The financial sector has long been a primary target for threat actors. However, the unique infrastructure of core financial systems means these critical resources often fall outside the scope of standard security solutions.
Multifactor authentication (MFA) is one such solution. We ask Yiftach Keshet, Director of Product Marketing at Silverfort, what the limitations of traditional MFA are for the finance industry, and what can be done to start protecting these "unprotectable" core systems.
Q: What are the security challenges with traditional MFA?
Multifactor authentication (MFA) has become something of a default secondary line of defence against credential theft. Requiring users to input two or more verification factors in addition to their username/password combination makes it much more difficult for threat actors to simply access the network with credentials stolen through phishing or a previous breach.
However, the system is far from perfect and presents several challenges. One issue is that MFA is rarely fully supported by legacy banking infrastructure or command-line access to servers and workstations.
Kerberos and NTLM, two of the most common authentication protocols in on-premises environments, don’t support MFA. As such, an attacker who has infiltrated the network and managed to obtain user credentials will be able to access critical servers without going through the MFA process.
Alongside this, traditional MFA is usually deployed at the resource level. In a high-scale environment, this practically means that full coverage of all resources with agents or proxies will never take place. Additionally, as businesses continue to grow their digital footprints, the resources required to deploy, configure and maintain MFA quickly increase. This can quickly become unmanageable, particularly in the financial sector, where digital transformation has been a leading priority for the last few years.
As a result of these issues, core banking resources are often excluded from MFA protection. This greatly increases the organisation’s risk exposure, as threat actors that make it inside the network may potentially gain full access to critical systems with few effective checks or barriers.
Financial organisations need to change their approach to MFA if they are to close this critical gap in their defences.
Q: How can these challenges be overcome?
The shortcomings of traditional MFA can be overcome with a new model known as Unified Threat Protection. Rather than being applied individually at a resource level, this is an agentless, proxyless approach that natively integrates with the organisation’s Active Directory and Identity and Access Management (IAM) solutions. This means it can be uniformly applied to continuously monitor, analyse and enforce MFA policies across the entire environment.
Because all authentication requests are handled through the organisation’s IAM solution, directly integrating MFA at this point solves the coverage problem. Not only is it far easier to scale MFA as the organisation’s IT footprint expands, but an MFA layer can now also be applied to core banking infrastructure that was previously unprotected.
Q: What are the use cases for using MFA to improve safety practices for banking?
There are multiple financial use cases that stand to benefit from the Unified Threat Protection approach to MFA.
The first and foremost of these is access to the banking applications that don’t natively support MFA today. This new approach enables them for the first time to obtain the same level of secure access that modern SaaS applications have.
Remote access tools, for example, have become extremely important in the new world of remote and hybrid workforces. However, because standard MFA typically needs to be deployed individually to each endpoint, it is common to find that many machines in the environment are not protected, creating a critical attack path for threat actors. The new agentless MFA model can be directly integrated with Active Directory, ensuring that all machines are equally protected, regardless of location.
In another example, admins at financial institutions typically use command-line tools such as PsExec, Remote PowerShell, and WMI for configuring, managing and troubleshooting machines in their environments. However, these same toolsets are exploited by threat actors to spread ransomware and achieve lateral movement. If the authentication protocol of command-line tools is not protected by MFA, attackers can use these tools to access and manipulate the system.
Again, the agentless and proxyless nature of the Unified Threat Protection model closes this gap as all core systems will require MFA, significantly slowing or even completely stopping any threat actor within the network.
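The answer above notes that admin command-line tools such as PsExec, Remote PowerShell and WMI authenticate over protocols that traditional MFA cannot gate, so their use by an attacker is indistinguishable at the protocol level from legitimate administration. The following is an added example, not code from the interview or from Silverfort, showing the kind of detection a defender can run in the meantime: it correlates a Windows Security network logon (Event ID 4624, logon type 3) with a PsExec service installation (System Event ID 7045, service name PSEXESVC) on the same host within a short window, and separately counts NTLM network logons per source address. The event records below are constructed for illustration and are not real telemetry; the field names and the window size are assumptions of this example.

```python
"""Added example: correlate Windows logon and service-install events to
flag PsExec-style lateral movement. Sample events are constructed."""
from datetime import datetime, timedelta
from collections import Counter

# Constructed sample events (not real telemetry). Field names are this
# example's own simplification of the Windows event schema.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "host": "CORE-DB01", "event_id": 4624,
     "logon_type": 3, "auth_package": "Kerberos", "user": "svc_backup",
     "src_ip": "10.0.5.20"},
    {"time": "2024-03-01T09:02:10", "host": "CORE-DB01", "event_id": 4624,
     "logon_type": 3, "auth_package": "NTLM", "user": "jsmith",
     "src_ip": "10.0.9.77"},
    {"time": "2024-03-01T09:02:12", "host": "CORE-DB01", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2024-03-01T09:30:00", "host": "FILE01", "event_id": 4624,
     "logon_type": 3, "auth_package": "NTLM", "user": "jsmith",
     "src_ip": "10.0.9.77"},
    {"time": "2024-03-01T11:00:00", "host": "APP02", "event_id": 7045,
     "service_name": "Backup Agent",
     "image_path": "C:\\Program Files\\Backup\\agent.exe"},
]

PSEXEC_SERVICE_NAMES = {"psexesvc"}  # default PsExec service name


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_psexec_lateral_movement(events, window_seconds=60):
    """Return one finding per PsExec service install that is preceded by a
    network logon (4624, type 3) on the same host within window_seconds.
    The logon tells us which account and source address drove the install."""
    window = timedelta(seconds=window_seconds)
    logons = [e for e in events
              if e["event_id"] == 4624 and e.get("logon_type") == 3]
    findings = []
    for svc in events:
        if svc["event_id"] != 7045:
            continue
        if svc.get("service_name", "").lower() not in PSEXEC_SERVICE_NAMES:
            continue
        svc_time = _ts(svc)
        for logon in logons:
            if logon["host"] != svc["host"]:
                continue
            delta = svc_time - _ts(logon)
            if timedelta(0) <= delta <= window:
                findings.append({
                    "host": svc["host"],
                    "user": logon["user"],
                    "src_ip": logon["src_ip"],
                    "auth_package": logon["auth_package"],
                    "logon_time": logon["time"],
                    "service_time": svc["time"],
                })
    return findings


def ntlm_network_logons_by_source(events):
    """Count NTLM network logons per source IP. A workstation address that
    authenticates over NTLM to many servers is the 'no MFA gate' path the
    interview describes and is worth reviewing even without a PsExec hit."""
    counts = Counter()
    for e in events:
        if (e["event_id"] == 4624 and e.get("logon_type") == 3
                and e.get("auth_package") == "NTLM"):
            counts[e["src_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in find_psexec_lateral_movement(SAMPLE_EVENTS):
        print(f"PsExec on {f['host']} by {f['user']} from {f['src_ip']} "
              f"({f['auth_package']}) at {f['service_time']}")
    print("NTLM network logons by source:",
          ntlm_network_logons_by_source(SAMPLE_EVENTS))
```

The window and the single service name are deliberately narrow; PsExec can be run with a renamed service, and WMI or Remote PowerShell leave no 7045 at all, so in practice this rule is one signal alongside process-creation and WinRM logging, not a substitute for gating the logon itself.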
Q: How can a bank bolster its cyber resiliency against ransomware with MFA?
Ransomware has begun to dominate the threat landscape in recent years. Financial organisations have a lot to lose, because a ransomware outbreak rampaging through their core systems could cripple the enterprise and cost millions in lost business and recovery efforts – even before factoring in legal and regulatory impact if customer data is compromised. File shares are a common method for accessing systems and propagating ransomware to increase its impact.
Traditional MFA has proven to be ineffective against the threat of ransomware, as it cannot be applied to file shares managed by a CIFS (Common Internet File System) authentication protocol. However, a Unified Identity Protection MFA can cover this gap as it can apply coverage through Active Directory, regardless of which protocols are being used.