Identity Under Siege: Why Attackers Are Targeting MFA Gaps and How to Respond

Cyberattacks are becoming more frequent and sophisticated, with identity as the main target for threat actors and ransomware as a service (RaaS) providers. A staggering 83% of organizations have experienced breaches involving compromised credentials, a clear indicator that identity-based attacks are becoming the go-to strategy for attackers. This alarming statistic forms the foundation of the AIG & Silverfort white paper, “Identity Has Become the Prime Target of Threat Actors”, which sheds light on how attackers are exploiting gaps in identity and access management (IAM) strategies, especially where multi-factor authentication (MFA) is either misconfigured or not fully deployed.

Why Identity Is the New Battleground

The increasing reliance on users’ identities across cloud, hybrid and on-prem environments has turned identity into a critical security battleground. Once considered secure with basic MFA in place, credentials have become a common point of entry for cybercriminals. Attackers are finding ways to bypass traditional MFA methods, whether it is through phishing, social engineering or direct compromise.

One of the primary reasons for this security gap is the incomplete implementation or misconfiguration of MFA across all critical systems. This includes legacy infrastructure and privileged accounts. MFA coverage is typically limited to web-based and cloud-based applications, leaving older systems and administrative resources unprotected. The gap provides attackers with a direct pathway for infiltrating networks, escalating privileges and deploying ransomware.

The Challenges of Implementing MFA

While MFA is widely recognized as one of the most effective defenses against identity-based attacks, many organizations struggle to implement it comprehensively. Some of the key challenges include:

  1. Legacy Systems Don’t Support MFA: Older systems and applications do not natively support MFA, making it difficult for organizations to secure these resources without significant infrastructure upgrades.
  2. Outdated Insecure Authentication Protocols: Protocols like NTLM and Kerberos, still used in many on-prem environments, were not designed with modern security controls in mind. They leave significant gaps in protection that MFA doesn’t always cover.
  3. Misconfigurations: Even where MFA is in place, misconfigurations can leave systems vulnerable to compromise. For example, MFA may be applied at the perimeter but privileged accounts—arguably the most critical—might lack proper protections within the internal network.
  4. Agent-Based Limitations: Traditional MFA implementations often rely on agents or proxies that are difficult to deploy across diverse infrastructures, leading to coverage gaps.

The Consequences of Incomplete MFA

The AIG & Silverfort white paper highlights several real-world examples where MFA failures have led to devastating breaches. In one instance, a company’s employee credentials were compromised through a Citrix gateway that wasn’t protected by MFA. By compromising a privileged account, the attackers gained access to the network, moved laterally within it, and eventually deployed ransomware.

There is a critical lesson to be learned from this example: MFA gaps, particularly in privileged access management (PAM), can lead to catastrophic consequences. With access to a privileged account, attackers can easily execute ransomware or exfiltrate data.

The breaches involving Clorox, MOVEit Transfer software, Zellis payroll software, and Change Healthcare are other notable incidents that could have been prevented with a unified approach to MFA.

Addressing MFA Gaps: A Unified Approach

To combat these security gaps, the AIG & Silverfort white paper emphasizes the need for a unified, comprehensive approach to MFA. Rather than applying MFA selectively or relying on outdated methods, organizations should strive to extend MFA coverage across all resources—cloud, on-premises, legacy systems, and privileged accounts. This involves:

  • Assessing and closing gaps: Conduct a thorough risk analysis to identify misconfigurations and areas where MFA is absent.
  • Prioritizing privileged accounts: Protect administrative and other privileged accounts with stringent MFA policies.
  • Protocol-Agnostic Solutions: Implement MFA solutions that work across all types of authentication protocols, including older systems that use insecure protocols which don’t support modern MFA natively.
  • Phishing-Resistant MFA: Apply advanced MFA methods that are resistant to phishing and social engineering attacks, such as hardware tokens or biometric authentication, rather than relying on SMS-based or telephony-based MFA, which can be intercepted.
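The gap assessment described in the list above can start as a simple audit over an inventory of access paths. The following is an added example, not code from the white paper or from Silverfort; the CSV columns, the sample rows and the scoring weights are assumptions made for illustration.

```python
import csv
import io

# Constructed inventory of access paths (not real data). Column names are assumptions.
INVENTORY_CSV = """resource,protocol,account,privileged,mfa_method
vpn-gateway,SAML,jdoe,no,sms
citrix-gateway,HTTPS,svc-helpdesk,yes,none
file-server,NTLM,asmith,no,none
domain-controller,Kerberos,da-admin,yes,none
hr-saas,OIDC,jdoe,no,hardware_token
erp-console,RDP,erp-admin,yes,telephony
"""

LEGACY_PROTOCOLS = {"ntlm", "kerberos"}   # on-prem protocols the article names
INTERCEPTABLE_MFA = {"sms", "telephony"}  # methods the article calls interceptable


def audit(csv_text):
    """Return findings sorted so privileged, unprotected paths come first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        privileged = row["privileged"].strip().lower() == "yes"
        method = row["mfa_method"].strip().lower()
        protocol = row["protocol"].strip().lower()
        issues = []
        if method in ("", "none"):
            issues.append("no MFA")
            if protocol in LEGACY_PROTOCOLS:
                issues.append("legacy protocol outside MFA coverage")
        elif method in INTERCEPTABLE_MFA:
            issues.append("MFA method is not phishing-resistant")
        if not issues:
            continue
        # Assumed weighting: missing MFA outweighs weak MFA; privilege doubles it.
        score = (2 if "no MFA" in issues else 1) * (2 if privileged else 1)
        findings.append({"resource": row["resource"], "account": row["account"],
                         "privileged": privileged, "issues": issues, "score": score})
    return sorted(findings, key=lambda f: (-f["score"], f["resource"]))


def coverage(csv_text):
    """Fraction of access paths that have any MFA method at all."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    covered = sum(r["mfa_method"].strip().lower() not in ("", "none") for r in rows)
    return covered / len(rows)


if __name__ == "__main__":
    for f in audit(INVENTORY_CSV):
        print(f["score"], f["resource"], f["account"], "; ".join(f["issues"]))
    print(f"MFA coverage: {coverage(INVENTORY_CSV):.0%}")
```

A path with interceptable MFA still counts toward raw coverage, which is why the audit reports it separately as a finding.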

Preparing for the Future of Identity-Based Attacks

Identity will remain a key target for attackers, and without comprehensive MFA coverage, organizations are leaving themselves vulnerable to increasingly sophisticated attacks. By adopting a holistic, unified MFA strategy, companies can significantly reduce their risk of identity-based breaches.

Cybersecurity professionals and cyber insurance stakeholders alike must take proactive steps to ensure that every access point, especially those involving privileged accounts, is properly protected. As the threat landscape evolves, so must our defenses—starting with closing the MFA gaps that attackers so often exploit.
