Mitigating MFA Bypass Methods Used By Hackers, Pen Testers and Malicious Insiders.
Folks, I’d like to share a thought on how organizations can optimize their current investments in MFA solution that has been implemented. So, when PROPERLY implemented across the hybrid IT infrastructures (on-premises and cloud), MFA solution has the capacity and capability to PREVENT 99% of credentials based attacks such as ransomware propagation, lateral movement, privileged escalations and malicious insiders engaging in fraud or theft of company’s intellectual properties.
However, there are LIMITATIONS on most MFA solutions that allows threat actors and other malicious attackers to BYPASS them with insane ease.. Some of the limitations are listed below.
1- MFA controls cannot be enforced on authentication protocols (NTLM) level.
2- MFA controls cannot be enforced on NETWORK or NON-INTERACTIVE logins. See description of Windows
logon types here, https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types and https://eventlogxp.com/blog/logon-type-what-does-it-mean/
3- In most organizations, MFA controls cannot be extended to ALL resources such as
all workstations, cloud workloads, LDAP based applications, all servers on
the AD and administrative interfaces and tools(PsExec, Remote PowerShell, etc.
Mitigating MFA’s LimitationsWithout ANY Form of Overhead.
In practical term and without any form of overhead, the CrowdStrike Identity protection platform
(formerly Preempt security) integrates with most MFA solutions to address ALL limitations as highlighted above while ensuring further hardening of the enterprise identity stores, i.e. On-Premises Active Directory, SSOs such as ADFS,
Azure AD, Okta and Ping.
At one of our customer ( a large bank), they have an existing Azure MFA primarily used for VPN authentication.
With the CrowdStrike Identity protection module, we extended the Azure MFA to ALL workstations, ALL servers, CRITICAL internal LDAP based applications, administrative tools and authentication protocols such as the very dangerous NTLM- yet no changes whatsoever was made to their current architecture. In fact, they’ve had 2 different penetration testing engagements with one of the top 4 consulting firm and in all instances, the engagement FAILED due to the proactive MFA hardening capabilities that the CrowdStrike module brought in.
Below are some of the CrowdStrike Identity Protection policies that help in mitigating MFA bypass
methods used by hackers, pen testers and other threat actors.
- MFA On Authentication Protocols (NTLM& Kerberos). This Policy is used to ensure that all authentications using NTM and Kerberos Protocols where the users are either human or Service Accounts with Authorizer set gets challenged with an MFA. This policy is set to include the “CIFS” access type as this is an authentication access used by SMB services and Fileserver access to leverage the NTLM v2 Protocol.
1- Access to File Server using IP Address
2- Access to File Server using FQDN
3- Access to Server or Workstation using PowerShell or PsExec.
4- Access to workstation using interactive login.
5- Access to server using interactive login
- Reset Compromised Password . This policy is to ensure that users who have been identified by the platform to have compromised password will automatically have their password reset and force them to change their passwords. The only caveat with this policy is that it will only take effect on newly detected identities i.e. It will not take effect on users whose passwords have been detected as compromised before the policy is enabled.
- MFA on RDP human Account. This Policy is to enforce MFA on Remote Desktop Connections. This ensures that users (Human or Has Authorizer) are challenged with MFA on all Remote Desktop Connections.
- Restrict RDP on Service Accounts. This Policy is to restrict service accounts from performing Remote Desktop Connections. This ensures that all service accounts that do not have authorizers are prevented from performing Remote Desktop Connections.
- Anomalous Authentication. This policy ensures that users attempting to login to endpoints that is not profiled in their baseline (i.e., an endpoint they have never logged in to before or don’t login to frequently) are challenged with MFA to verify their identity.
- Restricting Privileged Logon on Workstation. This policy restricts privileged accounts from being used to logon to workstations with exceptions to workstations owned or regularly used by the user.
- Stale Programmatic User Access. This policy ensures that when stale service accounts are used for authentication the users are challenged with MFA before any authentication can go through.
- Block Anomalous Access of Privileged Service Account. This policy ensures that Privileged Programmatic account is blocked from performing anomalous authentication to endpoints. This is to prevent privileged programmatic accounts from performing unusual logon to endpoints.
- MFA on RDP to DCs. This policy ensures that every Remote Desktop Connection to the Domain Controller using FQDN (Kerberos) or IP address (NTLM) is challenged using MFA. This makes sure that all identity performing Remote Desktop connection to Domain Controllers is verified.
At your convenience, I’m available to show you a demo of the solution, No Commitment. No Obligation.
For additional value adding cybersecurity services that helps organizations prevent devastating data breaches, visit https://www.smsam.net/services/