Multi-Factor Authentication (MFA) failures show there’s no shortcut to cyber resilience (Guest blog by CDS)
Two high-profile breaches over the past two months remind us of an unfortunate truth: true cyber resilience means preparing for attackers to eventually find a way in.
In both breaches, attackers acquired not only ordinary employee login credentials, but also the multi-factor authentication credentials meant to protect against the former theft. Their method for doing so? Old-fashioned persistence — specifically, repeated requests to one or more employees until someone finally gave in.
This isn’t to criticise any of the breached organisations, who clearly take security seriously. Widespread MFA implementation is no small feat. Completing that step puts the organisations far ahead of most industries’ cybersecurity curve.
Rather, these breaches send a clear message to organisations that treat Multi-Factor Authentication (MFA) — or any other single security step — as a shortcut or stand-in for broader cyber resilience. Modern attackers are numerous and persistent enough that broader technological and cultural changes are needed to stop the attackers who inevitably make it past the network perimeter.
Reducing confusion — and making resilience more concrete
In my experience, organisations don’t tend to settle on cyber resilience shortcuts out of laziness. Rather, the impulse often comes from confusion about what it actually takes to be able to minimise and mitigate attacks that have already partially succeeded. The ongoing conversation around Zero Trust security is an excellent example — the average organisation hears so many different interpretations and pitches about Zero Trust that it’s difficult to tell which strategies actually fall under the umbrella.
The precise answer to that confusion will vary by organisation and industry. But in talking with clients and partners about cyber resiliency, I’ve seen some patterns emerge. Here are examples for the attack types related to the aforementioned breaches:
- Successful organisations find ways to reduce the potential for employees to make the ‘wrong decision’ during an attack. For example, cloud email security can remove malicious emails from the inbox before a human ever sees them, and remote browser isolation can render a suspicious site away from the endpoint, so that whatever the site does, the local machine stays unaffected.
- When employees make the ‘right decision,’ or the system rejects a malicious message, I see successful organisations also use Secure Web Gateway (SWG) services to block malicious domains and allow or block specific IPs — especially with many employees working from their home networks. Threat intelligence feeds these services so that users cannot reach known malicious content.
- When an employee does make the wrong decision and mistakenly provides their credentials, successful organisations still prevent an active session controlled by the attacker from starting. Phishing-resistant MFA (like physical security keys) implemented through Zero Trust Network Access (ZTNA) can help here.
- Finally, user-centric, consolidated logging can support incident response teams should a successful attack still occur.
Again, these steps apply primarily to the phishing-based MFA compromise breaches mentioned previously — other resources can present a broader picture.
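As an added example (not from the original post, CDS or Cloudflare), here is the kind of check that the consolidated logging in the last bullet makes possible against the repeated-prompt tactic described at the top of the post. The log line format and the sample events are constructed for this example, not taken from any vendor's product: the script flags an MFA approval that follows several denied or ignored push prompts within a short window.

```python
"""Detect MFA push-fatigue patterns in consolidated authentication logs.

Assumed log line format (constructed for this example, not any vendor's):
    <ISO-8601 timestamp> <username> <push_denied|push_timeout|push_approved>
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # look-back window for counting prompts
THRESHOLD = 4                   # rejected/ignored prompts that suggest prompt bombing

# Constructed sample events: alice is pushed repeatedly and finally approves,
# bob approves normally, carol's single denial is hours before her approval.
SAMPLE_LOG = """\
2022-09-01T02:10:05Z alice push_denied
2022-09-01T02:11:12Z alice push_timeout
2022-09-01T02:12:40Z alice push_denied
2022-09-01T02:13:55Z alice push_timeout
2022-09-01T02:15:02Z alice push_approved
2022-09-01T08:30:00Z bob push_approved
2022-09-01T09:00:10Z carol push_denied
2022-09-01T13:45:00Z carol push_approved
"""


def parse(log_text):
    """Turn log lines into (timestamp, user, result) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)


def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: [(approval_time, rejected_count), ...]} for every approval
    preceded by at least `threshold` denied/timed-out prompts within `window`."""
    findings = defaultdict(list)
    recent = defaultdict(list)  # per-user timestamps of rejected/ignored prompts
    for ts, user, result in events:
        # Drop rejections that have aged out of the window before this event.
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if result in ("push_denied", "push_timeout"):
            recent[user].append(ts)
        elif result == "push_approved":
            if len(recent[user]) >= threshold:
                findings[user].append((ts, len(recent[user])))
            recent[user] = []  # an approval closes the sequence either way
    return dict(findings)


if __name__ == "__main__":
    for user, hits in detect_push_fatigue(parse(SAMPLE_LOG)).items():
        for when, n in hits:
            print(f"{user}: approval at {when} after {n} rejected prompts in {WINDOW}")
```

A hit is a reason to contact the user and review the session, not proof of compromise on its own; tune `WINDOW` and `THRESHOLD` to the normal prompt volume in your own logs.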
The right culture supports resilience
Implementing such capabilities takes time. In the meantime, a strong organisational security culture can help fill the gaps.
Education, and encouraging teams to over-report potential threats, are important steps. It’s equally important to remove the stigma and negative consequences for employees who fall for a successful attack. In a blog post covering their successful response to a phishing attack, our partner Cloudflare uses the term “paranoid but blame-free” to describe this approach. When three Cloudflare employees correctly suspected they’d fallen for phishing, they alerted the security team immediately, knowing they would not be punished. As a result, the team was able to block the phishing site three minutes after the attack began and reset the leaked credentials shortly afterward.
This combination of alertness and consequence-free reporting can go a long way towards the ultimate goal of cyber resilience — making employees at every level of an organisation feel invested in better security.