![\"Retail](\"https:\/\/dmsretail.com\/RetailNews\/wp-content\/uploads\/2022\/05\/RETAIL-ONLINE-TRAINING-728-X-90.png\")
<\/a><\/p>\n<\/p>\n
Let\u2019s say that, during the middle of a busy day, you receive what looks like a work-related email with a QR code. The email claims to come from a coworker, requesting your help in reviewing a document.\u00a0 You scan the QR code with your phone and it takes you to what looks like a Microsoft 365 sign-in page. You enter your credentials; however, nothing seems to load.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n Not thinking much of it, and being a busy day, you continue to go about your work. A couple minutes later a notification buzzes your phone. Not picking it up immediately, another notification comes. Then another, and another after that.\u00a0<\/span>\u00a0<\/span><\/p>\n Wondering what\u2019s going on, you grab the phone to find a series of multi-factor authentication (MFA) notifications. You had just attempted to log into Microsoft 365, maybe there was a delay in receiving the MFA notification? You approve one and return to the Microsoft 365 page. The page still hasn\u2019t loaded, so you get back to work and resolve to check it later.<\/span>\u00a0<\/span><\/p>\n This is very similar to an attack that Cisco Talos Intelligence discusses in their latest <\/span>Talos Incident Response (IR) Quarterly Report<\/span>. In this case the Microsoft 365 sign-in page was fake, set up by threat actors. These attackers used compromised credentials to repeatedly attempt to sign in to the company\u2019s real Microsoft 365 page, triggering the series of MFA notifications\u2014an attack technique known as <\/span>MFA exhaustion<\/span>. In the end, some employees who were targeted approved the MFA requests and the attackers gained access to these accounts.<\/span>\u00a0<\/span><\/p>\n While the use of QR codes is a relatively recent development in phishing, attacks like the one described by Talos have been around for years. Most phishing attacks employ similar social engineering techniques to trick users into turning over their credentials. <\/span>Phishing is frequently one of the top means of gaining initial access<\/span> in the Talos Incident Response Quarterly Report.\u00a0<\/span>\u00a0<\/span><\/p>\n Attackers hammering MFA-protected accounts is also a concerning development in the identity threat landscape. But sadly, most successful credential compromise attacks occur with accounts that don\u2019t have MFA enabled.\u00a0<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n According to this <\/span>quarter\u2019s Talos IR report<\/span>, using compromised credentials on valid accounts was one of two top initial access vectors. This aligns with findings from Verizon\u2019s <\/span>2023 Data Breach Investigations Report<\/span>, where the use of compromised credentials was the top first-stage attack (initial access) in 44.7% of breaches.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n The silver lining is that this appears to be improving. Early last year, in <\/span>research published by Oort<\/span>1<\/span>, now a part of Cisco, found that 40% of accounts in the average company had weak or no MFA in the second half of 2022. Looking at updated telemetry from February 2024, this number has dropped significantly to 15%. The change has a lot to do with wider understanding of identity protection, but also an increase in awareness thanks to an uptick in attacks that have targeted accounts relying on base credentials alone for protection.<\/span>\u00a0<\/span><\/p>\n Phishing, while one of the most popular methods, isn\u2019t the only way that attackers gather compromised credentials. Attackers often attempt to <\/span>brute force<\/span> or <\/span>password spraying<\/span> attacks, deploying <\/span>keyloggers<\/span>, or <\/span>dumping credentials<\/span>.<\/span>\u00a0<\/span><\/p>\n These are just a few of the techniques that threat actors use to gather credentials. For a more elaborate explanation, Talos recently published an excellent breakdown of <\/span>how credentials are stolen and used by threat actors<\/span> that is worth taking a look at.<\/span>\u00a0<\/span><\/p>\n Why might an attacker, who has already gained access to a computer, attempt to gain new credentials?\u00a0 Simply put, not all credentials are created equal.