Transcript
This transcript has been edited for clarity.
Mathew Schwartz: Hi, I’m Mathew Schwartz, executive editor with Information Security Media Group. Joining me to discuss multifactor authentication bypass attacks and how to defend against them is Joe Toomey, Head of Security Engineering at cyber insurer Coalition. Joe, thanks for being here.
Joe Toomey: Thanks for having me, Mathew, greatly appreciate it.
Mathew Schwartz: I’m excited to talk about multifactor authentication. It’s been a big, hot topic in the industry for a while now, with good reason. As you’ve previously noted, though, it’s no panacea. Although when deployed correctly, it can definitely help. So with that little preamble in mind, Joe, I’m interested to hear what your policyholders at Coalition have been seeing when they see attackers trying to bypass their multifactor authentication defenses?
Joe Toomey: Great question and I’ll amplify what you said: MFA is really good and important, and everyone should be using it. There are different types of MFA, and they come with different levels of investment on the part of the company that deploys it. And with adversaries, we should expect this in the security industry: We signed up to play cat and mouse. We know adversaries are going to change their tactics. If we put a prevention in place, we put a protection in place, they will adapt to try and get around that, and we have seen them doing that in a number of different ways; things that are kind of novel and newsworthy.
We hear about things like push fatigue attacks, we hear about SIM swapping, defeating SMS-based MFA. In terms of prevalence, the thing that we see the most is probably not as newsworthy, because it happens so much, and that’s just proxying to steal your OTP tokens. So all three of those things are things that we see with our policyholders. Coalition has its own incident response company called Coalition Incident Response and we’ve seen all of these types of MFA bypasses.
The most prevalent is certainly OTP session hijacking. What that looks like is, you have a one-time code, a one-time password. So you have the authenticator application on your phone, when you try to log in, it says: What’s the code? You look up the code. And the way that those bypass attacks work is typically an attacker will have a fake website that looks just like the Microsoft login website, you type in username and password and hit OK. They proxy that. So they get your username and password, they send it to Microsoft, Microsoft’s site asks them for the code, they ask you for the code in a page that looks just like Microsoft’s, you enter the code, and they have that window of 60 seconds, or however long it is, they send the code to Microsoft and then they’re in. That’s very prevalent. There are phishing kits that are available and very cheap to enable an attacker – they don’t have to design the website and make it look right. It’s just $10 or whatever it costs and they can impersonate you.
Mathew Schwartz: That’s really challenging. You’ve been in the security field for a while. I don’t know if you sometimes are surprised by the ingenuity of attackers? I mean, these sound like some relatively low-tech approaches, certainly SIM swapping – either tricking somebody, or paying them off, I suppose as well, to give you somebody else’s number. There’s maybe social engineering there, or maybe just straight-up fraud or blackmail, not to get too grandiose about it. Or like you say, these toolkits which are readily accessible, or the bombing, MFA fatigue, where literally this ping keeps going and going and going until finally you say, go away. Attackers, like so many things, only need this to happen once. This is low-tech stuff, some of this.
Joe Toomey: It is, although in some cases, such as the OTP session hijacking, you have to build the proxying infrastructure, so it’s maybe a little bit more work. But now you don’t have to even do that, because now they’ve commoditized it. It’s just something you buy.
I am impressed by the ingenuity of attackers, all the time. I think you can tell when someone is a security person, because when you describe some terrible attack in technical detail, instead of saying: “Oh, God,” they go, “Oh, cool!” Right? I have a begrudging appreciation for the ways that adversaries go about defeating the protections that we put in place, but that’s what makes the job interesting. We have to go and figure out the next way to prevent that bypass, and keep protecting the people that we’re charged with protecting.
Mathew Schwartz: With these different types of attacks that you’re seeing, what sort of defenses are you advocating for policyholders? Or of course anybody else who doesn’t want to get owned via weak MFA?
