Develop a viable defense and threat actors will inevitably find a way to bypass it. That is the endless cat-and-mouse game, especially in the cybersecurity world. A historical example was the old advice to 'never open an email from someone you don't know', so threat actors now expertly impersonate someone (or something, as in the case of a well-known brand) we do know. A more recent example concerns multifactor authentication (MFA). The necessary push for broader MFA adoption has been met with equal fervor from cyber actors working to bypass the protection it provides.
One of the most used methods to bypass MFA is session hijacking, which involves stealing the access token or session cookie issued after a legitimate user's successful authentication. Because that token is issued only after the MFA challenge has already been satisfied, an attacker who holds it never has to satisfy the second factor themselves. Once the attacker has stolen the token/cookie, they can seize the session away from the legitimate user or fraudulently manipulate it, and for the duration of the session they essentially assume the authenticated user's identity. Furthermore, MFA deployments with long reauthentication windows give attackers extra time to use the stolen token to establish persistent access. Both cyber criminals and advanced persistent threat groups have been using MFA session hijacking. A report in August by Sophos noted that even popular red-teaming and attack tools such as Mimikatz, Metasploit Meterpreter, and Cobalt Strike can be used to harvest session cookies.
Mitigating MFA bypass techniques
Defending against MFA bypass, including cookie/session hijacking, should be focused around user education, because the technique does not take advantage of any inherent flaw in the MFA architecture: the attacker obtains a token that was legitimately issued after a successful MFA challenge, typically by phishing the user or by running cookie-harvesting tooling on their endpoint. Therefore, to reduce the risk and protect your utility and users from succumbing to MFA bypass techniques, consider the following in your MFA implementation:
- Expire it. Set session lifetimes, and the interval before MFA is required again, to the shortest acceptable timeframe (preferably requiring MFA at each login) so a threat actor cannot maintain persistence with a stolen session token/cookie.
- Randomize it. Make sure user session identifiers are unique and generated from a cryptographically secure random source, so they cannot be guessed or predicted.
- Monitor it. Continuously monitor authentication and network logs for suspicious activity, such as an existing session suddenly being presented from a new IP address or device.
- Alert it. Implement appropriate security policies to alert on anomalies such as impossible-travel logins (one account authenticating from two locations that could not both be reached in the elapsed time).
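One way to implement the four controls above on the server side, as an added example that is not code from the article or from Dark Reading. It is written in Python and assumes hypothetical policy values (ABSOLUTE_TTL, IDLE_TTL, MAX_SPEED_KMH) and a constructed login-then-replay scenario; the user names, IP addresses and coordinates are invented for illustration.

```python
"""Session-token hygiene against hijacking: random IDs, expiry, anomaly alerts.
Added example; TTLs, speed threshold and the scenario data are assumptions."""
import math
import secrets
import time
from dataclasses import dataclass

# Assumed policy values (tune for your environment):
ABSOLUTE_TTL = 8 * 3600     # seconds before a session must re-authenticate with MFA
IDLE_TTL = 15 * 60          # seconds of inactivity before the session is dropped
MAX_SPEED_KMH = 900.0       # faster than airline travel => "impossible travel"


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


@dataclass
class Session:
    user: str
    issued_at: float    # when MFA was last satisfied
    last_seen: float
    last_ip: str
    last_geo: tuple     # (lat, lon) of the last request


class SessionStore:
    """Server-side session table; the client only ever holds the opaque ID."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the scenario below is deterministic
        self._sessions = {}

    def create(self, user, ip, geo):
        # Randomize it: 256 bits from the OS CSPRNG, never derived from the
        # username, a timestamp or a counter that an attacker could predict.
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = Session(user, t, t, ip, geo)
        return sid

    def validate(self, sid, ip, geo):
        """Return (user, alerts). user is None when the token is rejected."""
        s = self._sessions.get(sid)
        if s is None:
            return None, ["unknown-session"]
        t = self._now()
        # Expire it: an absolute lifetime bounds how long a stolen cookie is
        # useful; an idle timeout cuts off tokens replayed after the user left.
        if t - s.issued_at > ABSOLUTE_TTL:
            del self._sessions[sid]
            return None, ["absolute-expired"]
        if t - s.last_seen > IDLE_TTL:
            del self._sessions[sid]
            return None, ["idle-expired"]
        # Monitor/alert it: the same token presented from a location it could
        # not physically have reached, or from a new IP, is a hijack signal.
        alerts = []
        hours = max((t - s.last_seen) / 3600.0, 1e-9)
        if haversine_km(s.last_geo, geo) / hours > MAX_SPEED_KMH:
            alerts.append("impossible-travel")
        if ip != s.last_ip:
            alerts.append("ip-changed")
        s.last_seen, s.last_ip, s.last_geo = t, ip, geo
        return s.user, alerts


def run_scenario():
    """Constructed scenario: a legitimate login, then replay of the stolen cookie."""
    clock = [1_700_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    chicago, moscow = (41.88, -87.63), (55.75, 37.62)   # invented locations
    sid = store.create("alice", "203.0.113.10", chicago)
    results = []
    results.append(store.validate(sid, "203.0.113.10", chicago))   # alice, no alerts
    clock[0] += 5 * 60
    # The attacker replays the harvested cookie from another continent.
    results.append(store.validate(sid, "198.51.100.7", moscow))    # alerts fire
    clock[0] += 16 * 60
    results.append(store.validate(sid, "198.51.100.7", moscow))    # idle-expired
    return results


if __name__ == "__main__":
    for user, alerts in run_scenario():
        print(user, alerts)
```

In the replay step the token is still honored but the impossible-travel and IP-change alerts fire; a production deployment would typically go further and invalidate the session, forcing a fresh MFA challenge, rather than only raising an alert. The absolute lifetime is what ultimately caps how long a harvested cookie stays useful even if the attacker keeps the session active.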
Read more at Darkreading.