<\/span>\u00a0<\/span><\/p>\n While an attacker can gain a foothold in a network using an ordinary user account, it\u2019s unlikely they\u2019ll be able to further their attacks due to limited permissions. It\u2019s like having a key that unlocks one door, where what you\u2019re really after is the skeleton key that unlocks all the doors.<\/span>\u00a0<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n That skeleton key would be a high-level access account such as an administrator or system user. Targeting administrators makes sense because their elevated privileges allow an attacker more control of a system. And target them they do. According to Cisco\u2019s telemetry, administrator accounts see three times as many failed logins as a regular user account.\u00a0<\/span>\u00a0<\/span><\/p>\n Another resource threat actors target is credentials for accounts that are no longer in use. These dormant accounts tend to be legacy accounts for older systems, accounts for former users that have not been cleared from the directory, or temporary accounts that are no longer needed. Sometimes the accounts can include more than one of the above options, and even include administrative privileges.\u00a0<\/span>\u00a0<\/span><\/p>\n Dormant accounts are an often-overlooked security issue. According to Cisco\u2019s telemetry, 39% of the total identities within the average organization have had no activity within the last 30 days. This is a 60% increase from 2022.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n Guest accounts are an account type that repeatedly gets overlooked. While a convenient option for temporary, restricted access, these often password-free accounts are frequently left enabled long after they are needed.\u00a0<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n And their use is increasing. In February 2024, almost 11% of identities examined are guest accounts\u2014 representing a 233% jump from the 3% reported in 2022. While we can only speculate, it is possible that cloud-adoption and remote work contributed to this rise, as enterprises used temporary accounts to stage new services and applications or enable remote workloads in the short-term. The use of temporary accounts is understandable, but if they\u2019re forgotten or ignored, these shortcuts represent a serious risk.\u00a0<\/span>\u00a0<\/span><\/p>\n It goes without saying that protecting credentials from being compromised and abused is important. However, eradicating this threat is challenging.\u00a0<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n One of the best ways to defend against these attacks is by using MFA. Simply confirming that a user is who they say they are\u2014by checking on another device or communication form\u2014can go a long way towards preventing compromised credentials from being used.\u00a0<\/span>\u00a0<\/span><\/p>\n Duo MFA<\/span>, now available as part of <\/span>Cisco User Protection Suite<\/span>, provides robust security that is flexible for users, but rigid against the use of compromised credentials. The interface provides a simple and fast, non-disruptive authentication experience, helping users focus their time on what matters most.<\/span>\u00a0<\/span><\/p>\n No doubt, deploying MFA can help in prevent compromised credential abuse. However, it isn\u2019t a silver bullet. There are a few ways that threat actors can sidestep MFA.\u00a0<\/span>\u00a0<\/span><\/p>\n Some MFA forms, such as those that use SMS, can be manipulated by threat actors. In these cases\u2014frequently referred to as <\/span>Adversary in the Middle (AitM)<\/span> attacks\u2014the attacker intercepts the MFA SMS, either through social engineering or by compromising the mobile device. The attacker can then input the MFA SMS when prompted and gain access to the targeted account.<\/span>\u00a0<\/span><\/p>\n The good news here is that there has been a drop in the use of SMS as a second factor. In 2022, 20% of logins leveraged SMS-based authentication. As of February 2024, this number has declined 66%, to just 6.6% of authentications. That is a tremendous change, and a positive one at that. In addition to AitM attacks, <\/span>SIM swapping<\/span> attacks have all but rendered SMS-based authentication checks useless.\u00a0<\/span>\u00a0<\/span><\/p>\n This is backed up by research coming from the <\/span>2024 Duo Trusted Access Report<\/span>,<\/span> where using SMS texts and phone calls as a second factor has dropped to 4.9% of authentications, compared to 22% in 2022.