Is Multifactor Authentication Changing the Threat Landscape?

Changes to the cybersecurity threat landscape are constant and dynamic: threat actor groups come and go, alter tactics, techniques and procedures (TTPs) and adjust to new defensive mechanisms. Over time, both cyber criminal gangs and nation-state actors endure arrests and swap individuals in what can appear to be an ongoing arms race between good and evil.

Occasionally, new technologies have the power to shift the threat landscape in a dramatic fashion. When these shifts favor defenders, they provide confidence that progress is on the defenders' side. X-Force data shows the early signs of one of these dramatic shifts right now, as more organizations implement multifactor authentication (MFA). A shift in how attackers gain an initial foothold in organizations may prove that MFA is forcing more threat actors to abandon using stolen credentials to gain unauthorized access into systems.

X-Force incident response data from 2020 reveals a significant decrease in business email compromise (BEC) attacks and attackers’ use of credential theft or brute force as an initial infection vector. For attackers that rely on stolen credentials, MFA is now creating effective barriers to success, and X-Force has observed cases in which threat actors immediately abandoned operations after encountering an MFA prompt.

Is MFA the end-all? Obviously, attacker skill and motivations play a major role in how they approach intrusion and account takeover — including methods for circumventing MFA — but for the attackers who cannot tackle MFA, we could be looking at the beginning of a new era.

Business Email Compromise Attacks Are Down

One of the symptoms X-Force correlated with an increase in clients’ implementation of MFA is a 38% drop in BEC attacks between 2019 and 2020. BEC attacks accounted for only 9% of all attacks observed by X-Force in 2020, compared to 14% of all attacks in 2019. This trend is good news, as BEC attacks have siphoned billions of dollars out of organizations worldwide, right into the hands of attackers.


X-Force is certainly not the only organization watching BEC attacks. The FBI, which tracks these attacks based on victim complaints, noted a 19% decrease in the number of BEC complaints in 2020. In fact, the number of FBI complaints in 2020 (19,369) was at its lowest in three years, compared to 23,775 complaints in 2019 and 20,373 complaints reported in 2018.