Joe Toomey: The answer, as always, is that it depends on who you are, what your budget is, what your threat model is. But at a very high level, the first thing I would say is: you shouldn’t be using SMS MFA anymore. I don’t see any good explanation for a business to use SMS two-factor authentication. Sometimes I hear from friends, like after I post about MFA weaknesses. Someone will say: my bank still uses SMS. My response is typically, well, do you have less than $200,000 in your account? Because as long as you do, you’re FDIC-insured. And those kinds of businesses are catering to a very non-technical audience. Like, grandma doesn’t have maybe even a smartphone, but she can receive a text message, maybe. I think at this point, everybody has a smartphone. In any case, maybe opening an authenticator app is too much for that person, but they can get a text and cite the number.
Now for a business that’s got professionals employed, I think there’s no excuse for using SMS MFA anymore. In terms of what do you do beyond that, I would strongly encourage companies to try and protect themselves against OTP hijacking, and there are a couple of ways to do that. FIDO2 is probably the best and strongest solution that we have. It’s not free; it requires some hardware support. So maybe you’re buying YubiKeys, or if you’re lucky, everybody uses a MacBook that has a Touch ID sensor. But there’s some hardware support that’s required to implement that. If you’re a Microsoft shop, Microsoft does have a feature that they call token protection, that enables you to bind the token to a single device, and allow the operating system to enforce the fact that no other device is able to actually make a cryptographically strong connection using that same token. That’s also not free.
I don’t have a quotable opinion on charging for security features for the products that you build, but either way, those are things that companies can do. Maybe disabling push notifications is a pretty easy thing to do too. Yes, it adds a little more friction for your employees, but it reduces that piece of the attack surface. Ultimately, it just comes down to what your threat model is. But I will say, we see these bypasses being executed on companies that are not targeted. So it’s not like you have to be a Google or a Cisco or a Microsoft for somebody to come after you. It’s pretty low-hanging fruit to carry out one of these attacks. You can be a small business and still be targeted by something that uses this type of technique.
Mathew Schwartz: Great defensive advice. Now, a bigger-picture question for you. When I speak with security experts such as yourself, who are rich in their understanding of the nuances of some of this technology, there is a lot to dig into. One of the things is that MFA doesn’t necessarily always mean MFA. I mean, it’s a concept, but the way that different products deliver it can differ. I’m hearing from some CISOs, for example, how challenging it can be for the engineers on their teams to know all of the ins and outs of an identity platform, or the ways in which it might get bypassed. Or they might reasonably expect it to behave in a certain way. But as attacks have shown – especially against some big names that we’ve seen, when people are really going for the gold – these platforms sometimes seem to work in novel ways that you wouldn’t have thought would have been possible, but obviously they were.
Joe Toomey: That’s a really broad question and I’ll be cautious in how I respond to it. But noting the fact that there have been some big, newsworthy attacks, if you look at the types of techniques and the ways that adversaries have gone about getting access – for example, with the Okta issue where there were logs stored by the support team, and attackers got access to the logs. From the logs, they were able to gather additional information from files that were stored by Chrome that contain credentials they shouldn’t have contained.
From a CISO perspective, I would say the most important thing is: do your research and figure out what you want to do from an identity platform standpoint, and then accept the fact that it’s a significant investment. Like, it’s going to be a project that’s going to take time, and it’s going to take some of your budget, and for CISOs, it’s always a big consideration. So, maybe I could do FIDO2. But I have to spend, you know, X thousand more dollars to go buy YubiKeys, when I could use that on this other product that maybe I think will also help.
It’s math, fundamentally. You have to figure out where you want to invest that budget. But I would say, identity is absolutely something that is under attack. We are all web-connected. There are so many people who work from home, see my nice home office here. I haven’t been in an office in 13 years, except for travel. And so protecting identity is very important. There are a lot of good vendors out there. And you’re right. Implementation can be complex and time-consuming. But ultimately, there are lots of good solutions that will help you protect identity and you should absolutely invest.
Mathew Schwartz: One of the solutions that I believe Coalition advocates as being useful, where applicable, is managed detection and response, including 24/7 monitoring. I have long heard this as a recommendation for organizations, especially smaller and midsized organizations, but in some cases also for larger organizations. So what is the equation for you with MDR and MFA?
