Passwords alone no longer represent a significant barrier to an adversary. This has been caused by the shift to available-from-anywhere cloud services, bad user habits like password re-use across sites, and massive online password databases.
The ACSC states that “Multi-factor Authentication is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and accessing sensitive information” and defines multi-factor authentication (MFA) as ‘a method of authentication that uses two or more authentication factors to authenticate a single claimant to a single authentication verifier.’ Simply put, requests must come from a combination of two or more of the following:
- Something you are (fingerprints, retina scans).
- Something you know (passwords).
- Something you have (hardware or a paired mobile app).
When implemented correctly, MFA makes it significantly harder for adversaries to capture legitimate credentials and use them for further malicious activity on a network, as it is not as susceptible to brute-force attacks.
As best practice, MFA should be used to authenticate all users each time they log on to an organisation’s assets, a strategy known as zero-trust. Depending on an organisation’s risk profile, a combination of a password and a mobile authentication app can be enough. Organisations with higher risk exposure should consider implementing biometrics or hardware tokens for greater resistance against targeted attacks.
Verifier Impersonation Resistant
A fancy way of saying the legitimate user can’t be tricked into approving the attacker’s access by the attacker pretending to be a legitimate service. Usually, this means a piece of hardware like a USB key that the user has to physically connect to a device like a laptop or phone before the device can connect to the organisation – this means the attacker would have to be physically present with the user.
REMEDIATION STRATEGIES
Maturity Level One
For organisations to reach Maturity Level One, they need to implement MFA on internet-facing services. This can require additional licensing or the deployment of a modern authentication broker, including Azure Active Directory, Okta, Duo, or many others. These can be used to implement conditional access rules enforcing MFA for all users, including administrative, guest, and external, when connecting from outside of trusted physical premises. Organisations also need to consider implementation of Multi-Factor Authentication for remote logon to workstations and servers where accessible over the internet.
At Maturity Level One, organisations can use phone or SMS based authentication, though these are not completely secure and are not recommended.
Maturity Level Two
Maturity Level Two organisations start enforcing MFA to authenticate all privileged access to systems, regardless of whether the system is internet facing.
Organisations need to update their existing conditional access policies to exclude users with administrative roles, and create new policies that capture these users and enforce MFA regardless of whether the connection is occurring from a trusted location.
Azure Active Directory configuration needs to be updated to accept only app-based or hardware token-based authentication. Phone or SMS based MFA systems are not sufficient to meet controls at this maturity level, as they cannot be reliably asserted to be ‘something users have’ due to common attacks such as SIM-jacking. Organisations also need to verify that Azure Active Directory audit logs are enabled to log successful and unsuccessful authentication attempts.
Maturity Level Three
The primary change between Maturity Level Two and Maturity Level Three is disabling app-based authenticator use and enforcing the use of hardware tokens, which are verifier impersonation resistant. At this level, organisations also need to identify any sensitive data repositories (consider those containing Personally Identifiable, Financial, Classified or commercially sensitive information) and exclude these from the primary conditional access rules established to address Maturity Level One controls.
Organisations need to establish new Conditional Access rules allowing access to these apps only if MFA has been successfully completed, even from trusted networks and locations. They also need to deploy hardware authentication tokens to all users, provide sufficient training on their enrolment and use, and ensure all users have successfully enrolled.
Additionally, organisations need to establish forwarding of Azure Active Directory authentication logs to a SIEM system and ensure that the system is monitored, and alerts are raised and actioned when suspicious events are detected.
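As an added example (not ACSC’s or this page’s own code), the rule logic below maps the three maturity levels described above onto sign-in records of the kind a SIEM would receive, returning the findings that should raise an alert. The record field names are assumptions loosely modelled on Azure AD sign-in log attributes, and the sample records are constructed, not real log data.

```python
# Added example (not ACSC's or the page's own code): maps the maturity-level
# MFA rules onto sign-in records and returns alert-worthy findings. Field
# names are assumptions loosely modelled on Azure AD sign-in log attributes.

PHONE_METHODS = {"sms", "voice"}             # not 'something you have' (Level Two)
HARDWARE_METHODS = {"fido2", "hardwareOtp"}  # verifier impersonation resistant

def evaluate(rec, level):
    """Return (rule, reason) findings for one successful sign-in record."""
    findings = []
    mfa = rec["mfaMethod"] is not None
    remote = not rec["fromTrustedLocation"]
    # Level One: sign-ins from outside trusted premises must complete MFA.
    if remote and not mfa:
        findings.append(("L1", "remote sign-in without MFA"))
    if level >= 2:
        # Level Two: privileged access needs MFA anywhere; phone/SMS rejected.
        if rec["privileged"] and not mfa:
            findings.append(("L2", "privileged sign-in without MFA"))
        if mfa and rec["mfaMethod"] in PHONE_METHODS:
            findings.append(("L2", "phone/SMS factor used"))
    if level >= 3:
        # Level Three: hardware tokens only; sensitive apps need MFA even when trusted.
        if mfa and rec["mfaMethod"] not in HARDWARE_METHODS:
            findings.append(("L3", "non-hardware factor used"))
        if rec["sensitiveApp"] and not mfa:
            findings.append(("L3", "sensitive repository accessed without MFA"))
    return findings

def review(records, level):
    """Alert on successful sign-ins only; failures are logged, not escalated."""
    return [(r["user"], f) for r in records if r["status"] == "success"
            for f in evaluate(r, level)]

# Constructed sample sign-in records (not real log data).
SAMPLE = [
    {"user": "alice@example.invalid", "privileged": False, "status": "success",
     "fromTrustedLocation": False, "mfaMethod": "sms", "sensitiveApp": False},
    {"user": "admin@example.invalid", "privileged": True, "status": "success",
     "fromTrustedLocation": True, "mfaMethod": None, "sensitiveApp": False},
    {"user": "bob@example.invalid", "privileged": False, "status": "success",
     "fromTrustedLocation": True, "mfaMethod": None, "sensitiveApp": True},
    {"user": "carol@example.invalid", "privileged": False, "status": "success",
     "fromTrustedLocation": False, "mfaMethod": "fido2", "sensitiveApp": True},
]

if __name__ == "__main__":
    for level in (1, 2, 3):
        print(f"Level {level}:", review(SAMPLE, level))
```

The same sample records produce no findings at Level One, two at Level Two and four at Level Three, which is the point: raising the maturity target is mostly a matter of tightening which factors and which locations the rules accept.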