Think Like a Hacker and Protect Your Business From MFA Attacks

Cyber attacks are constantly in the news, making us worry whether we've done enough to protect ourselves and our companies. While these news stories often do a great job of explaining the damage that hackers cause, they don't often tell us much about how the hackers pulled off their attacks. It pays to take a closer look at the methods they're using, however. Learning to think like a hacker can be valuable because it shows you how you can improve your cyber security before a hacker darkens your doorstep. Here's a look at multi-factor authentication (MFA) hacking, how cyber criminals use it to stage attacks, and how you can use this knowledge to stay safe in the face of increasing cyber threats.

What MFA is and how businesses use it

Passwords are the most popular form of authentication, but they can only do so much to protect your employees and your business on their own. MFA adds additional layers of authentication to the login process that can help prevent hackers from holding your systems hostage in a ransomware attack or making off with your most valuable information in a mobile data breach.  There are many kinds of MFA. The most common varieties include SMS token authentication, in which you receive a one-time passcode upon attempting to log in; email token authentication, in which you get the same kind of code in an email message; and biometric authentication, in which fingerprints or other unique biometric information are used to verify your login attempt. Some apps and sites also allow you to use authenticator apps to protect your account. A business password manager like LastPass offers more sophisticated forms of MFA, like adaptive authentication, which combine biometric and contextual intelligence to prove your identity. According to recent research from Microsoft, over 99.9% of the Microsoft accounts that are compromised every month don't have MFA enabled. Clearly, businesses have an opportunity to improve their cyber security with MFA. There's a caveat, however. Because hackers are always on the lookout for a novel route into your systems, they are also co-opting the MFA process to stage some of their most audacious attacks. 

How hackers use MFA to attack businesses

In cyber security, there is always a trade-off between convenience and security. Sadly, it applies to MFA, too. Although SMS authentication is the most popular form of MFA because it is the most convenient option, it is also the least secure choice. A hacker can easily impersonate a target's phone in what's called a SIM swap scam, easily gaining access to incoming texts and completing the login process - all without the victim ever knowing. From there, it's open sesame and the bad actor can often move around within the company's network undetected. If you're thinking that an MFA attack is unlikely to come your way, know that hackers are counting on that false sense of security. If an MFA attack hasn't hit your company yet, it could be coming for your vendors - and that could also put your company at risk. As Gartner reports, the SolarWinds supply chain attack was only discovered when a security professional found it suspicious that an employee wanted to register a second phone for MFA.  Hackers are also using MFA to sneak into corporate networks using pass-the-cookie attacks, taking advantage of the fact that many browsers and websites store authentication information in cookies. Users find these cookies convenient because they can use them to stay logged in to their accounts without having to repeatedly verify that they are who they say they are, but unfortunately this convenience comes at a cost when cyber criminals steal that information to impersonate them and stage attacks using their credentials. 

How to protect your business from an MFA attack

After reading these stories about MFA-enabled attacks, you might understandably be grumbling that hackers are the reason why we can't have nice things. They're not all-powerful, though. You can protect your business from these kinds of threats by learning how to think like a hacker. Just as hackers use MFA to attack individuals and companies, you can strengthen your defenses by understanding how these attacks take place and responding accordingly. Adopt a zero trust approach to cybersecurity. Hackers exploit areas of trust in your security architecture as well as in your behavior. That SolarWinds security professional only discovered the supply chain attack because he found something fishy about the request for a second MFA-registered phone. Even the best security tools cannot protect a company that doesn't keep a watchful eye out for suspicious behaviors and activities. If you see something dodgy, investigate it. Take care with your MFA implementation. A poor or half-baked MFA implementation will not automatically give your business the protection it needs. With this in mind, look for tools that combine MFA with adaptive authentication techniques that can more accurately identify a user's identity.  Leave no MFA stone unturned. According to CSO Online, many businesses have excellent MFA in place, but they still use SMS authentication for the account recovery process. Make sure your MFA implementation addresses all authentication processes, not just the most obvious ones. Layer your cyber defenses. Hackers know that, more often than not, they have the run of the place once they've successfully logged into one of your accounts. Here, too, you need to think like a hacker to stop them in their tracks. Don't assume that MFA can protect you on its own. Rather, add additional cyber defenses to your systems. For example, some companies are moving toward a continuous authentication model in which users are asked to re-verify their identity at regular intervals. Offer regular security awareness trainings. Businesses need to design systems with zero trust in mind, but that will only get them so far. Your employees must also have a zero trust mentality when it comes to cyber security at work. This is even more important now that so many professionals are working from home. Teach them how to spot suspicious behavior and flag potential attacks in regular security awareness trainings.

Think like a hacker and protect your business from cyber attacks

Hackers are becoming more brazen and ambitious all the time, using every tool at their disposal to extort businesses in ransomware attacks and even threaten entire communities in water supply hacks. While their crimes are concerning to anyone who wants to stay safe on the internet, they also provide valuable clues on how you can strengthen your cyber defenses. By learning how to think like a hacker, you will have a far better chance of preventing cyber criminals from doing their worst damage.Now that cybersecurity insurance providers are mandating that multi-factor authentication be in place as a requirement to receive coverage from a cyberattack, understanding how to safeguard your MFA is as critical as ever.  Discover how LastPass' adaptive multi-factor authentication can protect your business.