Adrian Odds, marketing and innovation director at CDS, shared his thoughts on multi-factor authentication (MFA) failures and cyber resilience with Cyber Security Intelligence.
Two high-profile breaches in recent months remind us of an unfortunate truth: true cyber resilience means preparing for attackers to eventually find a way in.
In both breaches, attackers acquired not only ordinary employee login credentials, but also multi-factor authentication credentials meant to protect against the former theft. Their method for doing so? Old-fashioned persistence — specifically, repeated requests to one or more employees until someone finally gave in.
This isn’t to criticise any breached organisations that clearly take security seriously. Widespread MFA implementation is no small feat. Completing that step puts organisations far ahead of most industries’ cybersecurity curve.
Instead, these breaches send a clear message to organisations who treat MFA — or any other single security step — as a shortcut or stand-in for broader cyber resilience. Modern attackers are numerous and persistent enough that broader technological and cultural changes are needed to stop the attackers that inevitably make it past the network perimeter.
In my experience, organisations don’t tend to settle on cyber resilience shortcuts out of laziness. Instead, the impulse often comes from confusion about minimising and mitigating attacks that have already partially succeeded. The ongoing conversation around Zero Trust security is an excellent example — the average organisation hears so many different interpretations and pitches about Zero Trust that it’s difficult to tell which strategies fall under the umbrella.
The precise answer to that confusion will vary by organisation and industry. But in talking with clients and partners about cyber resiliency, I’ve seen some patterns emerge. Here are examples of the attack types related to the breaches mentioned above:
Again, these steps apply primarily to phishing-based MFA compromise breaches mentioned previously — but other resources can present a broader picture.
Implementing such capabilities takes time. In the meantime, a robust organisational security culture can help fill the gaps.
Education and encouraging teams to over-report potential threats are essential steps. Removing the stigma and negative consequences of successful attacks is equally important.
A prime example of this can be found in an article from Cloudflare that covers their successful response to a phishing attack. The company uses the term “paranoid but blame-free” to describe this approach. When three Cloudflare employees correctly suspected they’d fallen for phishing, they alerted the security team immediately, knowing they would not be punished. As a result, the team could block the phishing site three minutes after the attack began and reset the leaked credentials shortly afterwards.
This combination of alertness and consequence-free reporting can go a long way towards the ultimate goal of cyber resilience — making employees at every level of an organisation feel invested in better security.
The approach described above is good practice, but additional layers are needed to further aid organisations wanting to improve their cybersecurity posture.
Hardware security keys provide the next level of protection. Businesses can issue physical keys to employees, so sign-in no longer depends on a digital code that can be read out or typed into a fake page. Ultimately, this factor cannot be phished.
Hardware security keys use public-key cryptography to verify the employee's identity and to prove the legitimacy of the login page: the key's response is bound to the original domain of the website it was registered with, so it is useless on a look-alike domain. That domain binding is something code-based MFA lacks.
This additional layer can replace the weaker, code-based MFA option and its known flaws. But it also requires employees to fully commit to using the keys and to resist reverting to app-based codes.
This technology is one that security-conscious organisations need to have on their radar moving forward into 2023 and beyond.
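To make the domain binding concrete, here is an added Go example (not code from the article, CDS or any vendor) that models the relevant part of a WebAuthn/FIDO2 login: the browser writes the origin it is actually connected to into the signed client data, and the genuine site rejects any response whose origin or relying-party ID does not match. The domain names, challenge and key are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData stands in for WebAuthn clientDataJSON: the browser, not the user, records the origin it is connected to.
type clientData struct{ Type, Challenge, Origin string }

type assertion struct { // constructed model of the hardware key's response to one login
	RPIDHash   [32]byte // SHA-256 of the relying-party ID the credential is scoped to
	ClientData []byte   // serialised clientData
	Signature  []byte   // ECDSA over sha256(RPIDHash || sha256(ClientData)), as ES256 does
}

// deviceKey stands in for the credential's private key, created at registration (a real one never leaves the device).
var deviceKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

// authenticatorSign models the key: the signature covers the RP ID and the browser-supplied origin, binding it to one site.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	a := assertion{RPIDHash: sha256.Sum256([]byte(rpID)), ClientData: cd}
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(a.RPIDHash[:], cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	a.Signature = sig
	return a, err
}

// verifyAssertion is the genuine site's check: a response relayed through a look-alike domain fails on origin alone.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, rpID, origin, challenge string) bool {
	var cd clientData
	if json.Unmarshal(a.ClientData, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge ||
		cd.Origin != origin || a.RPIDHash != sha256.Sum256([]byte(rpID)) {
		return false
	}
	cdHash := sha256.Sum256(a.ClientData)
	digest := sha256.Sum256(append(a.RPIDHash[:], cdHash[:]...))
	return ecdsa.VerifyASN1(pub, digest[:], a.Signature)
}

// loginAttempt: the genuine site expects https://login.example.test (constructed); browserOrigin is what the browser saw.
func loginAttempt(browserOrigin string) (bool, error) {
	a, err := authenticatorSign(deviceKey, "example.test", browserOrigin, "constructed-challenge")
	return err == nil && verifyAssertion(&deviceKey.PublicKey, a, "example.test", "https://login.example.test", "constructed-challenge"), err
}
```

In a real browser the rejection happens even earlier: the browser refuses to use a credential whose relying-party ID does not match the page's origin, so the key never signs anything for a look-alike domain.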
There are no certainties in the practice of defining cyber security protocols, particularly as the threat landscape evolves at least as fast as, and often faster than, the mitigations we create to defeat it.
However, as described above, the combination most likely to deliver the resilience we all seek is a proactive detection and avoidance stance, together with a culture that encourages the right attitudes and behaviours in employees and stakeholders, who are on the front line of these threats.
In the original article above, I did not talk about network separation and application isolation. These are two important techniques that can be used to increase cybersecurity.
Network separation is the process of creating separate physical or logical networks for different types of traffic. This method prevents sensitive data from being accessed or compromised by unauthorised users.
On the other hand, application isolation is the process of running different applications in separate environments. This can be achieved through virtualisation or containerisation, which can help prevent one compromised application from affecting other applications or the underlying system.
Cybersecurity experts believe that by using network separation and application isolation together, multiple layers of defence can be created, which reduces the risk of a security breach.
However, experts warn that no single solution can provide complete protection against cyber-attacks and that it's crucial to implement other measures such as keeping software and systems updated, using strong passwords and multi-factor authentication, and regularly conducting vulnerability assessments and penetration testing as well as the behavioural changes mentioned in the original article above.