In article 21, the NIS2 Directive defines the minimum set of security measures regulated entities must implement to comply with its requirements. Section 2(j) relates directly to Multi-Factor Authentication (MFA), stating that the security measures should include:
‘The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.’
The interpretation of ‘where appropriate’ means wherever there is a likelihood that the lack of MFA protection could result in a cyber breach. In other words, entities should demonstrate that a) they have thoroughly assessed their identity attack surface to identify where malicious access performed by a threat actor is a critical threat, and b) they have mitigated this risk by enforcing MFA on these potential access attempts.
Breakdown NIS2 MFA Requirements
We can map the access points that need protection based on the following three aspects:
- User accounts – who are adversaries likely to target?
- Access methods – how do adversaries gain malicious access?
- Organizational resources – which resources are adversaries likely to target?
These are the questions that you as an identity security stakeholder must first answer to determine where MFA protection is needed. To best answer them, we’ll need to adopt the attacker’s point of view, based on numerous attacks we’ve analyzed, investigated, and prevented.
So, which users, access methods, and resources should you protect with MFA? Let’s examine them one by one.
MFA for privileged users whose compromise bears the highest impact
The compromise of privileged users is a prime goal for adversaries. These user accounts are entitled to access, execute code, and interact with data on multiple resources within the environment. In a typical environment these users are your admins, helpdesk, and IT teams, so placing MFA protection on these users is of paramount importance.
MFA for PsExec and Remote PowerShell access used by attackers for lateral movement and ransomware spread
Adversaries can use compromised credentials to perform lateral movement, scaling their initial access and spreading within the targeted environment. This spread is the key component behind mass ransomware and data theft attacks. Their tools of choice are command line access tools such as PsExec and Remote PowerShell. Enforcing MFA on users accessing resources via these tools is the ultimate protection against these attacks.
MFA for all applications and servers that are critical to your organization’s operations
Adversaries target critical resources to maximize the return on their investment, whether it is a ransomware attack that locks down mission-critical applications or the theft of sensitive business data or intellectual property. Identifying these resources and placing MFA protection on users’ access to them is thus a top priority.
Silverfort Unified Identity Protection Agentless MFA
Silverfort is the provider of the first Unified Identity Protection platform that delivers real-time protection against identity threats that use compromised credentials for malicious access. Silverfort’s unique integration with Active Directory enables it to extend MFA to any authentication within the AD environments across any user, authentication protocol and resource.
Native Integration with Active Directory Provides 100% MFA Coverage
How is it done? AD forwards every incoming access request to Silverfort. Silverfort analyzes the access request against the access policies in place, as well as known attack patterns or anomalies that could indicate a potential compromise. Silverfort’s analysis determines whether to allow access, block it, or verify the user’s identity with MFA. If verification is needed, Silverfort contacts either its own or any third-party MFA service to verify that the actual user has initiated the access request. Following the user’s response, Silverfort tells AD whether access is allowed. This architecture ensures full coverage of all authentications and access attempts within the protected environment.
Silverfort Protection for NIS2 MFA Requirements: Critical User Accounts, Resources, and Access Methods
Silverfort’s comprehensive MFA protection enables organizations to implement NIS2 MFA requirements. Let’s examine that in more detail:
Silverfort’s MFA for Privileged Users
Silverfort automates the discovery of all the users that belong to an administrative group and enables the configuration and enforcement of an MFA policy on these users in a single click. Moreover, Silverfort also discovers users that have been inadvertently assigned admin privileges (aka ‘Shadow Admins’) and configures policies that include these users in the MFA protection. In that manner, any adversarial attempt to leverage the compromised credentials of these users for malicious access will be blocked.
Silverfort’s MFA for Command Line Access
As explained earlier, Silverfort’s integration with AD enables it to extend MFA to all AD authentications. Until now, command line tools like PsExec and PowerShell were beyond the scope of traditional MFA solutions. This is because their legacy underlying authentication protocols, NTLM and Kerberos, don’t support the integration of MFA into their authentication process. Silverfort’s architecture obviates the protocol support issue because it’s able to analyze and gain insight into any authentication packet forwarded by AD. This makes Silverfort the only solution that can protect PsExec and PowerShell with MFA, effectively mitigating the risk of ransomware spread in the environment.
Silverfort’s MFA for Legacy Applications
Many organizations, especially in the verticals subject to the NIS2 directive, still rely on legacy applications for their core operations. Traditional MFA solutions are not a good fit here because incorporating MFA into these apps requires changes to the app’s source code – an operational risk most organizations are reluctant to take. However, again, Silverfort’s integration with AD enables it to seamlessly enforce MFA protection on any app that authenticates to AD, ensuring the organization’s critical resources have real-time protection against malicious access.
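To make the allow / block / MFA decision flow and the three NIS2 criteria above (privileged and shadow-admin accounts, PsExec / Remote PowerShell access, critical resources) concrete, here is a small added policy engine. It is illustrative code written for this page, not Silverfort's product logic; the group graph, the host names, the service-name markers for command-line access (PSEXESVC, WinRM) and the fan-out threshold are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed AD group graph: group -> direct members (users or nested groups).
GROUPS = {
    "Domain Admins": {"alice", "Tier0-Ops"},
    "Tier0-Ops": {"bob"},            # bob inherits admin rights only through nesting
    "Helpdesk": {"carol"},
    "Sales": {"dave"},
}
PRIVILEGED_GROUPS = {"Domain Admins", "Helpdesk"}   # assumed admin groups
CRITICAL_RESOURCES = {"erp-db01", "dc01"}           # assumed critical hosts
CMDLINE_SERVICES = {"PSEXESVC", "WinRM"}            # assumed PsExec / Remote PowerShell markers
SPREAD_THRESHOLD = 3                                 # assumed: distinct targets per source host

def expand(group, seen=None):
    """Recursively resolve a group's membership down to user principals."""
    seen = seen if seen is not None else set()
    users = set()
    for member in GROUPS.get(group, set()):
        if member in GROUPS:              # nested group: recurse, guarding against cycles
            if member not in seen:
                seen.add(member)
                users |= expand(member, seen)
        else:
            users.add(member)
    return users

def privileged_users():
    """Direct admins plus 'shadow admins' reachable only via nested groups."""
    return set().union(*(expand(g) for g in PRIVILEGED_GROUPS))

@dataclass
class AccessRequest:
    user: str
    source: str
    target: str
    service: str   # service the authentication was for, e.g. "cifs", "PSEXESVC", "WinRM"

def decide(req, history):
    """Return (verdict, reason) for one forwarded request.
    history maps source host -> set of targets it reached via command-line tools."""
    reached = history.setdefault(req.source, set())
    if req.service in CMDLINE_SERVICES:
        reached.add(req.target)
        if len(reached) >= SPREAD_THRESHOLD:   # one host fanning out: lateral-movement pattern
            return "block", "command-line fan-out resembles lateral movement"
        return "mfa", f"{req.service} remote execution"
    if req.user in privileged_users():
        return "mfa", "privileged or shadow-admin account"
    if req.target in CRITICAL_RESOURCES:
        return "mfa", "critical resource"
    return "allow", "no policy triggered"
```

Running the same source host through successive PsExec and WinRM authentications moves it from an MFA challenge to an outright block once the fan-out threshold is reached, while a plain file-share access by a non-privileged user to a non-critical host is allowed.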