MFA and Administrative Access Protection Are the Means. But to What End?


Every so often in cybersecurity it’s useful to reflect on things taken for granted and choices made — specifically why they were made and whether these things achieved their purpose. For example, let’s examine the use of MFA and the protection of administrative access. We know these are critical but why? Furthermore, what does it mean to not have these security measures in place?

In this article, we’ll examine some commonly accepted (but equally ignored) truths about the objectives behind MFA and privileged access control, the risks they mitigate, and the barriers to getting them fully deployed across an environment.

We’ll conclude by demonstrating how Silverfort’s Unified Identity Protection platform enables identity and security teams to close these gaps and ensure their environments are protected against account takeover, lateral movement, and ransomware spread.

Recap: What Are MFA and Administrative Access Controls?

MFA and administrative access controls augment the user authentication process by adding a protection layer on top of the basic username-password match. The rationale is that credentials can be compromised, which means an adversary would be able to log in with a legitimate username and password. MFA mitigates this scenario by challenging the user to verify their identity with a second factor (a hardware token, an authenticator app, a push approval) that the adversary is unlikely to possess. A Privileged Access Management (PAM) solution addresses the same risk from a different angle: it makes credential compromise significantly harder and shorter-lived by vaulting privileged passwords and rotating them regularly, so that a stolen password stops working soon after it is taken.

The False Purpose: A Checkbox Mentality That Inevitably Leads to Security Gaps

The most common error that identity and security teams make with MFA is mistaking the means for an end. Consider thought processes such as “We need to apply MFA in order to be compliant with regulation X,” or “We need to increase MFA coverage so we can show management we’re making progress.” This type of thinking is fundamentally flawed, because it guarantees that whenever a technological barrier to deploying MFA or privileged access controls appears (we’ll show examples later in this article), the deployment simply won’t happen. The compliance requirement gets satisfied with some vague compensating control, and protection coverage progresses only incrementally, by protecting what is easy to protect rather than what would substantially improve the environment’s resilience.

The reality is that the only way to achieve better protection is to keep constantly in mind what it is we are seeking to achieve. So let’s examine exactly what protection we want from MFA and administrative access controls, and which threats we are attempting to mitigate.

The True Purpose: Prevent Identity Threats Such as Account Takeover, Lateral Movement, and Ransomware Spread

Drilling down into the true purpose of these protections, what is clear is that it is really about preventing identity threats, i.e., any attack or attack component that involves the use of compromised credentials for malicious access. The most prominent examples are account takeover, lateral movement, and ransomware spread. This is a big deal because these are precisely the threats that introduce the highest operational risk to organizations today. So let’s understand why.

Identity Threats Are the Ultimate Damage Accelerators in Cyber Attacks Today

So why is identity threat protection a critical necessity? Let’s use the ransomware example to better understand why. Ransomware attacks typically start with an initial compromise of a workstation or server that provides the adversary with a foothold in the targeted environment. At this point, the damage is confined to a single machine. The X factor is the lateral movement stage, where the adversary uses compromised credentials to log in to additional machines in the environment until they reach a position that enables them to plant the ransomware payload on as many machines as possible. Now the attack has evolved from a local, single-machine event to one that can halt business operations.

How the Checkbox Mentality Puts Environments at Risk

This is exactly what MFA and PAM solutions are supposed to stop, and this is where a compliance checkbox mentality comes up short. In order to block identity threats, MFA and PAM protection must encompass all users, resources, and access methods. Anything less leaves adversaries an open door. However, the limitations of traditional MFA and PAM technology make achieving this level of coverage practically impossible.

The checkbox mentality is especially dangerous because both regulators and management may be satisfied that a best effort was shown, and identity teams may feel they have done their jobs to the best of their abilities. In reality, it is the adversaries who will be most satisfied, since their operations can continue through the unprotected paths without being challenged. To a large extent, this is unfortunately the identity protection status quo in many organizations today.

What Are the Technology Barriers That Prevent MFA and Privileged Access Control From Being Deployed Across the Entire Environment?

Now, let’s understand what the challenges are in ensuring that all users, resources, and access methods are protected.

Traditional MFA: Agent-Dependent With No Coverage for Active Directory Authentication Protocols

Traditional MFA products either require installing agents on the protected servers and workstations or placing proxies in front of network segments. In practice, this means there will always be machines without protection, either because they cannot accept additional agents (legacy or appliance systems, for example) or because the network architecture is too complex to front every segment with a proxy.

The second limitation is even more problematic. Active Directory’s (AD) authentication protocols, NTLM and Kerberos, were designed long before MFA came into being, and neither has a point in its exchange at which a second factor can be demanded from the user. This makes MFA inapplicable to the majority of AD authentication. So authentications via command-line access tools built on these protocols, such as PsExec, PowerShell Remoting (WinRM), and WMI (all of which are used extensively by admins to connect to remote machines), cannot be protected: they authenticate silently with the caller’s credentials and never present an interactive prompt. This is exactly why these are the tools of choice for lateral movement. The inability to protect them with MFA means that once an adversary has obtained valid credentials, nothing in the authentication path stops them from accessing as many resources as those credentials allow.

Privileged Access Protection: An Arduous Deployment Process With No Protection for Service Accounts

While PAM is considered the straightforward way to protect privileged accounts, it is also subject to two key limitations that significantly limit its effectiveness. The first is an extremely long and tedious onboarding process, which entails the manual discovery of every privileged account that needs protection as well as separate integrations with each individual component of the IT infrastructure.

The second is a fundamental mismatch between PAM’s vaulting and rotation mechanisms and the nature of machine-to-machine service accounts. Onboarding these accounts to the PAM is essentially impossible because: 1) there is no utility that provides instant visibility into these accounts, making their discovery a painstaking and often impossible effort, and 2) even after a service account is discovered, there is still no visibility into its source and target machines or the applications it runs. Without this information, you simply cannot rotate the account’s password without risking breaking the processes that depend on it.

These gaps in MFA and privileged account protection are the reason that compromised credentials have become a key attack surface, one that adversaries target with great success.
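The two barriers above share a practical consequence: if NTLM/Kerberos logons from PsExec, WinRM and WMI cannot be challenged, and service accounts cannot be rotated until their source and target machines are known, then the next best thing is to at least see those logons. The following is an added example written for this post, not Silverfort’s code and not a detection rule from any product. It runs over a handful of constructed Windows events (Security 4624 successful logons and System 7045 service installations, reduced to plain dicts as a SIEM would export them; all host and account names are hypothetical) and does two things: it flags an account fanning out from one source to many targets over network logons in a short window, the pattern the lateral movement paragraph describes, with the PSEXESVC service installation PsExec leaves behind, and it builds the source-to-target dependency map for a service account that a team would need before attempting rotation.

```python
"""Hunting lateral movement and mapping service-account dependencies from
Windows event records (added example; constructed data, not real telemetry)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events with hypothetical hosts and accounts.
# 4624 LogonType 3 = network logon, which is what PsExec, WinRM and WMI
# produce on the *target* host; "Source" is the originating workstation.
EVENTS = [
    # j.doe: one interactive logon and one share access, nothing unusual
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:00:00", "Computer": "FS01",
     "TargetUserName": "j.doe", "LogonType": 3, "AuthPackage": "Kerberos", "Source": "WS-JDOE"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:05:00", "Computer": "WS-JDOE",
     "TargetUserName": "j.doe", "LogonType": 2, "AuthPackage": "Kerberos", "Source": "WS-JDOE"},
    # svc_backup: legitimate machine-to-machine logons from the backup server
    {"EventID": 4624, "TimeCreated": "2024-03-01T01:00:00", "Computer": "FS01",
     "TargetUserName": "svc_backup", "LogonType": 3, "AuthPackage": "Kerberos", "Source": "BKP01"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T01:01:00", "Computer": "SQL01",
     "TargetUserName": "svc_backup", "LogonType": 3, "AuthPackage": "Kerberos", "Source": "BKP01"},
    # adm.ops: an admin account reaching four servers over NTLM from an HR
    # workstation within five minutes, with PsExec's service dropped on FS01
    {"EventID": 4624, "TimeCreated": "2024-03-01T14:02:00", "Computer": "FS01",
     "TargetUserName": "adm.ops", "LogonType": 3, "AuthPackage": "NTLM", "Source": "WS-HR07"},
    {"EventID": 7045, "TimeCreated": "2024-03-01T14:02:10", "Computer": "FS01",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T14:03:00", "Computer": "SQL01",
     "TargetUserName": "adm.ops", "LogonType": 3, "AuthPackage": "NTLM", "Source": "WS-HR07"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T14:04:00", "Computer": "DC01",
     "TargetUserName": "adm.ops", "LogonType": 3, "AuthPackage": "NTLM", "Source": "WS-HR07"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T14:06:00", "Computer": "APP02",
     "TargetUserName": "adm.ops", "LogonType": 3, "AuthPackage": "NTLM", "Source": "WS-HR07"},
    # svc_backup used from the same HR workstation: a service account being
    # abused from a host it never authenticates from
    {"EventID": 4624, "TimeCreated": "2024-03-01T14:08:00", "Computer": "APP02",
     "TargetUserName": "svc_backup", "LogonType": 3, "AuthPackage": "NTLM", "Source": "WS-HR07"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def network_logons(events):
    """Successful network (type 3) logons, oldest first."""
    return sorted((e for e in events if e["EventID"] == 4624 and e["LogonType"] == 3), key=_ts)


def lateral_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """(account, source) pairs that reach >= min_hosts distinct targets within `window`.
    Returns {(account, source): sorted target hosts} for the widest window found."""
    by_pair = defaultdict(list)
    for e in network_logons(events):
        by_pair[(e["TargetUserName"], e["Source"])].append(e)
    hits = {}
    for pair, evs in by_pair.items():
        best = set()
        for i, first in enumerate(evs):
            targets = {x["Computer"] for x in evs[i:] if _ts(x) - _ts(first) <= window}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_hosts:
            hits[pair] = sorted(best)
    return hits


def psexec_service_installs(events):
    """(host, time) for 7045 events whose service name or binary is PSEXESVC,
    the artifact the default PsExec leaves on each target."""
    return [(e["Computer"], e["TimeCreated"]) for e in events
            if e["EventID"] == 7045
            and "PSEXESVC" in (e.get("ServiceName", "") + e.get("ImagePath", "")).upper()]


def service_account_map(events, service_accounts):
    """{account: {source host: {target host: [auth packages]}}}: the dependency
    inventory needed before a vault can safely rotate the account's password."""
    acc = {a: defaultdict(lambda: defaultdict(set)) for a in service_accounts}
    for e in network_logons(events):
        if e["TargetUserName"] in acc:
            acc[e["TargetUserName"]][e["Source"]][e["Computer"]].add(e["AuthPackage"])
    return {a: {s: {t: sorted(p) for t, p in targets.items()} for s, targets in srcs.items()}
            for a, srcs in acc.items()}


def unexpected_service_sources(events, baseline):
    """Service-account logons from a source host outside the known baseline
    {account: {allowed source hosts}}; each hit is (account, source, target)."""
    return [(e["TargetUserName"], e["Source"], e["Computer"]) for e in network_logons(events)
            if e["TargetUserName"] in baseline and e["Source"] not in baseline[e["TargetUserName"]]]


if __name__ == "__main__":
    print("fan-out:", lateral_fanout(EVENTS))
    print("psexec:", psexec_service_installs(EVENTS))
    print("svc map:", service_account_map(EVENTS, ["svc_backup"]))
    print("svc from unknown source:", unexpected_service_sources(EVENTS, {"svc_backup": {"BKP01"}}))
```

On real data the same fields come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}` (and `LogName='System'; Id=7045`) collected from every endpoint, not just domain controllers, because type 3 logons are recorded on the target host. Note that everything here is after-the-fact detection: by the time `adm.ops` shows up on four servers the credentials have already worked, which is the page’s point about why a challenge has to sit in the authentication path itself. The dependency map is the opposite use of the same events, and it is exactly the information the service account paragraph says a PAM lacks before rotation; a week of logons per account is usually enough to see every source and target pair, and a service account authenticating from a host outside that set is worth an alert on its own.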

Silverfort Unified Identity Protection: MFA Everywhere and Automated Discovery, Monitoring, and Protection for Service Accounts

Silverfort has pioneered the first purpose-built Unified Identity Protection platform that can extend MFA to any user and resource, automate the discovery, monitoring, and protection of service accounts, and proactively prevent lateral movement and ransomware spread attacks. Silverfort connects to all Domain Controllers and other on-prem Identity Providers (IdPs) in the environment for continuous monitoring, risk analysis, and access policy enforcement on every authentication and access attempt made by users, admins, or service accounts to any user, system, and environment.

Identity and security teams use Silverfort’s platform to easily implement the required 360-degree coverage their environments need to gain protection against identity threats. Do you need to increase the coverage of your MFA protection across all your users and systems, or get visibility and protection into your service accounts? Schedule a call with one of our experts.

Stop Identity Threats Now