Is your Multi-Factor Authentication Deployed Correctly?
Executive Outlook
Now more than ever, understanding your true cyber posture is critical for navigating M&A transactions, offloading risk with insurance, and protecting enterprise value against the impacts of cyber-attacks. After record-setting payout volumes in cyber claims, insurance carriers are closely evaluating an organization's culpability during the claims process. It is reasonable to expect a trickle-down effect, with stricter scrutiny in other areas that may affect your business, such as exclusions in representations and warranties insurance during M&A transactions and contract terms driven by vendor security reviews.
The misconfigurations we've encountered weren't intended to create open vulnerabilities; they were implemented with good intentions, to reduce friction and simplify users' experience with MFA. A balance between security and end-user experience is always needed, but keep in mind that each concession to convenience can have unintended consequences for your business.
Get ahead of these issues by asking yourself and your IT representatives whether the configurations below are correctly implemented in your environment, and what other exceptions or ease-of-use decisions have been made in the last few years.
Technical Perspective
Enduir identified four key MFA misconfigurations in recent attacks.
1. Lax conditional access policies
Conditional access policies allow organizations to strike a balance between security and end-user convenience, but those decisions must be made with a full understanding of what each policy actually permits. Enduir has seen poorly implemented conditional access policies for both physical locations (office networks) and virtual ones (cloud IP ranges) lead to large-scale ransomware attacks.
- Trusting the IP ranges of a production cloud environment allowed an attacker to pivot from an end-user workstation directly into that production environment without a second factor. As a result, the environment, which hosted the client's SaaS offering, was rendered unavailable to their customers.
- Trusting the IPs of corporate offices, combined with a required in-office presence, meant users hardly ever saw an MFA prompt, rendering the control worthless when a threat actor phished an administrator's credentials, exfiltrated data and launched a ransomware attack.
2. Infrequent re-authentication requirements
Another configuration often made in the name of convenience is how often MFA re-authentication is required. Constant re-authentication is, for the most part, not viable because of the hindrance it would cause end users, but the mean dwell time of attacks continues to fall as credential brokers and ransomware-as-a-service (RaaS) providers become more efficient. A long re-authentication window can leave an organization exposed for weeks at a time without MFA ever demanding a second factor of an already-authenticated session.
- Because MFA re-authentication was set to 90 days, a threat actor was able to compromise credentials and launch an attack within 40 days of the initial compromise without ever being prompted for a second factor.
3. Limited scope of systems that MFA is enforced on
When most people think about MFA, they think about securing email credentials. That is certainly recommended, since phishing continues to be a global problem, but each business has its own set of systems outside email that should also be protected.
- Lack of MFA on a password vault that held a Managed Service Provider's (MSP) credentials resulted in the compromise of every one of the MSP's customers.
- A partial implementation of single sign-on at a healthcare provider left the primary line-of-business application without MFA. The single sign-on rollout had been delayed by an executive decision that it would be too disruptive to the business. Subsequently, a line-of-business administrator's account was compromised, and critical patient data was exfiltrated from the environment.
4. Use of phone number-based MFA
Downloading and configuring an authenticator application such as Microsoft Authenticator can be a hurdle for some end users. Users are often uncomfortable installing company applications on their personal phones, or they simply prefer a text message because it is easier. Whatever the reason, text- or phone-call-based second factors diminish the effectiveness of MFA: the factor is tied to a phone number rather than to a device, so SIM swapping, number porting and social engineering of the carrier or help desk can redirect the code to an attacker's handset.
- An M365 administrator configured MFA to text a challenge code to his cell phone. After a successful phishing attack on the organization and additional social engineering, the threat actor was able to use his own phone to accept the MFA prompt and subsequently began changing the wiring instructions for the company's payroll vendor.
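The four configuration questions above can be asked of a tenant mechanically rather than by interview. The script below is an added example for this article, not Enduir's tooling or Microsoft code. It assumes policy objects in the shape returned by the Microsoft Graph `conditionalAccessPolicy` and `authenticationMethodsPolicy` resources (the `AllTrusted` location value, `signInFrequency` and `persistentBrowser` session controls, and `Sms`/`Voice` method ids are Graph's own names); the 14-day re-authentication threshold is an assumption to tune, and the sample policies are constructed to exhibit the weaknesses described, not taken from a real tenant.

```python
"""Audit Entra ID (Azure AD) policy JSON for the four MFA weaknesses described above.
Added example, not Enduir or Microsoft code. Input follows the Microsoft Graph
conditionalAccessPolicy / authenticationMethodsPolicy shape; samples are constructed."""

MAX_SIGNIN_FREQUENCY_DAYS = 14   # assumption: tune to your own risk appetite
WEAK_METHODS = {"Sms", "Voice"}  # phone-number based factors exposed to SIM swapping


def frequency_days(sif):
    """Convert a signInFrequency session control to days (None if no value set)."""
    if sif.get("frequencyInterval") == "everyTime":
        return 0
    value = sif.get("value")
    if value is None:
        return None
    return value if sif.get("type") == "days" else value / 24


def audit_ca_policies(policies):
    """Findings for checks 1-3: location carve-outs, session lifetime, app scope."""
    findings = []
    mfa_for_all_apps = False
    for p in policies:
        name = p.get("displayName") or p.get("id") or "<unnamed>"
        grant = p.get("grantControls") or {}
        if "mfa" not in (grant.get("builtInControls") or []):
            continue  # not an MFA policy
        if p.get("state") != "enabled":  # disabled or report-only
            findings.append(f"{name}: MFA policy is '{p.get('state')}', not enforced")
            continue
        cond = p.get("conditions") or {}
        # 1. Trusted or named locations excluded from the MFA requirement.
        excluded = (cond.get("locations") or {}).get("excludeLocations") or []
        if excluded:
            findings.append(f"{name}: MFA skipped for locations {excluded}")
        # 3. Scope: does some policy cover every cloud app with no exemptions?
        apps = cond.get("applications") or {}
        if apps.get("includeApplications") == ["All"] and not apps.get("excludeApplications"):
            mfa_for_all_apps = True
        # 2. How long a session lives before a second factor is demanded again.
        sess = p.get("sessionControls") or {}
        sif = sess.get("signInFrequency") or {}
        if not sif.get("isEnabled"):
            findings.append(f"{name}: no sign-in frequency set; tenant default applies")
        else:
            days = frequency_days(sif)
            if days is not None and days > MAX_SIGNIN_FREQUENCY_DAYS:
                findings.append(f"{name}: re-authentication only every {days:g} days")
        browser = sess.get("persistentBrowser") or {}
        if browser.get("isEnabled") and browser.get("mode") == "always":
            findings.append(f"{name}: persistent browser sessions always allowed")
    if not mfa_for_all_apps:
        findings.append("no enabled policy requires MFA for every cloud app; "
                        "apps outside the listed scopes are unprotected")
    return findings


def audit_auth_methods(policy):
    """Check 4: phone-based methods still enabled in the tenant method policy."""
    findings = []
    for m in policy.get("authenticationMethodConfigurations") or []:
        if m.get("id") in WEAK_METHODS and m.get("state") == "enabled":
            targets = [t.get("id") for t in m.get("includeTargets") or []]
            findings.append(f"{m['id']}: phone-based method enabled for {targets}")
    return findings


# Constructed sample: a broad user policy with the convenience carve-outs above,
# plus a tighter admin-portal policy for contrast.
SAMPLE_CA_POLICIES = [
    {"id": "policy-1", "displayName": "Require MFA - all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"], "excludeApplications": []},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "timeBased",
                                             "type": "days", "value": 90},
                         "persistentBrowser": {"isEnabled": True, "mode": "always"}}},
    {"id": "policy-2", "displayName": "Require MFA - admin portals", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["MicrosoftAdminPortals"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "timeBased",
                                             "type": "hours", "value": 12},
                         "persistentBrowser": {"isEnabled": True, "mode": "never"}}},
]
SAMPLE_AUTH_METHODS = {"authenticationMethodConfigurations": [
    {"id": "MicrosoftAuthenticator", "state": "enabled", "includeTargets": [{"id": "all_users"}]},
    {"id": "Sms", "state": "enabled", "includeTargets": [{"id": "all_users"}]},
    {"id": "Voice", "state": "disabled", "includeTargets": []},
]}

if __name__ == "__main__":
    for finding in audit_ca_policies(SAMPLE_CA_POLICIES) + audit_auth_methods(SAMPLE_AUTH_METHODS):
        print("FINDING:", finding)
```

Run against the constructed sample, the first policy produces the three findings that map to the incidents above (MFA skipped for `AllTrusted` locations, a 90-day re-authentication window, and permanently persistent browser sessions), and the SMS method is flagged as still enabled. Point it at a real export (the `value` array from `GET /identity/conditionalAccess/policies` and the object from `GET /policies/authenticationMethodsPolicy`) and the same checks apply; the scope check deliberately reports only when no enabled policy covers every cloud application, so narrow policies such as the admin-portal one are not flagged on their own.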
Not sure if your deployment is configured correctly?
Reach out to the Enduir Team (info@enduir.com) to hear how we help organizations evaluate and remediate MFA deployments.