Major attacks see an increasing influence from multi-factor authentication (MFA) weaknesses, according to new research findings

Prominent findings suggest an escalating involvement of MFA weaknesses in significant cyber-attacks.

Inadequate settings and intentional bypasses of Multi-Factor Authentication have been at the heart of numerous cyberattacks over the past few months, as identified by Cisco Talos.

In a revealing report by Cisco Talos incident response teams, it was found that nearly half of all security incidents encountered during the first quarter of this year were linked to the use of Multifactor Authentication (MFA). The findings, released on Tuesday, highlight the importance of securing this essential cybersecurity measure.

Nick Biasini, head of outreach at Cisco Talos, emphasised the need for a secure and effective implementation of MFA. He warned that basic MFA with SMS-based notifications, while common, is considered the least secure.

To improve MFA security, organisations can adopt several approaches. Firstly, stronger MFA factors beyond push notifications should be prioritised. Hardware security keys, such as YubiKey and Titan Security Key, provide near-impenetrable defenses against phishing and automated attacks. Authenticator apps generating time-limited codes and hardware tokens are generally more secure than SMS or push notifications.

Secondly, adaptive and contextual MFA can be implemented. This approach dynamically assesses risk based on contextual data, making it harder for attackers to bypass MFA without raising flags. This reduces reliance on static push approvals and can tighten verification when suspicious activity is detected.

Thirdly, MFA should combine at least two factors from different categories, such as something you know (password, PIN), something you have (authenticator app, hardware token), and something you are (biometrics like fingerprint or face recognition). Even if one factor is compromised, attackers cannot access accounts without the other factors.

Fourthly, user education and strong policies are crucial. Since 60% of breaches involve human factors, ongoing user training to recognise fraudulent MFA prompts is vital. Policies against blindly approving push notifications and encouraging verification of the login attempt can reduce successful bypass attempts.

Fifthly, organisations should avoid SMS-based MFA when possible. SMS codes are vulnerable to interception or SIM swapping, so authenticator apps or hardware tokens should be preferred.

Lastly, regular monitoring and incident response are essential. Continuous monitoring for anomalous MFA activity, coupled with swift investigation and revocation of compromised credentials, limits the window for attackers exploiting MFA weaknesses.

Unfortunately, attackers are also using social engineering techniques against IT departments. In some instances, compromising a third-party contractor has been observed as a method attackers use to bypass MFA.

Poorly configured MFA was a factor in two of the biggest attack campaigns so far in 2024: a ransomware attack against Change Healthcare and dozens of attacks against Snowflake customers. In the attack on Change Healthcare, MFA was not set as the default, and in the Snowflake attacks the impacted customers did not have MFA configured.

Users did not properly implement MFA in 1 in 5 Cisco Talos engagements. Attackers are using stolen authentication tokens from employees in their attempts to bypass MFA.

The use of MFA could help prevent attackers from successfully penetrating network defenses. Cisco Duo analysed a dataset of 15,000 push-based attacks from June 2023 to May 2024. In 25% of these incidents, incident response specialists were responding to fraudulent MFA push notifications sent by attackers.
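One way to monitor for the anomalous MFA push activity the article describes (a burst of denied or unanswered prompts, possibly followed by an approval that should be treated as a likely fraudulent "push fatigue" acceptance and trigger session revocation), as an added example that is not from the original article or from Cisco Talos or Duo. The log format, field names, threshold and window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample MFA push log (not real data): timestamp user method result source_ip
SAMPLE_LOG = """\
2024-05-02T08:01:10Z alice push DENIED 203.0.113.9
2024-05-02T08:01:40Z alice push DENIED 203.0.113.9
2024-05-02T08:02:05Z alice push TIMEOUT 203.0.113.9
2024-05-02T08:02:50Z alice push DENIED 203.0.113.9
2024-05-02T08:03:30Z alice push APPROVED 203.0.113.9
2024-05-02T09:15:00Z bob push APPROVED 198.51.100.7
2024-05-02T09:40:00Z bob push DENIED 198.51.100.7
2024-05-02T10:00:00Z carol push DENIED 192.0.2.44
2024-05-02T10:01:00Z carol push DENIED 192.0.2.44
2024-05-02T10:02:00Z carol push DENIED 192.0.2.44
"""

def parse_line(line):
    """Parse one whitespace-separated log line (assumed format) into a dict."""
    ts, user, method, result, src = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "user": user, "method": method, "result": result, "src": src}

def detect_push_fatigue(log_text, threshold=3, window=timedelta(minutes=10)):
    """Flag users who got >= threshold denied/timed-out pushes inside `window`.
    An APPROVED push shortly after such a burst is the highest-severity signal."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            if e["method"] == "push":
                events[e["user"]].append(e)
    alerts = {}
    for user, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        unanswered = [e for e in evs if e["result"] in ("DENIED", "TIMEOUT")]
        for i, start in enumerate(unanswered):  # sliding window over unanswered pushes
            burst = [e for e in unanswered[i:] if e["ts"] - start["ts"] <= window]
            if len(burst) >= threshold:
                deadline = burst[-1]["ts"] + window
                approved = any(e["result"] == "APPROVED" and start["ts"] < e["ts"] <= deadline
                               for e in evs)
                alerts[user] = {"unanswered": len(burst), "approved_after_spam": approved,
                                "sources": sorted({e["src"] for e in burst})}
                break
    return alerts

if __name__ == "__main__":
    for user, info in detect_push_fatigue(SAMPLE_LOG).items():
        action = "revoke sessions and reset factors" if info["approved_after_spam"] else "investigate"
        print(f"{user}: {info} -> {action}")
```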

In summary, strengthening MFA security requires using strong possession factors like hardware keys, leveraging adaptive authentication techniques, combining multiple factor types, educating users about fraudulent push notifications, and avoiding weaker methods like SMS OTPs. These combined measures can significantly reduce the risk of MFA bypass and fraudulent approvals.

  1. To combat increasing cybersecurity incidents, such as ransomware attacks, it's crucial for organizations to strengthen their implementation of Multi-Factor Authentication (MFA), prioritizing stronger MFA factors and avoiding weaker methods like SMS-based notifications.
  2. Adhering to a combination of strong MFA factors, like the use of hardware security keys and software authenticator apps, can provide near-impenetrable defenses against phishing and automated attacks, reducing the risk of MFA bypass and fraudulent approvals.
