Ransomware Resilience – MFA Bypass is Seen as the Largest Attack Vector for Ransomware Attacks

Author: Chase Snow

Created: Tuesday, September 24, 2024 - 19:04

Categories: Cybersecurity, Security Preparedness

As ransomware threat actor tactics continue to advance, it’s important to remember that common cybersecurity “best practices” are also in flux. Multi-factor authentication (MFA) is still a highly recommended cybersecurity tool (as it should be), but MFA alone should not be seen as sufficient protection against the constantly changing threat environment, especially in light of the attacks the water sector has recently been experiencing.

Recent research suggests that MFA bypass via session hijacking is the largest attack vector that ransomware actors use to breach systems. Below are some previously shared WaterISAC resources that can help as the sector continues to respond to these threats. For more information, visit Help Net Security.

MFA Bypass Defenses for Consideration

To reduce the risk and protect your utility and users from succumbing to MFA bypass, consider the following in your MFA implementation:

  • Train it. Include MFA bypass themes, like the ones highlighted in this post, in simulated phishing exercises and awareness education and discussions.
  • Configure it. Ensure MFA settings are properly configured to protect against things like “fail open,” re-enrollment, or initial device enrollment scenarios.
  • Randomize it. Make sure user session identifiers are unique and randomly generated.
  • Expire it. Set the interval before MFA is required again to the minimum acceptable timeframe (preferably at each login) so a threat actor cannot maintain persistence with a stolen session token.
  • Force it. If a user reports repeated unauthorized MFA push notifications, immediately force a password reset.
  • Harden it. Implement a FIDO2-compliant (phishing-resistant) security key for multi-factor authentication.
  • Fake it. Encourage users to never use real answers in response to recovery questions (and to use a password manager).
  • Disable it. Disable inactive accounts uniformly across Active Directory, MFA, etc., so they cannot be leveraged to re-enroll in MFA.
  • Monitor it. Monitor network logs continuously for suspicious activity.
  • Alert it. Implement appropriate security policies to alert on things like impossible logins.
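
The "Expire it", "Monitor it" and "Alert it" items can be combined into one log check for replayed session tokens. The following is an added example, not WaterISAC or vendor code: the event layout, the thresholds and the function names are assumptions, and the sample events are constructed.

```python
import math
from datetime import datetime

MAX_KMH = 900          # assumed threshold: faster than an airliner counts as impossible
MAX_SESSION_HOURS = 8  # assumed policy: older sessions must go through MFA again

# Constructed sample events (not real logs): time, user, session id, source IP, lat, lon
EVENTS = [
    ("2024-09-24T08:00:00", "operator1", "s-a1", "198.51.100.10", 38.90, -77.04),
    ("2024-09-24T08:40:00", "operator1", "s-a1", "203.0.113.77", 52.52, 13.40),
    ("2024-09-24T09:00:00", "engineer2", "s-b2", "198.51.100.22", 38.90, -77.04),
    ("2024-09-24T19:30:00", "engineer2", "s-b2", "198.51.100.22", 38.90, -77.04),
]

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 6371 * 2 * math.asin(math.sqrt(a))

def find_alerts(events):
    """Return (kind, user, session, timestamp) tuples for suspicious session use."""
    alerts, last_seen, first_seen = [], {}, {}
    for ts, user, sid, ip, lat, lon in sorted(events):
        t = datetime.fromisoformat(ts)
        # Expire it: a session still in use past the policy window is flagged.
        start = first_seen.setdefault(sid, t)
        if (t - start).total_seconds() / 3600 > MAX_SESSION_HOURS:
            alerts.append(("session_too_old", user, sid, ts))
        prev = last_seen.get(sid)
        if prev:
            pt, pip, plat, plon = prev
            # Monitor it: the same session token arriving from a new source IP.
            if ip != pip:
                alerts.append(("session_ip_change", user, sid, ts))
            # Alert it: distance covered since the last event implies impossible speed.
            hours = max((t - pt).total_seconds() / 3600, 1 / 3600)
            if km_between(plat, plon, lat, lon) / hours > MAX_KMH:
                alerts.append(("impossible_travel", user, sid, ts))
        last_seen[sid] = (t, ip, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```

In production the events would come from the identity provider's or VPN's sign-in logs, and the latitude and longitude from an IP geolocation lookup, which can be imprecise for mobile and VPN users.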

Additional Key Areas to Help Limit Ransomware Risk

Several additional key areas play a major role in mitigating ransomware attacks, either limiting an attack’s ramifications or preventing it entirely. This approach calls for multiple layers of defense. Utilities may want to review each of these key areas and determine their own ransomware resilience posture:

  • Email Security
  • Endpoint Security
  • Properly Encrypt Sensitive Data
  • Have a Solid Backup Strategy
  • Patch Management
  • Utilizing Automation

Along with the above key areas, as always, members are encouraged to regularly review CISA’s StopRansomware resources and guide, which offer current and valuable insights and guidance for defending against this threat.

Additional WaterISAC Coverage and Sector-related Information Pertaining to Ransomware:

  • Ransomware Resilience – The Always Shifting Ransomware Landscape | September 3, 2024
  • Ransomware Resilience – Recent Activity and Leading Indicators of Potential Compromise | August 27, 2024
  • Ransomware Resilience – Key Indicators and Common Mistakes that Could Result in a Ransomware Attack | August 20, 2024
  • Ransomware Resilience – Sophos Report Analyzes Ransomware in Critical Infrastructure | July 18, 2024
  • Ransomware Resilience – Understanding Ransomware Behaviors and the Typical Ransomware Attack Chain | July 11, 2024
  • Ransomware Resilience – Strategies for Improving Attack Outcomes | July 4, 2024
  • Ransomware Resilience – NCSC Shares Guidance for Organizations Considering Payment in Ransomware Incidents | May 14, 2024
  • Ransomware Resilience – Utilize CISA’s Ransomware Vulnerability Warning Pilot (RVWP) | May 2, 2024
