December 19, 2019//Tony Howlett
While it’s no surprise that nearly every major data breach of the last few years has involved the use of privileged credentials, it is surprising that one of the most effective security measures remains underutilized. Cyber criminals are looking for the most vulnerable access point, and then once inside, they want more privileges than the last account they hacked. They are always attempting to “escalate privilege” by hopping up the chain to higher and higher level accounts to gain the most access and do more damage. And even though multi-factor authentication (MFA) is considered a basic defense strategy, it’s particularly useful in defending against the theft of privileged credentials.
Defending privileged accounts
If access to privileged accounts is key to executing a successful hack, how can we deny attackers access to them? An effective defense is building an effective “kill chain” of roadblocks and traps, each designed to stop a hacker in their tracks and “kill” their attack. For privileged accounts, this involves a multilayered defense of policies, procedures, protections, and technical controls. This includes good perimeter defenses via firewalls and IPS systems and strong A/V and endpoint protections.
Even with those protections, hackers may still be able to obtain privileged login credentials via phishing email, social engineering, or even resulting from a previous or different breach. Hackers often try credentials found in one breach database on other sites knowing that most people (wrongly) use the same credentials on many sites. Once they have a privileged login, there is little to stop them from logging in directly as a valid user and gaining access to all that login provides. At this point, firewalls, IDS/IPS systems, and endpoint protection won’t help you because the login will be seen as a valid attempt. But, with MFA in place, you can put a strong, and probably terminal, wall between the hacker and the high-level access they seek.
The importance of implementing MFA
Multi-factor authentication adds an effective layer of security, and applications that implement MFA are particularly easy to use. When implemented correctly, multi-factor authentication can make it significantly more difficult for a hacker to acquire legitimate credentials to carry out malicious activities. Despite this, implementation remains relatively low.
True MFA requires the factors to be from different categories. So, it seems like a lot of the times true MFA isn’t implemented. For example, a password and a challenge question (like your grandma’s maiden name) wouldn’t be considered true MFA since it uses two factors from the “something you know” category. Without using true MFA, a hacker can still easily gain access to accounts and more. And what’s worse is that, according to Microsoft, less than 10% of users per month use MFA, but the rate of compromised accounts that use MFA is less than 0.1%.
With MFA in place, an attacker with only a valid login/password pair is still missing something to gain access. Whether it is a physical token from the “something you have” group or a biometric signature from the “something you are” group, it’s going to be hard to get either of those things, unless we’re in a movie. Implementing MFA requires a physicality that most hackers just don’t have access to. For this reason, MFA can stop most credential-based attacks on privileged accounts.
Implement more than just MFA
It’s important to note that MFA is not a silver bullet for all possible attacks on privileged accounts. Bad implementations of MFA can reduce or eliminate its effectiveness. For instance, using bad tech for facial recognition or fingerprint scans and then allowing fallback or fail-safe to single-factor authentication can be easily exploited.
MFA should be implemented with other protections for privileged accounts, including Privileged Access Management (PAM) for internal credentials and Vendor Privileged Access Management (VPAM) for third-party vendors, and granular logging and audit functions for any privileged account activities.