Mitigating against the “original” APT – Annoyingly Persistent Teenager

The Annoyingly Persistent Teenager strikes again!

Anyone who has raised children gets nagged on a regular basis, we either agree out of abject frustration or lose our temper, feel guilty and ultimately give into a “negotiated settlement”.

The capacity for children, particularly in their early teens, to repeatedly and without relent ask over and over for something is truly magnificent.

In the world of cyber security, this capacity to “nag” has been weaponized to great success by threat actors still within their teens. If you have been reading the news recently, you may have noticed the Uber cyber-attack where a contractor was nagged for their multi-factor authentication (MFA)  acknowledgment until they finally relented and clicked the “Approve” button.

At this point you are probably asking yourself “but how did the attacker get the contractors password?”. Though those details were not shared, passwords paired with a second factor of authentication still suffer the same weaknesses that they had before MFA came into the picture. Users reuse passwords across many sites and services and if one of those services suffers a breach, the user risks having that password reused in other services where they may have accounts.

Here are three steps to better mitigate against the original APT,

1. Do not be lulled into a false sense of security because you have MFA. Both users and organizations let slip password hygiene because they have a second factor of authentication in place which – as this most recent attack shows – can be overcome simply by being annoying.
2. Factor-in signals from the MFA authorization process into the decision of granting access. The correct password repeatedly given followed by a few dozen rejected MFA prompts should be flagged and the user – if they do ultimately log-in – should be challenged for a numeric verification which is a feature in many MFA platforms.
3. Be realistic about your expectations of employee/contractor training. Employee awareness is a critical part of any cyber security strategy, but organizations often have wildly optimistic expectations from one or two hours of training per year, especially when that training is meant to overcome basic human nature.