What is Multi-factor Authentication (MFA)?

Chris Wheeler
February 21, 2019

The most important recommendation we give our clients, partners, and insureds is enabling multi-factor authentication (MFA) to prevent cybersecurity incidents.

What is multi-factor authentication?

MFA is the process of requiring multiple “factors” in order to gain access to systems or data.  Factors are one of:

Because passwords are so commonplace as an authentication mechanism, when we refer to MFA we’re almost exclusively referring to implementing a second type of factor. This has led to other common names such as two-factor authentication (2FA) or two-step verification (2SV).

For security and IT professionals, enabling MFA is rarely a discussion. We enable it wherever possible - work accounts, personal devices, and everywhere we can.

But common scenarios in the enterprise IT environment and our daily lives can challenge our ability and willpower to achieve 100% MFA implementation:

The first two of these can be mitigated to some extent by network hygiene such as network and permission segmentation, logging and log reviews, and configuration management. Configuration management is also critical to preventing the “lockout experience,” which, in addition to the business interruption, increases the perception among network users that the IT and Security departments make their lives difficult. Enterprises should endeavor to make MFA both seamless and part of the company’s security culture.

To demonstrate MFA’s importance, let’s consider a different lockout experience that’s not self-inflicted: ransomware. In the past few years, these attacks have become more and more frequent and effective. Strains like Maze Ransomware have even gone beyond simply locking files by leaking the stolen data if the ransom is not paid. The reason multi-factor authentication is so important to preventing ransomware attacks is that many campaigns rely heavily on abusing stolen passwords from phishing links, data breaches, or even internal systems if an attacker has already infiltrated a network. These can be used to break into an enterprise’s “front door,” such as a server with RDP exposed to the internet or a corporate VPN designed to allow access for remote employees, or to hop from one victim to the next if the attacker gains a foothold via phishing.

How does multi-factor authentication help in these cases?

Because ransomware has become a game of scale, many operations rely on automation built into the malware being used to attack an enterprise, which doesn’t tend to wait on multi-factor authentication prompts. Opportunistic attackers looking through a long list of possible victims may simply discard these from their list as failed and move on to softer targets. Even if we assume that a human or more determined adversary is behind the keyboard, they may think twice about using those stolen credentials in an environment with MFA enabled, since services such as Microsoft Office365 Azure Active Directory can be configured to alert users via push notifications to mobile devices. Although some users may click through the prompt, this will raise suspicions, most importantly with the IT and Security staff! This enables the enterprise to detect and mitigate the attack and, from the attacker’s perspective, compromises their campaign. This is an important consideration for the attackers; human-guided ransomware operations such as Ryuk often infect victims over the course of multiple weeks (high labor cost), and ask for much higher ransoms than opportunistic operations. When their operations are compromised or slowed down by MFA, it directly impacts the attackers’ bottom line, reducing the attackers’ financial incentives and steering them towards softer targets.
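
The detection opportunity described above can be sketched as a log triage, shown here as an added example that is not part of the original article: it flags accounts whose correct password met an MFA prompt that was not approved, and separately flags an approval that follows a denial (a possible click-through). The record schema, field names, time window and sample events are constructed for illustration and do not correspond to any vendor's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records in a hypothetical schema (not a vendor log format).
# "mfa" is None when the password was wrong and no prompt was issued.
EVENTS = [
    {"time": "2019-02-21T09:00:00", "user": "alice", "ip": "203.0.113.7", "password_ok": True, "mfa": "denied"},
    {"time": "2019-02-21T09:02:00", "user": "alice", "ip": "203.0.113.7", "password_ok": True, "mfa": "timeout"},
    {"time": "2019-02-21T10:00:00", "user": "bob", "ip": "198.51.100.9", "password_ok": True, "mfa": "denied"},
    {"time": "2019-02-21T10:03:00", "user": "bob", "ip": "198.51.100.9", "password_ok": True, "mfa": "approved"},
    {"time": "2019-02-21T11:00:00", "user": "carol", "ip": "192.0.2.10", "password_ok": True, "mfa": "approved"},
    {"time": "2019-02-21T11:30:00", "user": "dave", "ip": "203.0.113.7", "password_ok": False, "mfa": None},
]

WINDOW = timedelta(minutes=10)  # assumed look-back for a click-through


def triage(events, window=WINDOW):
    """Map each suspicious user to a finding.

    password_valid_mfa_blocked: the password was correct but the prompt was
        denied or timed out, so the password should be treated as stolen.
    approved_after_denial: an approval followed an unapproved prompt from the
        same source IP within the window, so the user may have clicked through.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["password_ok"]:  # wrong-password attempts never reach MFA
            by_user[e["user"]].append(
                (datetime.fromisoformat(e["time"]), e["mfa"], e["ip"]))

    findings = {}
    for user, attempts in by_user.items():
        unapproved = [(t, ip) for t, mfa, ip in attempts
                      if mfa in ("denied", "timeout")]
        if not unapproved:
            continue
        clicked_through = any(
            mfa == "approved" and any(
                ip == u_ip and timedelta(0) < t - u_t <= window
                for u_t, u_ip in unapproved)
            for t, mfa, ip in attempts)
        findings[user] = ("approved_after_denial" if clicked_through
                          else "password_valid_mfa_blocked")
    return findings


if __name__ == "__main__":
    for user, finding in triage(EVENTS).items():
        print(user, finding)
```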

Where should enterprises start?

Microsoft has released lots of tooling recently for Office 365, Azure AD, and hybrid environments, all rolled up into their Microsoft Security Score.  This also enables drill down into specific areas of interest, and not surprisingly, MFA is one of the most important!  Resilience uses these data points, among others, to assess risk for insureds. Google’s GSuite also provides a wide variety of tooling and authentication methods for 2-step verification.

If a wholesale rollout for your enterprise seems too daunting, start small, but with the most important group of users - network administrator and Active Directory domain administrator accounts. These are the accounts that both targeted and opportunistic attackers relish, since they will enable them to spread the farthest across the network.