Overview

Overseas MFA failure

The overseas MFA failure alert is triggered when an authentication attempt from a country outside the allowed list is almost successful (the username and password are accepted) but does not complete because the Multi-Factor Authentication (MFA) step fails.


Impact

Real world impact

Problems Faced

If you have team members working from multiple countries, you can specify the required countries as allowed. If a user account fails to complete MFA from outside the allowed countries list, the alert is triggered. This alert is designed to help detect accounts whose username and password have been compromised or hijacked, with only MFA standing in the way of a complete login (and account compromise).

Solution

How is this check useful in the real world? As a simple example, take a user account (say Harry). Harry is located in Australia. If Harry's account one day almost logs in, barring MFA, from a different country (say the UK), that might be a sign of a compromised account. If it was not Harry travelling, it might be a sign of an almost compromised account: whilst the attacker does not have complete control of the account yet, the username and password may already be compromised. If the login was not from Harry, we would suggest an immediate password change, a review of login history, and an investigation into the source of the potential compromise.

 

Prevention

What are the main questions you should consider when working out how to manage this risk?

 

  • Do you have any system or solution in place to detect overseas MFA failures?
  • If an overseas login were rejected only because of MFA today, would you find out?
  • How long do you think it would take to find out that one of your user accounts was compromised in every respect except MFA?
  • Have you ever checked your system for overseas MFA failures?
  • What would the impact be on your organisation if a user account was compromised for an extended period of time without detection?
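The detection rule described above (password accepted, MFA failed, source country not in the allowed list), as an added example run over constructed sign-in records; it is not code from the product this page describes, and the record fields, the country codes and the user names are assumptions:

```python
"""Flag 'overseas MFA failure' events: primary credentials accepted,
MFA failed, and the source country is outside the allowed list."""
from dataclasses import dataclass

# Countries this (hypothetical) team is expected to sign in from.
ALLOWED_COUNTRIES = {"AU"}

# Constructed sample sign-in records; the field names are assumptions,
# not a real product's log schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:02:11Z", "user": "harry", "country": "AU",
     "password_ok": True, "mfa": "success"},
    {"ts": "2024-05-01T23:41:07Z", "user": "harry", "country": "GB",
     "password_ok": True, "mfa": "failure"},      # the alert case
    {"ts": "2024-05-02T01:15:30Z", "user": "harry", "country": "GB",
     "password_ok": False, "mfa": "not_attempted"},  # wrong password
    {"ts": "2024-05-02T09:10:00Z", "user": "sally", "country": "AU",
     "password_ok": True, "mfa": "failure"},      # MFA mistake at home
    {"ts": "2024-05-02T11:20:45Z", "user": "sally", "country": "US",
     "password_ok": True, "mfa": "success"},      # completed login
]


@dataclass(frozen=True)
class Alert:
    user: str
    country: str
    ts: str


def is_overseas_mfa_failure(event, allowed=ALLOWED_COUNTRIES):
    """True only when the password was accepted, MFA then failed, and the
    source country is not allowed. A wrong password never qualifies (the
    account is not 'almost' compromised), an MFA failure from an allowed
    country is an ordinary user error, and a completed overseas login is
    a different alert, not this one."""
    return (event["password_ok"]
            and event["mfa"] == "failure"
            and event["country"] not in allowed)


def overseas_mfa_failures(events, allowed=ALLOWED_COUNTRIES):
    """Return one Alert per qualifying event, in log order."""
    return [Alert(e["user"], e["country"], e["ts"])
            for e in events if is_overseas_mfa_failure(e, allowed)]


if __name__ == "__main__":
    for a in overseas_mfa_failures(SAMPLE_EVENTS):
        print(f"ALERT {a.ts} user={a.user} country={a.country}: "
              "password accepted, MFA failed outside allowed countries")
```

Adding a country to the allowed set (for a team member who genuinely works there) silences the alert for that country only; it does not suppress MFA failures from anywhere else.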

