It takes more than MFA to beat human hacking

While multi-factor authentication (MFA) is a much-needed addition to an effective cyber defense strategy, it is by no means foolproof. In fact, no single security effort can ever be considered entirely effective when facing off against threat actors that use automation to evade detection and identify an enterprise’s weak points. Instead, organizations must view MFA as another layer of security that helps mitigate against the risk of potential compromise.

With artificial intelligence (AI) and machine learning (ML) offering a better return on investment, businesses are considering these technologies as viable options to improve their security posture. Using AI and ML through powerful cloud-based environments is allowing more organizations to access high-performance computing features which creates additional opportunities to benefit from real-time data analytics.

A legitimate launchpad

Unfortunately, cybercriminals, whether state-sponsored or financially motivated, can also take advantage of legitimate infrastructure to launch attacks. While sophisticated technology can strengthen systems, it is being demonstrated almost daily that threat actors will also use it to their own advantage.

Legitimate cloud services like Microsoft, Google, Dropbox, and others have become one of the most significant threat vectors facing IT security teams today. Thanks to the combination of whitelisting these environments and users believing these seemingly trusted domains to be completely safe, companies are becoming exposed to compromises at unprecedented levels. For instance, in one attack, approximately 50,000 unique phishing attempts came from the legitimate domain of just one service provider.

With automation simplifying the propagation of hyper-targeted attacks on an hourly basis, security teams can no longer be the sole custodians of defense. Organizations must embrace automated solutions capable of adapting to known and unknown threats by flagging suspicious behavior and stopping it proactively without relying only on IT personnel to do so.

Rethinking security

This new security landscape highlights the need to reinvent traditional approaches to cybersecurity. In part, MFA was intended to thwart a range of compromises that include phishing, spear phishing, credential stealing, and man-in-the-middle (MitM) attacks. But thanks to automation, AI, and ML, bad actors are succeeding at bypassing it.

Another challenge to security teams is the fact that phishing is no longer limited to just emails. Smishing (SMS and IM messages) and vishing (telephone calls) are gaining prominence.

Trust nothing

As organizations face the challenge of sophisticated cyberattacks, it is important to remember many employees do not realize they are targets. They may believe hackers only target high-ranking executives, while in fact nearly any employee can be compromised by human hackers. Bad actors track their best targets in a sophisticated way and always go after “low-hanging fruit” for phishing attacks. Then once their accounts are successfully compromised, it becomes easier for threat agents to infiltrate the network and move on to the high-value targets.

It is also important to underscore how sophisticated spear phishing, vendor email compromise and other forms of social engineering have become. It is no longer possible for humans to detect the attacks as they appear fully legitimate – sometimes even to trained security experts. What that means for organizations is that training employees to be aware that they may be targets and steps they can take to increase security is important – but it will not be a fix-all protection against ongoing attacks.

Protecting remote workers from sophisticated phishing attacks requires a toolbox that extends beyond MFA and covers several attack vectors. It is no longer good enough to rely on URL inspection, domain reputation, MFA, malware intrusion prevention systems, firewalls, and anti-virus. More must be done to harness the power of AI, ML, and automation to fight fire with fire.

The year of the phish

To respond, organizations must move their focus from trying to protect against software and hardware exploits to protections against human hacking attacks happening in every communication medium.

The numbers indicate that phishing is the new battlefield in the fight against cyberattacks. It is estimated that 91 percent of all cyberattacks – mostly ever-increasing ransomware attacks – begin with spear-phishing, and that the global cost of ransomware recovery will exceed $20 billion in 2021. Attackers are successfully luring people into installing malicious browser extensions that hijack already authenticated sessions and stealing credentials at an increasingly concerning rate, so more must be done to shore up an organization’s defenses.

Technological change

Ongoing employee training is essential, but the endpoints must also be protected with an on-device AI phishing defense, one that combines natural language and link-based detection to protect users from the exponential increase in mobile-based smishing attacks. This approach also enhances the MFA security layer by inspecting URLs at cloud-scale using virtual browsers that overcome sophisticated evasion techniques.

Think of this as Phishing Defense 2.0 in the cybersecurity playbook. No organization can be assured that employees will stop clicking on phishing links or falling prey to exploits that bypass MFA. By combining natural language processing, computer vision, and behavioral analysis, a company can detect and block threats hours and even days before more traditional solutions catch up.

Constant vigilance leveraging zero trust combined with automated, AI, and ML-driven technology is the new weapon against attacks that exploit the human element. An effective strategy is a multi-layered approach that delivers agility to adapt to evolving threat vectors. MFA remains a vital piece of an effective phishing defense, but it is only a piece – there must be additional defensive measures in place to keep company data and systems as secure as possible.