MFA stands for Multi-Factor Authentication, a multi-step authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, an online account, or a VPN.
MFA requires one or more additional verification factors, in addition to username and password, which decreases the likelihood of a successful cyber attack.
MFA works by requiring additional verification information (factors). A second form of authentication helps to prevent unauthorized account access if a system password has been compromised. There are three types of factors that can be used for MFA:
For example, along with the password, users might be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint.
The most common MFA factor in use is the one-time password (OTP). OTPs are typically 4-8 digit codes received via email, SMS, or an authenticator app. A new OTP is generated either periodically or each time an authentication request is submitted, and it expires after a set duration or once it has been entered.
The rise in exploitation of multi-factor authentication (MFA) protocols by malicious threat actors in the recent past has been a worrisome trend. That much of this activity is being orchestrated by nation-state sponsored actors only intensifies the impact, leading to escalating cyber warfare.
MFA is one of the simple, yet effective, techniques used by organizations across the board to neutralize credential stuffing attacks and add a degree of security when managing access to critical infrastructure. In the recent past, threat actors have been exploiting misconfigurations in MFA to get a foothold in the victim's network, a trend SISA has been observing in forensic investigations and incident response. A commonly observed instance has been the exploitation of default MFA protocols, followed by exploitation of the PrintNightmare vulnerability (a critical MS Windows vulnerability that allows arbitrary code to run with system privileges). By deploying this tactic, threat actors have been able to perform lateral movement and exfiltrate documents containing sensitive data from the victim's cloud and email accounts.
Organizations, especially critical infrastructure providers and government entities, need to ensure proper configuration of MFA to thwart targeted attacks. As one of the top 4 global PCI forensic investigators (PFIs), SISA has observed a high prevalence of misconfigured MFA in breach investigations and forensic audits performed over the past 1-2 years. Some of the widely observed lapses include:
As cyber criminals find new ways to exploit MFA, organizations need to step up their defenses and keep a closer watch on new and emerging adversary tactics. SISA recommends adopting the following security practices to mitigate the increasing threat of MFA exploitation, by private groups and state-sponsored actors alike:
To learn more about emerging trends, threat exploits, intruder tactics and SISA’s top learnings from breach investigations, register for a Forensics Learning Session.
For a deeper understanding of zero trust security, its principles, and best practices, read our latest whitepaper on Six best practices for effective implementation of Zero Trust Security.