Joe Toomey: So MDR and MFA, from my perspective – working at a cybersecurity insurance company – are both meaningful, significant compensating controls. These are things that level up your overall security posture in very different ways.
MFA helps with your identity and access management. So, do I really know that you’re you before I give you access to the things that you’re supposed to access? MFA can really, really, really help with that.
MDR really levels up your ability to evict an adversary. If you look at what cyber insurance has emphasized over the past five years, it was pretty common for cyber insurance to say, “You have to have EDR.” Well, the interesting thing about EDR is that technically speaking, EDR is about detection. I mean, the acronym is endpoint detection and response. But the response part of it is really an enabling thing. EDR is positioned as: we give you the tools to respond, if we detect something that you need to worry about. But we don’t respond; that’s your job, your SOC’s job.
So if you have a 24/7 SOC and EDR, they are not just using EDR? They’re using network telemetry, looking at email logs and all the things that a good SOC does. But not everybody has a SOC. And not everybody who has a SOC has a 24/7 SOC.
If you’re spending a lot of money on EDR and nobody’s actually watching the alert telemetry, I’ll ask you a rhetorical question: How often do you think ransomware runs only in Pacific time zone business hours? Never. It’s the middle of the night on a Saturday? Or a long weekend, if they can manage it.
So you’re paying for eyes on the glass with MDR, you’re paying for someone else to watch those events, and the winning play with MDR is the same as the winning play with EDR, which is: the adversary got in, and this is part of defense in depth.
You have lots of things that keep the adversary out. But sometimes they fail, and now the adversary is in and they’re doing something, and the thing that they’re doing is not malicious enough for your endpoint protection product to just block it. In fact, if you ever look at the logs, if you look at what happens in one of these attacks, usually the endpoint protection does block it the first time, the second time, the third time, but the adversary is in there, so they can keep trying more stuff. Meanwhile, your EDR is blowing up. Sirens are going off, bad things are happening. But if there’s no one looking?
That’s really the hidden jewel of MDR: adversary eviction. We used to call it free ransomware eviction, because so often, if you see what they’re doing, they’re trying to escalate their privileges, they’re trying to move laterally, and they’re basically figuring out: what can I go encrypt, what can I exfiltrate and extort this company for?
What an MDR typically does is, when that alert happens, somebody on the MDR team goes and looks, and they say: This is definitively malicious activity, so I’m going to quarantine this endpoint, or I’m going to change the policy to prevent this program from running and terminate that process, or take whatever steps they need to, to stop that adversary from being able to go any further. And that’s the big one with MDR.
So it’s a huge boon for small companies. You mentioned big companies and I’ve seen a lot of large companies also buy MDR. Even if they have a 24/7 SOC, it’s just an extra layer of protection for what amounts to a little bit more than you’re paying for EDR already.
Mathew Schwartz: And so, I believe also with policyholders, you incentivize using some form of MDR, given the upside of it?
Joe Toomey: We absolutely do. We’ve launched a program where you’re eligible for what can amount to at times a pretty significant premium discount if you’re using MDR. We have a set of preferred MDR providers. Coalition is one, but we accept a number of others as well. There are a lot of good MDR firms out there – sometimes offered by the company that makes the EDR, sometimes a third party that really specializes in threat hunting, or maybe does a better job protecting the platforms that you are using. Maybe you’re a Mac shop, and so you want somebody who does a really good job protecting Macs. So you are absolutely eligible for a somewhat significant premium discount with Coalition if you have MDR from a good provider.
Mathew Schwartz: Great stuff. Well, Joe, thanks so much for diving into all the acronyms today. We’ve got MFA, MDR, we hit on EDR. I’d say we’ve done a great job here. Thank you so much.
Joe Toomey: I really appreciate your time and your questions, Mathew. Thanks very much.
Mathew Schwartz: Thank you. So I’ve been speaking with Joe Toomey of cyber insurer Coalition. I’m Mathew Schwartz with ISMG. Thanks for joining us.