X-Force Incident Response and Intelligence Services (IRIS) has responded to multiple security incidents where multifactor authentication (MFA) was not implemented—but where implementing MFA might have significantly reduced the impact of the incident. Such incidents have even included destructive malware attacks, resulting in millions of dollars in losses and the irreversible destruction of thousands of machines on the network. In fact, unauthorized use of credentials accounted for 29% of all attacks observed by X-Force IRIS in 2019. Employing MFA on all remote access points can significantly decrease the likelihood of an attacker successfully using stolen credentials to compromise a network.
Even so, threat actors are continually searching for ways to circumvent security controls, and MFA is no exception. We are in many ways seeing MFA as the next battleground of the threat actor-network defender conflict, and malicious actors are occasionally gaining the upper hand and succeeding in circumventing MFA controls. In other cases, configuration or implementation errors open the door for attackers who would otherwise be stopped by MFA.
This blog will explore some of the methods we have observed attackers using to sidestep MFA controls or take advantage of MFA misconfiguration. In addition, we will consider some actions organizations can take to more effectively implement MFA and up their game against this malicious activity.