Beyond MFA – Protecting users from modern attacks

Cyber security is a cat and mouse game, every time defenders have a new way to block something; the attackers are working hard to have another way in. We’ve seen some unbelievable advancements in technology in recent years to combat this, and an industry that is the fastest growing area in IT has been created. Industry giants such as Microsoft have even taken steps to force organisations to implement certain controls to limit damage, e.g. depreciating legacy standards and enforcing stricter controls. With AI and everything else that is on the horizon, the quality of defence will increase; but the same is true for the risks we all face. 

We’ve seen in the last year alone a sizeable shift in multi-factor authentication (MFA). A long–standing technology, but not something that saw significant uptake in many organisations until very recent years. MFA is a fantastic advancement, the premise of a person proving that the request came from them by more than a password is simple yet effective. We all take it now for granted and believe that this will absolutely stop us from becoming a victim; surely if I have to approve anything that isn’t in front of me then the risk is eliminated? As you can imagine, it is never that simple! 

Our dedicated Cyber team have worked on several intrusions whereby a customer is protected using MFA and yet an attacker has still managed to login; access email, send emails out, download data from SharePoint and waiting for a suitable time to trigger an attack. That attack may be to send emails with malicious links to high profile clients; attempting to then pivot to their systems or it may be to solicit funds from a customer that is to a bank account controlled by the attacker. After all, if the email came from a legitimate address and was well written; not a lot of people would confirm those details before paying. 

A real world example 

In a recent attack our team were asked to assist an organisation that had almost transferred a significant amount of money to a supplier. The request email had looked legitimate, headed paper was used for the attachment that requested funds and the details were all very specific and accurate. If it had not been for a quick-thinking member of staff double checking the bank details, this could have been disastrous.  

But how has something like this happened? The organisation used MFA and the details were all so specific, it wasn’t a simple phishing email asking for a few pound. The team’s investigation showed that around three months earlier, a member of staff had been sent an email that contained a link that the user clicked; believing that they were signing into Office 365 they continued – however, at this point the attacker’s content was able to steal the user’s token. A token is used to grant access amongst other things, in this case the token had already passed the MFA check so would not need to be re-checked. At this point, the attacker can then login as they wish without needing to verify MFA or even the user’s credentials. 

The attacker then spent time reading emails, accessing data and building up a picture over two months to identify an opportunity. All whilst the organisation had no idea that this was happening.  

What could have been done? 

Whilst Microsoft’s 365 services showcase some data on items that may be suspicious, the volume is vast, and correlation of events is lacking. This is where proactive systems come into place, significant amounts of data are ingested into a system that can analyse, correlate and identify items that require human investigation; even from fragments that on their own may not be suspicious; but when put together form a dangerous pattern. 

A multi-layered approach to Cyber security is unfortunately becoming a necessity in today’s world. Gone are the days when anti-virus and a bit of Cyber security training during employee induction will suffice. Even insurance companies have started stating that items considered only applicable to enterprises a few short years ago, are now required to achieve coverage on a policy. 

Here at Xperience, we specialise in understanding an organisation’s individual risk landscape and tailoring a regiment of testing, monitoring, securing, training, and re-testing. From penetration testing through to 24x7x365 monitoring of every data point on a network; our services can scale from enterprise through to SME organisations.