No one is immune to breaches, as demonstrated last week when the networking giant Cisco reported a breach of its internal environment. Although reports indicate no significant harm was done, this breach presents an opportunity to reflect on the critical gaps in today’s identity protection landscape across key stages in an attack trajectory: the initial access and subsequent lateral movement.
The most conspicuous gap is the lack of real-time MFA protection within an internal environment. This means that once attackers gain initial access to a machine and successfully compromise user credentials, they can execute lateral movement unencumbered. Silverfort addresses these gaps with its Unified Identity Protection platform that can extend MFA protection to any user, system, or environment — including those that have never had this protection before.
The following summary is based on excerpts from the attack analysis published by Cisco’s Talos threat intelligence team and focuses on the stages that illustrate the identity protection gaps and respective security measures that Silverfort provides.
Table Of Contents
Stage 1: Initial Access
- The Attack: Employing MFA fatigue to lure users into allowing malicious access
“After obtaining the user’s credentials, the attacker attempted to bypass MFA using a variety of techniques, including MFA fatigue, the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving.”
- The Gap: Static MFA that doesn’t respond dynamically to targeted activity
In today’s world, security measures must be smart, which means being able to deduce the meaning of event patterns, communicate them to other security products, and respond accordingly. MFA push notification that is repetitiously prompted multiple times and gets denied in all of them is a clear indication that suspicious activity is taking place. Due to the high effectivity of MFA in preventing attacks that utilize compromised credentials to access targeted credentials, it is only expected that threat actors would respond with bypass techniques, making protection against them a necessity.
- Silverfort Protection: Automated MFA fatigue mitigation
Silverfort provides dedicated protection against MFA fatigue by suppressing user push notifications after five consecutive denied access attempts. Additionally, the user’s risk score is immediately elevated to alert the security team that the user has been targeted so they can act accordingly.
Stage 2: Lateral Movement
- The Attack: Accessing a wide range of systems using a compromised account
“After establishing access to the VPN, the attacker then began to use the compromised user account to log on to a large number of systems before beginning to pivot further into the environment. They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers.”
- The Gap: Lack of MFA for command-line access to systems
Command-line access tools – such as PsExec (used in this attack), PowerShell, and WMI – are the main utilities that admins use to access, configure, and troubleshoot remote machines. They are also the tools of choice for attackers to move laterally within an environment. And there is no solution that can enforce MFA protection on these interfaces due to the authentication protocols they use, which means there is no ability to block in real time an attacker who has compromised user credentials. This is the most critical gap in today’s security stack and the main reason why lateral movement attacks are still a frequent occurrence: because the technology in use hasn’t had to evolve.
- Silverfort Protection: MFA protection across all resources within the environment
This MFA protection applies regardless of the access method – RDP, PsExec, PowerShell, WMI, etc – and deprives attackers from reaping any value from the compromised credentials. Whenever an attacker attempts to perform a malicious login, Silverfort pushes an MFA notification to the actual user so they can deny access outright. And this is the first instance of real-time protection being introduced to the internal environment.
Stage 1A: Initial Access Revisited
- The Attack: Voice phishing luring employees to grant MFA approval
“The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept MFA push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user.”
- The Gap: MFA single point of failure
Humans are the weakest link of any security chain. Therefore, security teams should assume that a determined attacker will ultimately succeed in luring a user to act in an insecure manner. This is exactly why protection must be multi-layered: because in the Cisco attack, once VPN access was compromised the attackers never had to interact with the user again. Instead, under the cover of the compromised user accounts, they could theoretically access any resource they wanted.
- Silverfort Protection: Multi-layered MFA protection on all resources
Silverfort can enforce MFA on any resource, including the Citrix servers and domain controllers that were targeted in this breach. That means that even if the attackers’ voice phishing succeeded, they would have to repeat that action every time they wanted to access a new resource – ultimately arousing the suspicion of even the most trusting user.
Conclusion: Closing the Gap
Silverfort’s Unified Identity Protection platform addresses a longstanding gap that threat actors have been successfully targeting for over a decade – and most recently in the case of the Cisco breach. The takeaway is that the ability to have real-time, multi-layered protection against lateral movement is a key component of any security architecture.
Learn more about Silverfort’s lateral movement protection here.