When it comes to writing custom tooling for engagements, the motivations associated with it often vary. At a high level, as a consultancy, having the capabilities to produce allows us to offer a niche but more realistic engagement. We can emulate the adversaries who target similar businesses in the same industry – ultimately giving the client a better assessment of their overall security posture through a profound offence against their various defensive capabilities.
Multi-Factor Authentication (MFA) has been widely adopted over the years as a means to enhance the security of authentication processes for all sorts of systems. It has somewhat become a must-have security control in order for organisations to claim that their systems have a withstanding security posture. This is especially true for organisations willing to be compliant with information security specifications, such as ISO 27001 and Cyber Essentials.
However, it has been demonstrated time and again that even when MFA is put in place, it can be circumvented. The recent attack on Uber is a rather convincing example of this. The attack itself is not the topic of this post, but it serves as an incentive to remind ourselves that an authentication process that mandates MFA from its’ users is not impenetrable.
In this blog post, we will be comparing the most common and prominent MFA methods with a focus on their usage within organisations’ internal infrastructure, as that is where the impact can be menacing.
In October 2022, we completed an internal security assessment for a large tech organisation with clients in the legal industry, focused around the handling of sensitive documents for other companies. The scope was focused on their “user network” – which hosted their active directory domain which all of their workstations and laptops were all connected to. Our scenario assumed access to their office – while this may seem like a fairly extreme position to start with, our first day we arrived at their office, we were able to walk in and someone helpfully held the door open for us without asking who we were…