If 2022 taught cybersecurity anything, it’s that multi-factor authentication (MFA) must be the first line of defense in securing an organization—it just can’t be the last line of defense.
Last year, we saw major, headline-grabbing attacks that successfully evaded MFA. A state-sponsored group breached an NGO in March 2022. Then LAPSUS$ breached a tech provider before moving on to Uber, among several other high-profile attacks last year.
Some of those attacks were sophisticated. Some weren’t. But they all offer important lessons on how and why cybersecurity must protect the entire identity lifecycle.
I’ll be detailing the steps that went into these MFA attacks and the main takeaways organizations should learn from them at RSA Conference tomorrow, April 25, at 9:40 AM PT.
One hack that I won’t be discussing is the SolarWinds breach. And while it won’t be in my presentation, the SolarWinds attack does demonstrate the same need to defend the entire identity lifecycle. In that case, threat actors used SolarWinds to launch a supply-chain attack and gain access to federal agencies, cybersecurity firms, and even Microsoft for months.
The SolarWinds breach demonstrated that if an organization doesn’t prioritize its identity security, then threat actors will. In the post-mortem of the attack, researchers found that the attackers bypassed MFA by using an out-of-date web-cookie technology that had been misclassified as MFA.
But that wasn’t the only vulnerability the attackers exploited: they also stole passwords, used SAML certificates to “enable identity authentication by cloud services,” and created “new accounts on the Active Directory server.” Each step gave the attackers more control and methods to move laterally throughout the SolarWinds Orion network—and then on to its customers.
There was no single identity Achilles' heel that the hackers prioritized. Instead, they “primarily focused on attacking the identity infrastructure [emphasis added],” because “[i]dentities are the connective tissue that attackers are using to move laterally.”
SolarWinds—and 2022’s successful MFA attacks—demonstrated why organizations must understand that the “identity infrastructure is a target.”
Don’t get me wrong: MFA is still the best first line of defense. It protects against the most frequent password attacks, including social engineering tactics like phishing and credential stuffing, eavesdropping attacks, brute force attacks, and more.
But MFA alone isn’t sufficient to prevent risks or respond to threats. MFA must work in coordination with additional capabilities across the identity lifecycle to keep organizations safe.
The Colonial Pipeline ransomware attack demonstrates both how threat actors attack gaps in an organization’s identity infrastructure and the vital role that MFA still plays: DarkSide breached Colonial Pipeline’s systems using an orphaned VPN account that was no longer in use.
That orphaned account served no purpose for Colonial Pipeline; it was only a security liability. A good identity governance and administration (IGA) program would have removed that account from the company’s directory entirely.
But the governance component was just one failing: Colonial Pipeline’s orphaned VPN account also wasn’t protected by MFA. Either an IGA capability or MFA on its own would likely have prevented the breach from occurring. Both together would have made for a much stronger, smarter cybersecurity architecture.
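The two gaps described above (an orphaned account nobody owned, and a remote-access account with no MFA) are exactly what a periodic identity audit should surface. The script below is an added example written for this post, not code from the author or from any vendor: it runs over a small, constructed directory export with hypothetical field names (`owner_active`, `vpn_access`, `mfa_enrolled`, `last_login`) and flags accounts that an IGA review should disable or that should be forced into MFA enrollment before they can be used for remote access.

```python
from datetime import date, timedelta

# Constructed sample export. Field names are hypothetical; a real export from
# an IdP or directory would need to be mapped onto them.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": "2023-04-20",
     "mfa_enrolled": True, "vpn_access": True, "owner_active": True},
    # Contractor whose engagement ended, but the account was never removed.
    {"user": "bob.contractor", "enabled": True, "last_login": "2022-09-01",
     "mfa_enrolled": False, "vpn_access": True, "owner_active": False},
    # Active employee who simply has not logged in for a while.
    {"user": "carol", "enabled": True, "last_login": "2022-11-15",
     "mfa_enrolled": True, "vpn_access": False, "owner_active": True},
    # Legacy service-style VPN account with no owner and no login history.
    {"user": "svc-legacy-vpn", "enabled": True, "last_login": None,
     "mfa_enrolled": False, "vpn_access": True, "owner_active": False},
    # Already disabled: no finding, it cannot be used to authenticate.
    {"user": "dave", "enabled": False, "last_login": "2021-01-01",
     "mfa_enrolled": False, "vpn_access": True, "owner_active": False},
]

ORPHANED = "orphaned"                        # enabled, but no active owner
STALE = "stale"                              # enabled, unused past threshold
VPN_NO_MFA = "remote-access-without-mfa"     # VPN-capable without MFA


def audit_accounts(accounts, as_of, stale_days=90):
    """Return {user: sorted list of issues} for every enabled account
    that an identity governance review should act on."""
    findings = {}
    cutoff = as_of - timedelta(days=stale_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are not an authentication risk
        issues = []
        if not acct["owner_active"]:
            issues.append(ORPHANED)
        last = acct["last_login"]
        last_date = date.fromisoformat(last) if last else None
        if last_date is None or last_date < cutoff:
            issues.append(STALE)
        if acct["vpn_access"] and not acct["mfa_enrolled"]:
            issues.append(VPN_NO_MFA)
        if issues:
            findings[acct["user"]] = sorted(issues)
    return findings


def recommended_action(issues):
    """Map a finding to the governance action: orphaned accounts are
    disabled outright; everything else is remediated but kept."""
    if ORPHANED in issues:
        return "disable"
    if VPN_NO_MFA in issues:
        return "enforce-mfa"
    return "review-with-owner"


def main():
    report = audit_accounts(ACCOUNTS, as_of=date(2023, 4, 24))
    for user, issues in report.items():
        print(f"{user:16} {', '.join(issues):45} -> {recommended_action(issues)}")


if __name__ == "__main__":
    main()
```

The threshold and the "disable if orphaned" rule are policy choices, not facts from the post; the point is that the audit runs on a schedule, so an account like the one DarkSide used is found by the organization before it is found by an attacker.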
MFA is still one of the most important parts of every organization’s security architecture. But it provides more value—and creates stronger cybersecurity—when it works in coordination with other security components across the identity lifecycle.
There are many vulnerabilities across the identity lifecycle. And, unfortunately, threat actors are adept at exploiting all of them.
While Colonial Pipeline and SolarWinds demonstrated some of those vulnerabilities, LAPSUS$ and a state-sponsored hacker found other ways to exploit weaknesses across identity to breach organizations in 2022.
We can learn a lot from each identity attack—and find ways to prevent the next one. If you can, please do join my RSAC session tomorrow to learn more about these vulnerabilities, and what cybersecurity can do to address them.
Join Dave Taku’s RSA Conference session, “Anatomy of the Attack: The Rise and Fall of MFA” tomorrow, April 25 at 9:40 AM PT.