<\/span>\u00a0<\/span><\/p>\n If you really want to reduce your reliance on passwords when confirming credentials, another option is <\/span>Duo\u2019s passwordless authentication<\/span>. Passwordless authentication is a group of identity verification methods that don\u2019t rely on passwords at all. <\/span>Biometrics<\/span>, security keys, and passcodes from authenticator apps can all be used for passwordless authentication.<\/span>\u00a0<\/span><\/p>\n Based on the numbers, passwordless is the new trend. In 2022, phishing resistant authentication methods such as passwordless accounted for less than 2% of logins. However, in 2024, Cisco\u2019s telemetry shows this number is climbing, currently representing 20%, or nearly a 10x increase. This is great news, but still highlights a critical point\u201480% are still not using strong MFA.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n Recall the MFA exhaustion attack Talos described in their latest IR report.\u00a0<\/span>\u00a0<\/span><\/p>\n Talos\u2019 example does highlight how there are select circumstances where attackers can still get past MFA. A distracted or frustrated user may simply accept a notification just to silence the application. In this case, user education can go a long way towards preventing these attacks from succeeding, but there is more that can be done.\u00a0<\/span>\u00a0<\/span><\/p>\n Cisco has recently introduced the first-of-its-kind <\/span>Cisco Identity Intelligence<\/span> to help protect against identity-based attacks like these. This groundbreaking technology can detect unusual identity patterns, based on behavior, when combined with Duo.\u00a0<\/span>\u00a0<\/span><\/p>\n To illustrate, let\u2019s look at when the threat actor begins hammering the login with the compromised credentials. Identity Intelligence can recognize anomalies such as MFA floods, as well as the moment the user gets annoyed and accepts the request.\u00a0<\/span>\u00a0<\/span><\/p>\n It can also pinpoint anomalies such as a user signing in from an unmanaged device in a location that would be impossible for them to reach\u2014say Peculiar, Missouri\u2014given they had just logged in an hour ago from Normal, Illinois.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n Cisco Identity Intelligence will directly address the visibility gap between authenticated identities and trusted access by a data-driven and AI-first approach. Cisco Identity Intelligence is a multi-sourced, vendor agnostic, investment-preserving solution that works across the existing identity stack and brings together authentication and access insights to deliver a very strong security defense.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n Cisco customers interested in signing up for the public preview <\/span>can fill out a request to join<\/span> today.\u00a0<\/span>\u00a0<\/span><\/p>\n We\u2019d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!<\/em><\/p>\n Cisco Security Social Channels<\/strong><\/p>\n Instagram<\/strong> Share:<\/p>\n \n \t<\/div>\nMore than the annoyance of changing your password\u00a0<\/span><\/strong><\/h2>\n
![\"\"](\"https:\/\/storage.googleapis.com\/blogs-images\/ciscoblogs\/1\/2024\/04\/Cisco-Identity-Intelligence-Blog-Graphic_1-1-1024x535.jpg\")
<\/p>\nHow credentials are compromised\u00a0<\/span><\/strong><\/h2>\n
Not all credentials are created equal\u00a0<\/span><\/strong><\/h2>\n
![\"\"](\"https:\/\/storage.googleapis.com\/blogs-images\/ciscoblogs\/1\/2024\/04\/Cisco-Identity-Intelligence-Blog-Graphic_2-1-1024x536.jpg\")
<\/p>\n![\"\"](\"https:\/\/storage.googleapis.com\/blogs-images\/ciscoblogs\/1\/2024\/04\/Cisco-Identity-Intelligence-Blog-Graphic_3-1-1024x536.jpg\")
<\/p>\nReducing the impact of compromised credentials\u00a0<\/span><\/strong><\/h2>\n
MFA is not a silver bullet\u00a0<\/span><\/strong><\/h2>\n
![\"\"](\"https:\/\/storage.googleapis.com\/blogs-images\/ciscoblogs\/1\/2024\/04\/Cisco-Identity-Intelligence-Blog-Graphic_4-1-1024x537.jpg\")
<\/p>\nGoing passwordless\u00a0<\/strong><\/span><\/h2>\n
![\"\"](\"https:\/\/storage.googleapis.com\/blogs-images\/ciscoblogs\/1\/2024\/04\/Cisco-Identity-Intelligence-Blog-Graphic_5-1-1024x536.jpg\")
<\/p>\nProtecting MFA from threat actors\u00a0<\/span><\/strong><\/h2>\n
![\"\"](\"https:\/\/storage.googleapis.com\/blogs-images\/ciscoblogs\/1\/2024\/04\/Cisco-Identity-Intelligence-Blog-Graphic_6-1-1024x536.jpg\")
<\/p>\n
Facebook<\/strong>
Twitter<\/a><\/strong>
LinkedIn<\/strong><\/p>\n