Initial Access Breaches Businesses Miss
Cybersecurity has many different avenues. Some lead to the dark web, some to rescuing people from violence and harassment, and others to protecting multi-billion dollar companies. Many people practice cybersecurity to harden networks, devices and applications; others pursue financial gain or a nation-backed agenda. In this article, we will discuss a detection strategy for an often overlooked attack vector.
In recent years, there have been major hacks related to SIM swapping. This vulnerability is often overlooked in many organizations because of the psychological comfort and smokescreen that MFA presents. If all our employees need to verify who they are with MFA, then we are safe, right? Not necessarily: many large companies have been breached due to this oversight, for example the hacks involving the Twitter CEO, Reddit, FTX, Coinbase, Robinhood and others. The kicker is that these companies most likely invest millions in their cybersecurity posture, yet they seem not to have prioritized a highly vulnerable asset: the employee.
This is why detection engineering is valuable for large companies. Detection engineering involves using a SIEM tool to design queries that correlate data in logs to detect threats in an environment. As threats evolve, so must detection rules and response strategies. Building automated response playbooks is ideal for remediating incidents with minimal time to remediation, but first an accurate query must be designed to detect what companies overlook or are unaware of.
Bypassing MFA
The most common threats that cause a data breach involve the initial access phase of an attack. The main initial access vector is social engineering: phishing, vishing, smishing and anything else that exploits human psychology and emotion. Social engineering campaigns target a company's employees to gain an initial foothold. Security solutions are advancing, but so are threats.
SMS-based attacks allow an attacker to bypass MFA by gaining access to an employee's text messages. Socially engineering the employee's cellular provider into issuing a SIM grants access to the user's text messages, including any OTP. Therefore, a detection rule that uses an identity management security solution's risk data about a login can help identify a threat actor bypassing MFA.
A simple example of a query that can detect this takes advantage of Azure Entra ID Protection logs to flag sign-ins that carry risk and in which an SMS OTP was used to perform MFA. Modify the query as needed to fit your environment and your organization's security and operational requirements.
Example
SigninLogs
// sign-ins where the recorded MFA method is SMS ("text")
| where <SMS OTP column name, or a value derived from it> contains "text"
// only sign-ins to which Entra ID Protection assigned a risk level
| where RiskLevelDuringSignIn !contains "none"
// only sign-ins that actually succeeded past Conditional Access
| where ConditionalAccessStatus contains "success"
Recommendation
To mitigate bypassing MFA with an SMS OTP, the MFA policy must be modified to disallow SMS OTP as an MFA method. Another level of remediation is using SOAR playbook capabilities to remediate the alert, according to whether a low or high risk tolerance is part of the organization's risk appetite. If the organization has a low risk tolerance, a playbook can be designed to reset the user's password and revoke active sessions. If a high risk tolerance is practiced, a playbook can automate communications with the employee to determine whether the alert is a false or true positive, leaving the security operator to take action.
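The following is an added example, not code from the original article: it replicates the three filters of the KQL query above in Python over constructed, JSON-lines SigninLogs-style records, then attaches the playbook actions the recommendation describes for a given risk tolerance. RiskLevelDuringSignIn and ConditionalAccessStatus are the columns the article uses; the AuthenticationDetails field, its "Text message" value, the sample users and the action labels are assumptions made for this example and stand in for the article's SMS OTP column placeholder.

```python
import json

# Constructed sample rows shaped like Entra ID SigninLogs records, serialized as
# JSON lines the way a SIEM export might look. RiskLevelDuringSignIn and
# ConditionalAccessStatus are the columns the article's query uses; the
# "AuthenticationDetails" field with its "Text message" method value is an
# assumption standing in for the article's "<SMS OTP column>" placeholder.
SAMPLE_SIGNIN_LOG_LINES = """\
{"UserPrincipalName": "alice@example.com", "RiskLevelDuringSignIn": "none", "ConditionalAccessStatus": "success", "AuthenticationDetails": [{"authenticationMethod": "Password"}, {"authenticationMethod": "Text message"}]}
{"UserPrincipalName": "bob@example.com", "RiskLevelDuringSignIn": "high", "ConditionalAccessStatus": "success", "AuthenticationDetails": [{"authenticationMethod": "Password"}, {"authenticationMethod": "Text message"}]}
{"UserPrincipalName": "carol@example.com", "RiskLevelDuringSignIn": "medium", "ConditionalAccessStatus": "success", "AuthenticationDetails": [{"authenticationMethod": "Password"}, {"authenticationMethod": "Microsoft Authenticator app"}]}
{"UserPrincipalName": "dave@example.com", "RiskLevelDuringSignIn": "low", "ConditionalAccessStatus": "failure", "AuthenticationDetails": [{"authenticationMethod": "Password"}, {"authenticationMethod": "Text message"}]}
"""


def parse_signin_lines(text):
    """Parse a JSON-lines export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def used_sms_otp(record):
    """First filter: any authentication step whose method name contains "text".
    KQL `contains` is case-insensitive, so both sides are lower-cased here."""
    return any("text" in step.get("authenticationMethod", "").lower()
               for step in record.get("AuthenticationDetails", []))


def is_risky_sms_mfa_signin(record):
    """All three filters of the article's query applied to one record:
    SMS method used, risk level present (not "none"), Conditional Access success."""
    risk = str(record.get("RiskLevelDuringSignIn", "")).lower()
    ca_status = str(record.get("ConditionalAccessStatus", "")).lower()
    return used_sms_otp(record) and "none" not in risk and "success" in ca_status


def detect_risky_sms_mfa_signins(records):
    """Return one alert tuple (UPN, risk level) per matching sign-in."""
    return [(r["UserPrincipalName"], r["RiskLevelDuringSignIn"])
            for r in records if is_risky_sms_mfa_signin(r)]


def playbook_actions(risk_tolerance):
    """Map the organization's risk tolerance to the response steps the article
    describes. The action names are constructed labels, not a SOAR product's API."""
    if risk_tolerance == "low":
        # low tolerance: contain first, ask questions later
        return ["reset_user_password", "revoke_active_sessions"]
    if risk_tolerance == "high":
        # high tolerance: confirm with the employee, then let an operator decide
        return ["contact_employee_to_confirm", "await_operator_decision"]
    raise ValueError(f"unknown risk tolerance: {risk_tolerance!r}")


def triage(log_text, risk_tolerance):
    """Run the detection over a log export and attach playbook actions per alert."""
    alerts = detect_risky_sms_mfa_signins(parse_signin_lines(log_text))
    actions = playbook_actions(risk_tolerance)
    return [{"user": upn, "risk": risk, "actions": actions} for upn, risk in alerts]


if __name__ == "__main__":
    # Only bob's sign-in matches: risky, SMS-based MFA, and allowed through.
    for alert in triage(SAMPLE_SIGNIN_LOG_LINES, "low"):
        print(alert)
```

Alice is excluded because her sign-in carried no risk, Carol because she used an authenticator app rather than SMS, and Dave because Conditional Access blocked the sign-in; only Bob's risky, SMS-verified, successful sign-in produces an alert, exactly as the KQL filters would select it.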