This blog post is part of the Microsoft Intelligent Security Association guest blog series.
You’ve implemented multifactor authentication for access to your enterprise network. But what if multifactor authentication isn’t as foolproof as you’re hoping?
Are you comfortable betting your organization’s security on it?
Multifactor authentication isn’t a silver bullet
The premise behind multifactor authentication is a good one—anybody who wants to access your network needs two or more things:
- Something they know (such as a password or personal identification number).
- Something they have in their possession (cryptographic identification device, token).
- Something they are (biometric, fingerprint).
Users enter two of those (or three of them, to access especially sensitive resources), your server authenticates them, and they’re on your network. It’s more robust security than a simple username and password, and it makes bad actors work a lot harder to access your network.
That’s why multifactor authentication is such a commonly used approach in security for solving the problem of leaked or compromised credentials. But it’s not foolproof, and here’s why Recorded Future thinks you can do better.
SMS is vulnerable
Many multifactor authentication products, especially the ones suitable for consumer use, rely on SMS and send a code to the user’s phone in a text message. Unfortunately, SMS can be hacked or spoofed, with the result that the bad actor receives the code and is able to pass the authentication test.
Also, not all applications support multifactor authentication—that’s especially true of older systems—which leaves the door open to bad actors. There are passwordless authentication methods, but credentials are used to authenticate the system on the back end, so password security and the user’s identity can still be avenues for compromise.
Multifactor authentication isn’t enough
Threat actors can brute force their way into accounts, defeat multifactor authentication, and breach organizations. There are many ways, unfortunately, that threat actors can accomplish this.
One way is by hijacking session cookies. Another way involves exploiting default multifactor authentication protocols. For instance, the United States Cybersecurity and Infrastructure Security Agency recently released a report warning that Russian state-sponsored threat actors were able to gain network access by taking advantage of an account set to default multifactor authentication protocols. That allowed them to enroll a new device for multifactor authentication access in their victim’s network, and then take advantage of a critical Windows vulnerability to run any code they wanted on the hacked network—with system privileges. One small mistake with multifactor authentication enabled threat actors to gain not only access but also significant control over the network.
Beyond multifactor authentication: Identity Intelligence from Recorded Future
Of course, threat actors are trying to breach thousands of networks every day. Suppose you had up-to-date intelligence that told you about their attempts all over the globe. That would give you a lot more information about them than just their IP address. Wouldn’t that help you decide whether their visit to your site was legitimate or not?
That’s the identity management model Recorded Future uses with Identity Intelligence. It arms security teams with real-time information about identity compromises worldwide so they can respond confidently, without any manual research. Identity Intelligence automates the collection, analysis, and production of intelligence from open-source, dark-web, and technology entities, including unique sourcing of malware log information. It combines that intelligence with world-class research to deliver an unmatched source of truth for identity management and authentication at a massive scale.
Identity Intelligence covers the most prominent use cases that enterprises face in a landscape of employees, partners, supply chains, and customers in an era of account takeovers and identity fraud:
- Preventing business email compromise and account hijacking.
- Identifying and mitigating the risk of account takeover.
- Checking for risk automatically during critical events (such as password creation or reset).
- Monitoring employee and customer identities on an ongoing basis.
It represents an important tool for securing user identity, as remote work and digital interactions across multiple channels increase the responsibilities of security and IT teams.
Integration with Microsoft
Recorded Future has released an integration between Identity Intelligence and Microsoft Azure Active Directory. The integration monitors new, compromised credentials found by Recorded Future, and places at-risk users into one or more different security groups, based on the client’s security policies and the nature of the compromise. For example, credentials from bulk data dumps that have been circulated before may pose a relatively low risk and warrant only an “informational” warning to the user. On the other hand, credentials stolen recently by info stealer software are at high risk and require immediate remediation by the affected users.
Microsoft Azure Active Directory (Azure AD) supports identity protection and can score user risk as low, medium, or high. The integration with Identity Intelligence complements that insight, layering more context and transparency into the risks associated with users’ identities. The easiest way to do this is by placing an at-risk user into one or more security groups based on the Identity Intelligence available from Recorded Future and pushing the details of Recorded Future’s Identity Intelligence into Microsoft Sentinel. That allows forensic teams to examine the compromised credentials and respond to any potential incidents.
A Microsoft Sentinel example
Imagine that your company’s attack surface is constantly growing and your security team is seeing more events with each passing day. The team has too little context on user activity, so it can’t connect the dots between the external risk of detected threats and other insights. Its responses grow slower, increasing the likelihood that threats will slip through the cracks.
Identity Intelligence integrates with Azure AD through Azure Logic Apps. It uses one playbook to connect to Azure AD and Microsoft Sentinel and mitigate security risk by automatically positioning threat data in your Microsoft Sentinel environment. By layering real-time evidence on top of internal activity in Microsoft Sentinel, Identity Intelligence gives your security analysts the evidence they need to deal with threats.
Recorded Future is a member of the Microsoft Intelligent Security Association (MISA). It joins the independent software vendors and managed security service providers who integrate their solutions with Microsoft products to better defend against threats. Recorded Future indicators are also available as Microsoft Graph Security API indicators for use in security products from Microsoft and other partners.
Take the next step
Strong identity authentication is a must-have as your company faces a growing threat landscape and higher attack volumes.
Identity Intelligence from Recorded Future uses a combination of public sources and proprietary methods to help security teams focus on the highest-risk user activity. It enables companies to address threats automatically, with out-of-the-box integrations and real-time insights for Azure AD and Microsoft Sentinel.