Small and midsize businesses (SMBs) are at risk of targeted and opportunistic cyberattacks. However, unlike large enterprises, they generally don’t have the budget or in-house expertise to roll out large cybersecurity programs. Multifactor authentication (MFA) has become a technology many SMBs leverage to improve their defenses. It can be inexpensive and effective.
That said, adversaries have adapted their tactics, techniques, and procedures to bypass some types of MFA and access critical data. This has left some SMBs again vulnerable. Nevertheless, MSP can help these SMBs strengthen their security postures. They can educate them about MFA bypass techniques and ensure that their MFA choices are strong.
While businesses don’t need all the latest security controls to fight cyber threats, MFA alone is insufficient. They must strengthen their overall defenses to face the evolving threat landscape.
Threat Actors Are Set on Undermining MFA
Cybercriminals find infiltrating business networks lucrative, incentivizing them to learn to exploit commonly used security controls. Properly implemented MFA helps protect sensitive data and payment information, but not all MFA tools are equal.
Joe Toomey
Today’s most common MFA bypasses leverage phishing-as-a-service tools which generally target time-based one-time password (TOTP) MFA. In these cases, a threat actor sets up a phishing site, tricking users into visiting it and entering their credentials and MFA tokens.
These phishing tools are very convincing. The prompts look like the real prompts users get when using legitimate business applications. If this tricks a user, the threat actor can use the credentials and MFA token to log in to their real target.
Other techniques that should be avoided include SMS-based MFA, which is by far the weakest type of MFA because it is susceptible to SIM-swapping attacks. MFA alert fatigue attacks, where users are overwhelmed with authentication requests, are also becoming a more common threat vector used to bypass MFA. These attacks target push notifications, so businesses should refrain from using push notifications or ensure their users understand how to respond to these types of attacks.
Defense in Depth: Layering Security Controls to Strengthen MFA
It’s common for businesses to use the most accessible tools, but careful implementation and configuration are hallmarks of truly resilient organizations. MFA may have weaknesses, but it’s still a good start; if it fails, you’re no worse off than if you hadn’t implemented it. But, given that MFA has become easier to bypass, a layered approach is key to ensuring a business is protected.
Some other protections include:
- If an organization still has on-premises data or software systems, implementing zero-trust network access instead of a VPN is an excellent way to add further protection. A managed service provider can help.
- Implementing FIDO2 MFA is a more robust solution that uses biometric identification and addresses the weaknesses used in TOTP bypasses. If FIDO2 is too big an investment, companies using an exclusively Microsoft ecosystem can get some of these benefits using MS token protection.
- Layering in a dedicated managed detection and response (MDR) system further enhances business protection, enabling organizations with limited resources to ensure that critical security alerts are viewed and actioned. MDR is one way for small businesses to better secure themselves without having to hire a dedicated security team. A top-tier MDR tool can help SMBs sleep at night knowing they have a team protecting their crown jewels and on standby to help with any necessary remediation.
MDR can reduce attack response time by more than 50%, making businesses and their security personnel far more agile when facing attacks. The approach is proving so successful that Gartner forecasts the number of organizations using MDR will double through 2025. Augmenting MFA with MDR’s human ability better positions businesses to continually identify potential threats, contextualize security concerns, and mitigate attacks before they happen.
An SMB’s Best Bet at Defense
MFA has been a first line of defense for protecting identity and access. But cybercriminals have found ways to bypass it — and they’ll keep innovating.
MSPs that want to help their SMB clients stay ahead of cyberattacks need to strengthen their MFA implementation. They also must layer their defenses to avoid falling victim to MFA bypasses and the breaches that can follow.
An organization’s best bet is a thoughtful, tailored approach to fighting infiltration. This requires more than just security tools and services. It also requires training the workforce in cyber hygiene basics and empowering security professionals to defend the company’s assets.
Joe Toomey is head of security engineering at Coalition Inc., where he oversees the company’s scanning engine, coalition control, and security analyst teams. He previously held the roles of senior director of engineering at VMware Carbon Black and security strategist for IBM Rational.
Image: iStock
