For over a decade, multi-factor authentication (MFA) has been a cornerstone of online security policies. However, as cyber threats evolve and cybercriminals turn to ever more advanced techniques, MFA alone is no longer sufficient to protect against attacks, explains Andy Swift, Cyber Security Assurance Technical Director at Six Degrees.
The cyber threat landscape is always evolving, which means our defences must keep up to date too. One alarming trend is the rise of Attacker-in-the-middle (AitM or token impersonation) attacks, where attackers attempt to bypass MFA protections by manipulating the approval of tokens. Assuming the attacker knows the username/password already via other means, these attacks come in several forms: a simple drive-by MFA fatigue-based attack carried out by authenticating with known credentials and sending MFA requests to a target device in the hope the target user approves the request; or, at the more advanced end of the spectrum, a more automated attack where the target gets redirected through a proxy that in turn, once authenticated, will strip the authentication token awarded for successful MFA completion for the attacker to use.
Both techniques have merit, and both are often delivered through those familiar-looking phishing campaigns that we have come to know and love. The key difference is it is no longer just the passwords and usernames being stolen, it is the tokens themselves.
These attacks are particularly concerning for the likes of Microsoft 365 and similar platforms, where MFA plays a vital role in defence. The question therefore is how we can mitigate the limitations of MFA in the face of such attacks and introduce additional security measures to protect victims and prevent data loss.
We are all familiar with how phishing attacks work: lure a victim to a seemingly authentic webpage using a convincing URL and then wait for them to log in, capture any credentials entered, rinse and repeat. This widespread phenomenon led to the rise in MFA, where push notifications, text messages, email and other mediums can be used to deliver a code to authorise access following successful submission of a username/password. With a lifespan of minutes, these MFA codes have proven a powerful riposte to low-level cybercrime.
However, cybercriminals can be just as if not more inventive than defensive security professionals. They soon discovered that by acting as a proxy between the phishing page and the legitimate destination, they could both forward the entered credentials and also intercept the tokens awarded by the target application for the successful completion of an MFA challenge. These tokens could then be used by the bad actor to effectively hijack the session.
Such an approach is known as a Token Impersonation Attack (TIA) or Attacker in the Middle (AitM) attack, and many experts believe they are now the go-to phishing tactic for targeting environments like Microsoft 365.
MFA has long been seen as a silver bullet for security. However, the rise of TIAs shows it is not bulletproof. That means we must bolster authentication by incorporating additional layers of identification – what’s known as conditional access. This enables admins to request extra identifying factors on top of the usual username, password, and token.
Such extra factors might be confirming an authorised location: either from specific countries via IP address, or from specific devices. These additional checks commonly take place behind closed doors and are transparent to the end user.
It is also worth noting that users are not always pleased to be location-limited, particularly if they travel extensively. The introduction of permanent/time-limited exceptions can be somewhat of a maintenance overhead and in such cases, the deployment of a corporate VPN for them to route through might well help restrict permitted access to a known good gateway.
Protecting against TIAs by restricting access to authorised devices is easier said than done: many organisations lack an up-to-date corporate asset and device inventory, which is really where we want to start. Especially since the rise of hybrid working and WFH, there is a considerable amount of ‘shadow IT’ – devices used to access corporate accounts but not on the corporate inventory. So, first things first: that old asset list you might have stashed away from five years ago might need an update!
Once you know who is using what and where you are well set to start applying restrictions both to types of devices and their locations. Bear in mind, though, that deploying conditional access is a sizable step. If the changes are not communicated well and users are left in the dark as to the ‘why’ you should expect integration complications and exception requests to be flooding your inbox shortly. Changes of this magnitude require leadership – and budget – from the top to bring everybody on board.
It is clear that, in the context of TIAs, MFA alone is no longer fit for purpose. This means that conditional access must play more of a role now and in the future. By making users demonstrate they are working on an authorised device and in an authorised location, TIAs can be stopped in their tracks… for now. As hackers and bad actors change tact and discover new techniques, it is incumbent on admins and users alike to adopt and embrace new approaches to authentication.