Multi-Factor Authentication Is No Shortcut To Cyber Resilience

Uploaded on 2023-01-04 in TECHNOLOGY--Resilience, FREE TO VIEW

Two high-profile breaches in recent months remind us of an unfortunate truth: true cyber resilience means preparing for attackers to eventually find a way in.

In both breaches, attackers acquired not only ordinary employee login credentials, but also multi-factor authentication credentials meant to protect against the former theft. Their method for doing so? Old-fashioned persistence - specifically, repeated requests to one or more employees until someone finally gave in.

This isn’t to criticise any breached organisations that clearly take security seriously. Widespread MFA implementation is no small feat. Completing that step puts organisations far ahead of most industries’ cybersecurity curve. Instead, these breaches send a clear message to organisations who treat MFA - or any other single security step - as a shortcut or stand-in for broader cyber resilience.

Modern attackers are numerous and persistent enough that broader technological and cultural changes are needed to stop the attackers that inevitably make it past the network perimeter.

Reducing Confusion & Making Resilience More Concrete

In my experience, organisations don’t tend to settle on cyber resilience shortcuts out of laziness. Instead, the impulse often comes from confusion about minimising and mitigating attacks that have already partially succeeded. The ongoing conversation around Zero Trust security is an excellent example — the average organisation hears so many different interpretations and pitches about Zero Trust that it’s difficult to tell which strategies fall under the umbrella.

The precise answer to that confusion will vary by organisation and industry. But in talking with clients and partners about cyber resiliency, I’ve seen some patterns emerge. Here are examples of the attack types related to the breaches mentioned above:

  • Successful organisations find ways to reduce the potential for employees to make the ‘wrong decision’ during an attack. For example, cloud email security can remove malicious emails from the inbox before a human sees them, and browser isolation can isolate a suspicious site, ensuring local conditions remain benign.
  • When employees make the ‘right decision,’ or the system rejects a malicious message, I see successful organisations use Secure Web Gateway (SWG) services to block malicious domains and allow or block specific IPs — especially with many employees working from their home network. Threat intelligence feeds these services to help ensure humans don’t reach known malicious content.
  • When an employee does make the wrong decision and mistakenly provides their credentials, successful organisations still prevent an active session controlled by the attacker from starting. Phishing-resistant MFA (like physical security keys) implemented through Zero Trust Network Access (ZTNA) can help here.
  • Finally, user-centric, consolidated logging can support incident response teams should a successful attack still occur.

Again, these steps apply primarily to phishing-based MFA compromise breaches mentioned previously - but other resources can present a broader picture.

The Right Culture Supports Resilience

Implementing such capabilities takes time. In the meantime, a robust organisational security culture can help fill the gaps. Education and encouraging teams to over-report potential threats are essential steps. Removing the stigma and negative consequences of successful attacks is equally important.

A prime example of this can be found in an article from Cloudflare that covers their successful response to a phishing attack. The company uses the term “paranoid but blame-free” to describe this approach. When three Cloudflare employees correctly suspected they’d fallen for phishing, they alerted the security team immediately, knowing they would not be punished. As a result, the team could block the phishing site three minutes after the attack began and reset the leaked credentials shortly afterwards.

This combination of alertness and consequence-free reporting can go a long way towards the ultimate goal of cyber resilience - making employees at every level of an organisation feel invested in better security.

What More Can We Do To Stay Cyber-Secure?

The approach described above is good practice, but additional layers are needed to further aid organisations wanting to improve their cybersecurity posture. 

Hardware security keys provide next-level security. Businesses can provide physical keys to employees, meaning they don’t have to rely on a digital code to unlock services. Ultimately, this cannot be phished. Hardware security keys leverage cryptography to verify and validate employee identity and prove the legitimacy of the URL login page. This works by only using the original domains of websites to generate the key – something that code–based MFA lacks.

This additional layer of complexity can replace the less secure MFA option that has its flaws. But it also requires employees to fully invest in using the keys and resist reverting to app-based codes when necessary. 

This technology is one that security-conscious organisations need to have on their radar moving forward into 2023 and beyond. 

Attitudes & Behaviours Are As Crucial As protocols & Technologies

There are no certainties in the practice of defining cybersecurity protocols, particularly as the threat landscape evolves at least as fast as, and often faster than, the mitigations we create to defeat it. 

However, as described above, it’s perhaps a combination of a proactive detection and avoidance stance, along with a culture that encourages the right attitudes and behaviours in employees and stakeholders, who are at the front line of these threats, that is most likely to deliver the resilience we all seek

Adrian Odds is Marketing & Innovation Director at CDS

You Might Also Read: 

Blame The Boss For Cyber Attacks:

 

« Security Risks In 5G Mobile
EU Fines Meta $416m »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Orolia

Orolia

Orolia are experts in deploying high precision GPS time through network infrastructure to synchronize critical operations.

Telos

Telos

Telos offers cybersecurity solutions and services that empower and protect the world’s most security-conscious enterprises.

KnowBe4

KnowBe4

KnowBe4 is an integrated platform for security awareness training combined with simulated phishing attacks.

Subex

Subex

Subex leverages its award-winning telecom analytics solutions in areas such as Revenue Assurance, Fraud Management, Asset Assurance and Partner Management, and IoT Security.

IDnow

IDnow

IDnow is the world’s fastest, most flexible and most secure identity verification platform, delivering instant verification of the identity documents used by 7 billion people.

Anect

Anect

Anect is a leading provider of ICT security and services for hybrid and cloud solutions.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Italtel

Italtel

Italtel is a multinational ICT company that combines networks and communications services with the ability to innovate and develop solutions for digital transformation.

Netlawgic Legal Services

Netlawgic Legal Services

Netlawgic is exclusively focused on delivering cyber law solutions to the industry. We provide our clients with specialized attention and problem solving in all aspects of cyber law.

OffSec

OffSec

OffSec have defined the standard of excellence in penetration testing training. Elite security instructors teach our intense training scenarios and exceptional course material.

PricewaterhouseCoopers (PwC)

PricewaterhouseCoopers (PwC)

PricewaterhouseCoopers is a multinational professional services network of firms headquartered in London, United Kingdom and operating in 157 countries.

Responsive Technology Partners

Responsive Technology Partners

Responsive Technology Partners provides superior IT support services including cybersecurity and compliance, telephony, cloud services, cabling, access control, and camera systems.

Catalogic Software

Catalogic Software

Catalogic helps clients backup, recover, manage, and protect their data across their enterprise and cloud environments with Smart Data Protection solutions.

LogicMonitor

LogicMonitor

LogicMonitor provides SaaS-based IT infrastructure monitoring services for on-premises and multi-cloud environments.

Cyberplc

Cyberplc

Cyberplc is a global cybersecurity consulting firm providing services to government, the public sector and enterprises.

Cyber Explorers

Cyber Explorers

Cyber Explorers is a fun, free and interactive learning platform for future digital superstars. An exciting addition to UK curriculum delivery or after school activities.