disseminating the learnings to help organizations strengthen their security posture. The learnings derived from the breach investigations are used to develop and fine-tune preventive and detective controls – the controls with the highest probability of preventing or detecting a breach.

Based on the findings from the above case investigation, SISA recommends that organizations deploy the following controls and best practices to guard against MFA attacks.

Preventive controls:

  • Configure the MFA to OTP-based authorization. It is largely a matter of psychology: typing an OTP gives users a moment to think about whether they should share it, whereas a push notification only asks them to click ‘Yes’. Based on SISA’s Red Teaming exercises, it is 50% easier to get users to accept an MFA push notification than an OTP-based prompt.
  • Configure the application to disable the user’s account if the user has rejected a push notification three times within a short period. The credentials may have been compromised, and an intruder may be trying to brute force the MFA.
  • Use geo-based authentication by configuring the remote application to reject authentication attempts from users connecting from a different geography.
  • Provide continuous training to educate employees on OTP best practices, on authorizing MFA push notifications, and on the reporting mechanisms to use if they spot unauthorized alerts.

Detective controls:

  • For effective and proactive detection of attacks, it is critical that the SIEM tool and the threat intelligence team monitor the following via a dashboard, or have use cases configured to alert on them.
  • For the remote application logs, enrich the public IP from which the user logs in with its geolocation. Also enrich the public IP with its ASN (Autonomous System Number).
  • Use a long-tail analysis graph/dashboard of the geographies from which users log in. If usernames can be aggregated within the graph/dashboard, it will help the analysis. Identify whether there is a remote login from a different geography.
  • Use the ASN value and create a long-tail analysis. Identify unknown ASNs from which logins originated. Using this method, the monitoring team will be able to identify whether the user is using a VPN or not.
  • If the SIEM supports UEBA or ML, train the model to link each user with their usual geography and ASN, and configure it to generate an anomaly when the user logs in from a different geography or ASN.
  • Create a detailed playbook for incident analysis to deal with any alerts generated.
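The lockout rule from the preventive controls (three rejected pushes in a short window) and the geo/ASN anomaly logic from the detective controls, as an added example that is not part of the original post or of SISA's tooling. The log format, the IP-to-geo/ASN table and the per-user baselines are constructed stand-ins for a SIEM's own enrichment and UEBA data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication log lines: timestamp, user, source IP, MFA result.
SAMPLE_LOGS = """\
2024-03-01T09:00:05Z alice 198.51.100.7 push_approved
2024-03-01T21:14:02Z bob 203.0.113.9 push_rejected
2024-03-01T21:14:40Z bob 203.0.113.9 push_rejected
2024-03-01T21:15:10Z bob 203.0.113.9 push_rejected
2024-03-01T21:17:33Z bob 203.0.113.9 push_approved
2024-03-02T08:30:00Z alice 198.51.100.8 push_approved
"""

# Constructed enrichment table standing in for a GeoIP/ASN database lookup.
IP_ENRICHMENT = {
    "198.51.100.7": ("IN", "AS64500"),
    "198.51.100.8": ("IN", "AS64500"),
    "203.0.113.9": ("RO", "AS64511"),
}

# Per-user baseline of (country, ASN) pairs learned from known-good logins (constructed).
BASELINE = {"alice": {("IN", "AS64500")}, "bob": {("IN", "AS64500")}}

def parse_logs(text):
    """Parse the log lines and enrich each event with geolocation and ASN."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        geo, asn = IP_ENRICHMENT.get(ip, ("??", "AS0"))
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "ip": ip, "result": result, "geo": geo, "asn": asn})
    return events

def push_fatigue_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` rejected pushes inside `window`: lock and alert."""
    rejected = defaultdict(list)
    for e in events:
        if e["result"] == "push_rejected":
            rejected[e["user"]].append(e["ts"])
    alerts = set()
    for user, times in rejected.items():
        times.sort()
        # Sliding window over the sorted rejection times for this user.
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            alerts.add(user)
    return alerts

def geo_asn_anomalies(events):
    """Approved logins from a (country, ASN) pair outside the user's baseline."""
    return [(e["user"], e["geo"], e["asn"]) for e in events
            if e["result"] == "push_approved"
            and (e["geo"], e["asn"]) not in BASELINE.get(e["user"], set())]
```

Run over the constructed log, `bob` trips both rules: three rejections inside five minutes, followed by an approval from an unfamiliar country and ASN, which is exactly the sequence of a successful push-fatigue attack.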

While MFA provides an additional layer of security, it is essential to implement best practices to guard against MFA brute-forcing attacks. By following strong password policies, enabling account lockouts, utilizing adaptive authentication, and educating users, organizations can significantly reduce the risk of unauthorized access. Importantly, organizations must deploy an EDR solution on remote systems so that the security team can hunt for malicious activity and malware on remote users' machines.
