Dive Brief:
- Multifactor authentication appeared in almost half of all security incidents the Cisco Talos incident response teams encountered during the first quarter of the year, according to data released Tuesday.
- In 25% of cases, incident response specialists responded to fraudulent MFA push notifications sent by attackers, Cisco Talos found.
- Users did not properly implement MFA in 1 in 5 Cisco Talos engagements, the firm said.
Dive Insight:
Multifactor authentication is, more often, playing a role in determining whether attackers can successfully penetrate network defenses.
Poorly configured MFA appeared in two of the biggest attack campaigns so far in 2024: a ransomware attack against Change Healthcare and dozens of attacks against Snowflake customers.
MFA was not set as default during the attack on Change. In the Snowflake attacks, impacted customers did not have MFA configured and the attackers used stolen credentials.
“One of the most important aspects of implementing MFA is making sure it's secure and effective,” Nick Biasini, head of outreach at Cisco Talos, said via email. “Basic MFA with SMS based notification is the least secure, but better than no MFA at all.
In an ideal situation, organizations would implement MFA using an app-based push with a challenge question, rather than relying on easily guessed passwords or credentials.
As part of the research, Cisco Duo examined a dataset of 15,000 push-based attacks from June 2023 through May 2024.
The research shows attackers are targeting the timing of push notification attacks for pre-work hours, often between 8 and 9 a.m. Many workers are on their phones at that time of day, getting caught up with the daily work schedule, and may therefore allow certain notifications to slip through, according to Cisco Talos.
Attackers are using multiple methods to bypass MFA, including stealing authentication tokens from employees before using them, research found. Social engineering techniques against IT departments are making an appearance, too, as are third-party contractor compromises.