The average breach takes 3-6 months of recon before an attacker makes their move. It then takes an organization roughly 197 days to identify a breach, then another 70 days to contain it, according to IBM. Twosense Continuous MFA detects a malicious user within one minute.
In an ever-changing digital landscape, it is imperative that organizations are one step ahead of threat actors.
BPOs Are At High Risk
BPOs are particularly attractive breach targets because attackers know they are a back door into their customers’ infrastructure. While targeting contact centers is not new, it has become more common. An example of this is the Okta breach that occurred earlier this year, when a threat actor gained access to sensitive information via an agent at Sitel’s contact center, subsequently compromising some of their clients’ information.
RDP Attacks Are Becoming More Common
A Remote Desktop Protocol (RDP) attack is a type of data breach carried out through a user’s remote desktop protocol session. RDP allows one computer to connect to and control another computer, or a network, remotely, without physical access to it.
The Anatomy Of A Data Breach
As data breaches become increasingly common and threats constantly evolve, security practices must evolve with them. There were 4,145 publicly disclosed breaches that exposed over 22 billion records in 2021 alone.
What is a data breach? A data breach occurs when security infrastructure is bypassed in order to gain access to a network or system, and sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual who is not authorized to do so. Other terms are unintentional information disclosure, data leak, information leakage, and data spill.
How data breaches happen:
Research: The cybercriminal looks for a weakness in the target's people, systems, or networks. This may include conducting research on the company’s employees and infrastructure. This phase can take months before an attacker gains the credentials they need.
Credential Theft: The cybercriminal obtains stolen credentials through cybercriminal marketplaces or via social attacks such as phishing emails, spam that carries malware, or even gaining physical access to the company's premises by posing as office housekeeping staff.
Lateral Movement: The attacker uses infrastructure, system, and application weaknesses as well as techniques like SQL injection, vulnerability exploitation, session hijacking, and the like in order to further penetrate the targeted organization's network. This phase can also take months before the attacker finds the valuable data they want.
Exfiltration: The cybercriminal extracts data and transmits it back to themselves. This data can be proprietary or sensitive in nature, or can comprise credentials needed for another attack or for gaining higher privileges inside the target’s network. The cybercriminal may have to stage more than one attack to gather enough information and gain a foothold in the targeted systems in order to keep transmitting data.
An additional element that is often overlooked is human error. In fact, Gartner found in a 2019 study that 25% of all data breaches could be attributed to human error. All it takes is a single employee innocently but unknowingly making a mistake, such as falling for a phishing attempt or approving an attacker-triggered push notification (known as prompt bombing, a well-known tactic used by Lapsus$), to defeat an org’s security perimeter.
Breaches Preventable With Continuous MFA
The Sitel/Okta breach occurred when Lapsus$ used social engineering to gain access to a customer support engineer's system, which allowed them to access vital information and settings. Lapsus$ is a notorious threat actor group also tracked as DEV-0537.
Robinhood 2020 - Unknown
The Robinhood breach started with a phone call to Robinhood’s customer support, according to the statement that was released. The hacker relied on social engineering to convince an employee to provide "access to certain customer support systems," Robinhood said, circumventing all of the security and access control systems.
SolarWinds 2020 - Nobelium
In this hack, the suspected state-sponsored group Nobelium (often referred to simply as the SolarWinds Hackers by researchers) gained access to the networks, systems, and data of thousands of SolarWinds customers. The scope of the hack was unprecedented; it was one of the largest, if not the largest, of its kind to date.
How Continuous MFA Would Have Prevented the Breaches
In many cases, the attack would have never reached the customer network if the user hadn’t been fooled or annoyed into granting the attacker access. Twosense does not give the user the power to hand off a key or incorrectly respond to a push notification.
Notice the first RDP attack
Twosense Continuous MFA can detect a malicious user within one minute when they remote into a machine that has the Twosense agent installed. When attacks take months, reacting within one minute solves the problem before it can grow.
Lock the user out when their present behavior doesn’t match their historic behavior
The user’s session can be resumed once backup MFA has been passed or a supervisor gets involved. With supervisors in the loop, the user’s identity can be confirmed by a manager who checks video footage or contacts the user. This step does not require IT involvement.
Get the security team involved
If a user cannot pass a fallback MFA check, or if a manager can’t verify their identity, Twosense will notify the IT or Security Ops team to begin an investigation.
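The three steps above (lock on a behavioral mismatch, resume on fallback MFA or supervisor verification, otherwise notify Security Ops) form a small decision path. The following is an added example modelling that path as a state machine; it is not Twosense code, and the behavioral feature (mean keystroke interval), the z-score threshold, and the sample history are constructed for illustration.

```python
"""Added example (not Twosense code): lock / fallback MFA / supervisor /
Security Ops escalation path, driven by a constructed behavioural baseline."""
from dataclasses import dataclass, field
from enum import Enum
from statistics import mean, pstdev


class State(Enum):
    ACTIVE = "active"        # user working normally
    LOCKED = "locked"        # behaviour deviated from history; session frozen
    ESCALATED = "escalated"  # fallback checks failed; SecOps notified


@dataclass
class Baseline:
    """Historic behaviour summary (here: mean keystroke interval in ms)."""
    mu: float
    sigma: float

    @classmethod
    def from_samples(cls, samples):
        # Floor sigma so a perfectly regular history cannot divide by zero.
        return cls(mean(samples), max(pstdev(samples), 1e-6))


def deviates(baseline: Baseline, observed: float, z_max: float = 3.0) -> bool:
    """True when the observed value lies more than z_max std devs from history."""
    return abs(observed - baseline.mu) / baseline.sigma > z_max


@dataclass
class Session:
    user: str
    state: State = State.ACTIVE
    notifications: list = field(default_factory=list)


def evaluate(session: Session, baseline: Baseline, observed: float) -> State:
    """Continuous check: lock an active session when present behaviour does not match."""
    if session.state is State.ACTIVE and deviates(baseline, observed):
        session.state = State.LOCKED
    return session.state


def attempt_resume(session: Session, fallback_mfa_passed: bool,
                   supervisor_verified: bool) -> State:
    """Resume on fallback MFA or supervisor confirmation; otherwise escalate to SecOps."""
    if session.state is not State.LOCKED:
        return session.state
    if fallback_mfa_passed or supervisor_verified:
        session.state = State.ACTIVE
    else:
        session.state = State.ESCALATED
        session.notifications.append(f"SecOps: investigate session of {session.user}")
    return session.state


# Constructed sample history: one agent's mean keystroke intervals (ms) per window.
HISTORY = Baseline.from_samples([118, 122, 125, 119, 121, 124, 120, 123])
```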
The Ultimate Protection
When it comes to protecting customer data it is crucial to have solutions that work. With continuous monitoring and phishing-resistant biometrics, Twosense Continuous MFA is able to detect every attempt to access a protected machine by a malicious user. This enables teams to deploy multi-factor authentication everywhere, while simultaneously increasing the security posture of the organization without negatively impacting usability or agent efficiency.