Mitigating against the “original” APT – Annoyingly Persistent Teenager

By Nader Henein | September 24, 2022



The Annoyingly Persistent Teenager strikes again!

Anyone who has raised children gets nagged on a regular basis. We either agree out of abject frustration or lose our temper, feel guilty, and ultimately give in to a “negotiated settlement”.

The capacity of children, particularly in their early teens, to ask for something over and over without relenting is truly magnificent.

In the world of cyber security, this capacity to “nag” has been weaponized to great success by threat actors still within their teens. If you have been reading the news recently, you may have noticed the Uber cyber-attack, in which a contractor was nagged for their multi-factor authentication (MFA) acknowledgment until they finally relented and clicked the “Approve” button.

At this point you are probably asking yourself, “But how did the attacker get the contractor’s password?” Though those details were not shared, passwords paired with a second factor of authentication still suffer from the same weaknesses they had before MFA came into the picture. Users reuse passwords across many sites and services, and if one of those services suffers a breach, the user risks having that password reused against other services where they may have accounts.

Here are three steps to better mitigate against the original APT:

  1. Do not be lulled into a false sense of security because you have MFA. Both users and organizations let password hygiene slip because they have a second factor of authentication in place which – as this most recent attack shows – can be overcome simply by being annoying.
  2. Factor signals from the MFA authorization process into the decision to grant access. The correct password given repeatedly, followed by a few dozen rejected MFA prompts, should be flagged, and the user – if they do ultimately log in – should be challenged for a numeric verification, which is a feature of many MFA platforms.
  3. Be realistic about your expectations of employee/contractor training. Employee awareness is a critical part of any cyber security strategy, but organizations often have wildly optimistic expectations of one or two hours of training per year, especially when that training is meant to overcome basic human nature.
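The signal described in step 2 can be expressed as a small detection rule. The following is an added example, not code from the original post or from any MFA product; the event names, the log schema, the window, the threshold and the `step_up_number_match` decision label are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed look-back window
THRESHOLD = 5                   # assumed number of rejected prompts that triggers a flag
REJECTED = {"mfa_denied", "mfa_timeout"}

# Constructed sample events: (ISO timestamp, user, event). Hypothetical schema.
SAMPLE = (
    [("2024-01-01T01:00:00", "bob", "password_ok")]
    + [(f"2024-01-01T01:{m:02d}:30", "bob", "mfa_denied") for m in range(1, 7)]
    + [("2024-01-01T01:08:00", "bob", "mfa_approved"),
       ("2024-01-01T09:00:00", "alice", "password_ok"),
       ("2024-01-01T09:00:05", "alice", "mfa_denied"),
       ("2024-01-01T09:00:40", "alice", "mfa_approved")]
)

def evaluate(events, window=WINDOW, threshold=THRESHOLD):
    """Return (timestamp, user, decision) tuples: 'alert', 'allow' or 'step_up_number_match'."""
    rejected = defaultdict(deque)  # user -> times of recent rejected/ignored prompts
    decisions = []
    for ts_raw, user, event in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        recent = rejected[user]
        while recent and ts - recent[0] > window:  # drop prompts outside the window
            recent.popleft()
        if event in REJECTED:
            # A push prompt is only sent after a correct password (assumption), so
            # each rejected prompt also implies one more valid-password attempt.
            recent.append(ts)
            if len(recent) == threshold:
                decisions.append((ts_raw, user, "alert"))  # flag when threshold is reached
        elif event == "mfa_approved":
            # An approval that follows a burst of rejections is not trusted on its own.
            fatigued = len(recent) >= threshold
            decisions.append((ts_raw, user, "step_up_number_match" if fatigued else "allow"))
            recent.clear()
    return decisions

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(*row)
```

On the constructed sample, the account that rejected six prompts in a few minutes is flagged and its eventual approval is routed to numeric verification, while a single mistaken denial followed by an approval is allowed.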
