The MFA Protection Gaps No One Talks About

13 February 2024 | Silverfort

Multi-factor authentication (MFA) has long been accepted as a standard security measure. According to Microsoft[1], MFA can prevent over 99.9 percent of account compromise attacks. It is therefore no wonder that the security community regards it as a necessity in their environments.

Despite MFA’s proven effectiveness against identity-based attacks, its inherent coverage limitations are often overlooked. Historically, MFA protection could not be deployed to critical enterprise resources such as legacy applications, command-line access to servers and workstations (PsExec, Remote PowerShell), file shares, or databases.

As a result, even with a fully functional MFA solution in place, legacy on-prem applications and servers remain a major security risk to lateral movement, ransomware spread, and other identity threats.

MFA Protection Prevents Attacks That Utilize Compromised Credentials

Account takeover can be prevented most effectively by using multi-factor authentication. That is why MFA exists in the first place: to prevent adversaries from accessing our resources with compromised credentials. Even if an attacker were to obtain our username and password – which is highly likely – they would not be able to leverage them for malicious purposes. In other words, MFA is the last line of defense against credential compromise, aiming to void the benefit of any compromise.

The MFA Gap: Active Directory Resources are not Protected

It is frequently the case that traditional MFA solutions fail to cover all aspects of security in an Active Directory environment. In particular, the NTLM and Kerberos authentication protocols are not supported by MFA: these widely used protocols were not designed to integrate with an MFA challenge, which creates major security risks. MFA implementations that rely on agents and proxies can also leave blind spots in the security infrastructure, since any resource without an agent or behind no proxy is left unprotected.

Two critical risks are associated with MFA gaps: lateral movement and ransomware spread. The term “lateral movement” refers to the ability of an attacker to move from machine to machine within a network once they have gained initial access. In lateral movement attacks that use compromised credentials, the common remote connection paths are typically unprotected, and they are used in most, if not all, lateral movement and ransomware spread attacks.

The fact that an MFA solution protects the RDP connection and prevents it from being abused is irrelevant. Using PsExec or Remote PowerShell, an attacker can move from patient zero to other workstations within a network as easily as with Remote Desktop; they simply open one door instead of the other. This is a reality check for those who believe they are protected by MFA when they truly are not.

MFA Limitations in On-Prem Environment Affect Your Cloud Resources

Most organizations maintain a hybrid identity infrastructure that includes both AD-managed workstations and servers as well as SaaS apps and cloud workloads. As a result, the lack of MFA protection exposes not only core on-prem applications and file shares but also SaaS apps to the use of compromised credentials.

In today’s environment, synchronizing passwords across all these resources is a common practice, so the same username and password are used for both on-premises file servers and SaaS applications. Therefore, any attack that compromises and uses user credentials on-premises can easily pivot to access SaaS resources from that machine.

Current Identity Protection Alternatives are Not Enough

Many organizations attempt to compensate for the gap in MFA coverage by closely monitoring the access and activity of their users on their on-premises environments for any anomalies that might indicate a compromise. However, this approach has two main shortcomings. First, it is reactive by nature: it responds to threats after they are detected rather than preventing them. Secondly, it requires a high level of resources, such as manual integration of the on-prem resources into a SIEM or another centralized log collector, as well as a fully staffed security team for the actual monitoring. For most organizations, this makes it an impractical choice.
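To make the monitoring approach concrete, here is an added example (not Silverfort’s code, and not from the original post) of the kind of detection logic such a SIEM would have to run: a fan-out heuristic over constructed Windows Security 4624 (successful logon) records, reduced to the fields a log collector would normalize. Network logons (LogonType 3) are what PsExec, Remote PowerShell and SMB file-share access produce, so one account reaching many hosts within minutes, over Kerberos or NTLM with no MFA challenge in the way, is the trace this section says has to be hunted for after the fact. The thresholds and host names are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalized Security event 4624 records.
# type 3 = network logon (PsExec, WinRM / Remote PowerShell, SMB);
# type 2 = interactive logon at the console, ignored below.
SAMPLE_EVENTS = [
    {"time": "2024-02-13T09:00:05", "user": "alice", "src": "WS-017", "dst": "FS-01",    "type": 3, "pkg": "Kerberos"},
    {"time": "2024-02-13T09:04:12", "user": "alice", "src": "WS-017", "dst": "FS-01",    "type": 3, "pkg": "Kerberos"},
    {"time": "2024-02-13T10:15:00", "user": "bob",   "src": "WS-042", "dst": "WS-051",   "type": 3, "pkg": "NTLM"},
    {"time": "2024-02-13T10:15:20", "user": "bob",   "src": "WS-042", "dst": "WS-052",   "type": 3, "pkg": "NTLM"},
    {"time": "2024-02-13T10:15:41", "user": "bob",   "src": "WS-042", "dst": "SRV-APP3", "type": 3, "pkg": "NTLM"},
    {"time": "2024-02-13T10:16:03", "user": "bob",   "src": "WS-042", "dst": "SRV-DB1",  "type": 3, "pkg": "NTLM"},
    {"time": "2024-02-13T11:00:00", "user": "bob",   "src": "WS-042", "dst": "WS-042",   "type": 2, "pkg": "Kerberos"},
]


def find_fanout(events, max_hosts=3, window=timedelta(minutes=5)):
    """Return {user: sorted hosts} for accounts whose network logons reach
    more than `max_hosts` distinct hosts inside any `window`-long span.
    One workstation fanning out to several hosts in minutes is the
    pattern PsExec / Remote PowerShell spread leaves behind; the
    heuristic runs only after the logons have already succeeded."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["type"] != 3:  # only remote (network) logons matter here
            continue
        by_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["dst"]))

    hits = {}
    for user, logons in by_user.items():
        logons.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(logons)):
            # advance the window start until the span fits inside `window`
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {dst for _, dst in logons[start:end + 1]}
            if len(hosts) > max_hosts:
                hits[user] = sorted(hosts)
    return hits


if __name__ == "__main__":
    for user, hosts in find_fanout(SAMPLE_EVENTS).items():
        print(f"possible lateral movement: {user} -> {', '.join(hosts)}")
```

Running it flags only bob, whose single workstation reached four hosts over NTLM in about a minute; alice’s repeated access to one file server is not reported.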

Move on From Traditional MFA and Deploy Unified Identity Protection

The MFA gap described above is a direct consequence of how traditional MFA is designed and implemented. Since MFA solutions work by plugging into each resource’s authentication process, there can be no protection if the software that performs this authentication does not support MFA, as is the case for AD command-line access tools.

However, there is a new approach today that focuses on placing MFA in the directory rather than at each resource, completely removing this barrier.

Silverfort’s Unified Identity Protection MFA

Silverfort pioneered the first Unified Identity Protection platform that provides real-time protection against any attack that utilizes compromised credentials for malicious resource access. Silverfort extends MFA protection to all resources that couldn’t be protected in this manner before. This includes legacy apps, command line access to workstations and servers, file shares, and many others.

Silverfort natively integrates into the Active Directory authentication flow. When a user attempts to access a resource, AD forwards the access request to Silverfort, which analyses the request and challenges the user if necessary with MFA. By using this architecture, all AD authentications and access attempts are covered 100% without the need to install agents on the protected workstations and servers or deploy proxies. Since AD forwards all authentication requests to Silverfort for risk analysis, it does not matter which authentication protocol is used. This is the first time that MFA can be applied to Kerberos and NTLM authentications.

Proactive Real-Time Protection Against Identity Threats is Essential

There will always be a risk of account compromise, regardless of what we do. Instead of focusing on how to mitigate this security risk, companies should take a proactive approach against identity-based attacks. Silverfort solves the two critical gaps in MFA directly and prevents threat actors from using the credentials they stole for malicious access, enabling organizations to maintain their environments securely.

About Silverfort

Silverfort is the only Unified Identity Protection Platform that extends identity protection to any sensitive resource, including ones that couldn’t be protected before, without having to modify them. That includes legacy systems, command-line interfaces, IT/OT infrastructure, service accounts (non-human identities) and many more. Silverfort delivers secure authentication and access policies across the entire hybrid identity infrastructure – both legacy and modern – from a single unified platform, and stops identity-based threats everywhere. Silverfort is headquartered in Tel Aviv, Israel, and was founded in 2016.

Learn more at silverfort.com

[1] Maynes, M. (2019, August 20). One simple action you can take to prevent 99.9 percent of attacks on your accounts. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/