Twosense Blog

Phishing-Resistant Continuous MFA + 1-Minute Threat Detection

Written by Twosense | Jul 5, 2023 3:14:44 PM

The average breach takes 3-6 months of recon before an attacker makes their move. According to IBM, it takes an organization roughly 197 days to identify a breach and then another 70 days to contain it. Twosense Continuous MFA enables contact centers to detect a malicious user within one minute. In an ever-changing digital landscape, it is imperative that organizations stay one step ahead of threat actors.



BPOs Are At High Risk

BPOs are particularly vulnerable to being targeted in breaches because attackers know that they are a back door into their customers' infrastructure. While targeting contact centers is not new, it has become increasingly common. One example is the Okta breach that occurred in 2021, when a threat actor gained access to sensitive information via an agent at Sitel's contact center, compromising some of its clients' information.

With contact centers seen as a treasure trove of data, they are constantly at risk of a variety of tactics, such as RDP attacks, MFA prompt bombing, and collusive threats from compromised internal employees. 


RDP Attacks Are Becoming More Common

A Remote Desktop Protocol (RDP) attack is a type of data breach carried out through a user's remote desktop session. RDP lets one computer connect to another computer or network remotely, without physical access to it. With contact centers facing identity security challenges, a lack of proper security measures, such as multi-factor authentication, leaves them vulnerable to these attacks.


Collusive Threats Are Hard To Prevent

Collusive threats are a subset of malicious insider threats where one or more employees collaborate with an external threat actor, often for illicit profit, to compromise an organization. Although this scenario has largely been kept out of the public eye, it is happening, and the consequences are disastrous.



The Anatomy Of A Data Breach

As data breaches become increasingly common and threats constantly evolve, so must security practices. In 2022, contact centers saw a significant increase in cyber attacks, with roughly 4,100 publicly disclosed data breaches occurring and 22 billion records being exposed.

What is a data breach? A data breach occurs when security controls are bypassed to gain access to a network or system, and sensitive, protected, or confidential data is then copied, transmitted, viewed, stolen, or used by an individual who is not authorized to do so. Other terms include unintentional information disclosure, data leak, information leakage, and data spill.

How data breaches happen:

Research: The cybercriminal looks for a weakness in the target's people, systems, or networks. This may include conducting research on the company's employees and infrastructure. This phase can take months before an attacker gains the credentials they need.

Credential Theft: The cybercriminal obtains stolen credentials through cybercriminal marketplaces or via social attacks such as a phishing email, spam that carries malware, or even physical access to the company's premises gained by posing as office housekeeping staff.

Lateral Movement: The attacker uses infrastructure, system, and application weaknesses as well as techniques like SQL injection, vulnerability exploitation, session hijacking, and the like in order to penetrate the targeted organization's network further. This phase can also take months before the attacker finds the valuable data they want.

Exfiltration: The cybercriminal extracts data and transmits it back to their own systems. This data can be proprietary or sensitive in nature, or it can comprise credentials they may need for another attack or to gain higher privileges inside the target's network. The cybercriminal may have to stage more than one attack to gather enough information and gain a foothold in targeted systems to keep transmitting data.

Researchers at Stanford University found that 88% of security breaches had an element of human error. The same research determined that 25% of breaches resulted from social engineering or phishing emails. This highlights why traditional MFA cannot provide contact centers with the necessary security. While agents may not intend to fall for a phishing email or approve a prompt-bombing MFA challenge, they are still human and will inevitably make a mistake.


Notable Breaches That Could Have Been Prevented with Continuous MFA

Sitel/Okta - Lapsus$
The Sitel/Okta breach occurred when Lapsus$ used social engineering to gain access to a customer support engineer's system, which allowed them to access vital information and settings. Lapsus$ is also tracked as the threat actor group DEV-0537.

Robinhood - Unknown
The Robinhood breach started with a phone call to Robinhood's customer support, according to the statement that was released. The hacker relied on social engineering to convince an employee to provide "access to certain customer support systems," Robinhood said, circumventing all of the security and access control systems.

SolarWinds - Nobelium
In this hack, the suspected state-sponsored group Nobelium, often referred to by researchers simply as the SolarWinds hackers, gained access to the networks, systems, and data of thousands of SolarWinds customers. The scope of the hack was unprecedented and one of the largest, if not the largest, of its kind to date.


How Would Continuous MFA Have Prevented These Breaches?

Unphishable MFA
In many cases, the attack would never have reached the customer network if the user hadn't been fooled or annoyed into granting the attacker access. Twosense does not give the user the power to hand off a key or incorrectly respond to a push notification.

Notice the first RDP attack
Twosense Continuous MFA can detect a malicious user within one minute of their remoting into a machine with the Twosense agent installed. When attacks take months, reacting within one minute solves the problem before it can grow.

Lock the user out when their present behavior doesn’t match their historical behavior
The user's session can be resumed once backup MFA has been passed or a supervisor gets involved. With supervisors in the loop, the user's identity can be confirmed by a manager who checks video footage or contacts the user. This step does not require IT involvement.

Get the security team involved
If a user cannot pass a fallback MFA check or if a manager can’t verify their identity, Twosense will notify the IT or Security Ops team to begin an investigation.
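The four steps above describe an escalation flow: a per-window behavioral check, a lock when present behavior drifts from the historical baseline, a resume on fallback MFA or supervisor confirmation, and a hand-off to Security Ops when neither succeeds. The following is an added illustration of that flow as a small state machine; it is not Twosense's code, and the single behavioral feature it scores (inter-keystroke interval in milliseconds), the drift threshold, and the sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from statistics import mean


class State(Enum):
    ACTIVE = "active"        # continuous check passing
    LOCKED = "locked"        # present behavior drifted from the historical baseline
    RESUMED = "resumed"      # fallback MFA passed or a supervisor confirmed identity
    ESCALATED = "escalated"  # neither check passed: hand to IT / Security Ops


@dataclass
class Baseline:
    """Historical behavior for one agent. Assumed feature: inter-keystroke interval (ms)."""
    mean_ms: float
    stdev_ms: float


def drift(baseline, window_ms):
    """Distance of the observed window mean from the historical mean, in baseline stdevs."""
    if not window_ms or baseline.stdev_ms <= 0:
        return 0.0
    return abs(mean(window_ms) - baseline.mean_ms) / baseline.stdev_ms


def check_window(baseline, window_ms, max_drift=3.0):
    """One check over roughly a one-minute window; repeated for the life of the session."""
    return State.LOCKED if drift(baseline, window_ms) > max_drift else State.ACTIVE


def resolve_lock(fallback_mfa_passed, supervisor_confirmed):
    """After a lock: resume on either verification, otherwise escalate to the security team."""
    return State.RESUMED if (fallback_mfa_passed or supervisor_confirmed) else State.ESCALATED


def run_session(baseline, windows, fallback_mfa_passed=False, supervisor_confirmed=False):
    """Walk a session window by window. Returns (final state, index of the locking window or None)."""
    for i, window in enumerate(windows):
        if check_window(baseline, window) is State.LOCKED:
            return resolve_lock(fallback_mfa_passed, supervisor_confirmed), i
    return State.ACTIVE, None


# Constructed sample data: the agent normally types at ~180 ms intervals; the
# intruder who remoted in types at ~95 ms, well outside the agent's baseline.
AGENT = Baseline(mean_ms=180.0, stdev_ms=20.0)
NORMAL_WINDOW = [175.0, 182.0, 190.0, 178.0, 185.0]
INTRUDER_WINDOW = [92.0, 98.0, 95.0, 101.0, 90.0]

if __name__ == "__main__":
    print(run_session(AGENT, [NORMAL_WINDOW, NORMAL_WINDOW]))                           # stays ACTIVE
    print(run_session(AGENT, [NORMAL_WINDOW, INTRUDER_WINDOW], supervisor_confirmed=True))  # LOCKED then RESUMED
    print(run_session(AGENT, [NORMAL_WINDOW, INTRUDER_WINDOW]))                         # LOCKED then ESCALATED
```

The lock fires on the first window that drifts, which is the one-minute reaction the post describes; what happens next depends only on which verification path (if any) succeeds.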


Continuous MFA, Continuous Protection

When it comes to protecting customer data, it is crucial that contact centers have solutions that work. With continuous monitoring and phishing-resistant biometrics, Twosense Continuous MFA helps BPOs set themselves apart from their competition with a best-in-class identity security solution. As the only solution capable of checking users' identities hundreds of times daily, Continuous MFA detects every attempt by a malicious user to access a protected machine. Additionally, Continuous MFA does not require any participation from users, making it completely invisible to them. This enables security teams to deploy phishing-resistant multi-factor authentication everywhere, improving the organization's security posture without negatively impacting usability or agent efficiency.