Last week Cisco released a security incident statement and an accompanying blog post about a breach that occurred in late May in which non-sensitive data was stolen. The initial attack targeted an employee's personal Google account, where their corporate credentials had been stored by a password manager.
Like many of the recent breaches we have seen, the threat actors used an increasingly popular method to bypass MFA once the employee's credentials were obtained. Prompt bombing, sometimes called MFA fatigue, is when threat actors send a flood of push notifications to the target's mobile device. Prompt bombing relies on annoyance and inconvenience: the attackers hope that a high volume of push notifications, delivered while the target is asleep, will trick them into approving one, or that they will approve one accidentally while trying to silence their device.
Once the attackers bypass the MFA, the most common next step is enrolling new devices for MFA, which is precisely what they did in this situation. They also deployed a variety of post-exploitation tools.
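The sequence described above, a burst of push prompts, an approval, and then a new device enrollment, is visible in MFA logs. As an added example that is not Cisco's or Twosense's code, the following script flags that pattern; the log format, event names and thresholds are assumptions, and the log lines are constructed:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA log lines (not from the Cisco incident):
# timestamp, user, event
SAMPLE_LOG = """\
2022-05-24T02:01:05Z alice push_sent
2022-05-24T02:01:40Z alice push_sent
2022-05-24T02:02:15Z alice push_denied
2022-05-24T02:03:02Z alice push_sent
2022-05-24T02:03:50Z alice push_sent
2022-05-24T02:04:30Z alice push_approved
2022-05-24T02:09:12Z alice device_enrolled
2022-05-24T09:15:00Z bob push_sent
2022-05-24T09:15:20Z bob push_approved
"""
BURST_WINDOW = timedelta(minutes=10)   # how far back to count prompts before an approval
BURST_THRESHOLD = 3                    # prompts in that window that make the approval suspicious
ENROLL_WINDOW = timedelta(minutes=30)  # enrollment this soon after a suspicious approval is flagged

def parse_log(text):
    """Group (timestamp, event) pairs per user."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, user, event = line.split()
        events[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event))
    return events

def detect_fatigue(text):
    """Return {user: reason} for approvals that followed a burst of prompts,
    noting when a new MFA device was enrolled shortly afterwards."""
    alerts = {}
    for user, evs in parse_log(text).items():
        evs.sort()
        for i, (ts, event) in enumerate(evs):
            if event != "push_approved":
                continue
            burst = sum(1 for t, e in evs[:i] if e == "push_sent" and ts - t <= BURST_WINDOW)
            if burst < BURST_THRESHOLD:
                continue
            reason = f"approval after {burst} prompts within {BURST_WINDOW}"
            if any(e == "device_enrolled" and timedelta(0) <= t - ts <= ENROLL_WINDOW
                   for t, e in evs[i + 1:]):
                reason += "; new MFA device enrolled shortly after"
            alerts[user] = reason
    return alerts

if __name__ == "__main__":
    for user, reason in detect_fatigue(SAMPLE_LOG).items():
        print(f"ALERT {user}: {reason}")
```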
As a form of social engineering, prompt bombing is a difficult tactic to defend against. Research and past breaches both show that human error is one of the most significant hurdles for an organization to overcome. Roughly a quarter of all data breaches can be attributed to user error.
There is no malice on the user's part; that’s why prompt bombing is so insidious. We can all understand the target's urgency to end the bombardment of dings and the repeated light-up of their phone in the middle of the night.
So, how do you defend against an assailant in the middle of the night?
A tale as old as, well, MFA. Mobile-based multi-factor authentication solutions will not stop phishing attacks. As MFA becomes increasingly adopted, threat actors will become more and more determined to find ways to bypass it.
As we have mentioned in previous blogs, phishing-resistant MFA is one of the most integral components of creating a truly zero-trust architecture. This framework was heavily advocated for in January by the White House in an OMB memo, “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles.”
Twosense MFA products are built on zero trust principles and are unique because the user does not actively participate in the MFA challenge. Both products, Passive MFA and Continuous MFA, use machine learning to drive passive biometrics, which complete the authentication process. Biometric factors are unique to each individual user, making them impossible to fake. This approach is completely phishing-resistant because there are no keys or codes that can be handed to an attacker in the event of a phishing attempt.
For organizations that want protection beyond the point where a threat actor has bypassed MFA, the Continuous MFA product can also detect a malicious user within one minute should they remote into a machine with the Twosense agent installed.
As attackers continue to find new ways to circumvent security measures, it is crucial that organizations stay one step ahead. With 3 simple steps, admins can deploy MFA everywhere, on every app, all the time, and help safeguard themselves against attacks such as these.
Schedule your demo with our team here.