Knowing where access attempts come from, the key to MFA

Cyberattacks in the field of geopolitics are playing an increasingly important role. 2020 was an intense year during which the pandemic was used for disinformation campaigns and there were serious incidents caused by groups linked to foreign powers. One of the most striking cases of 2021 occurred last month: the German government has revealed that it has "reliable information" that recent cyberattacks against member states of the European Union are the work of Russian "actors" linked to the GRU and Russian intelligence agency.  

This cyber campaign has been dubbed "Ghostwriter" and targeted "numerous members of parliament, government officials, politicians, members of the press and civil society in the EU" according to a press release issued by the European Council. The hackers used phishing emails in order to obtain credentials, access their systems and steal information.   

Advance Persistent Threat (APT) Groups  

In this scenario, protecting user credentials is becoming increasingly important. A few weeks ago, we pointed out that passwords from companies that have been leaked to the dark web had shot up by 429% since last March.  

But beyond these massive leaks in which malicious cyber actors put large amounts of data up for sale, cases like Ghostwriter show that state-linked and highly targeted APT groups also pose a serious risk to the security of an organization’s credentials.  

These hackers have the resources to investigate their potential victims and their work environments individually. After performing this preliminary research, they use social engineering methods such as spear phishing, where they manage to confuse their targets by simulating the identity of other colleagues, the IT team or even their superiors (in so-called "CEO fraud"). By using this method, they can fool them to obtain their credentials, even if the users are versed in cybersecurity practices. 

As such sophisticated threats are coming from abroad, this raises the question of how organizations and states can protect themselves to thwart breaches and cyberattacks from specific geographies? One of the answers to this question is multi-factor authentication with geolocation.   

MFA with geofence risk policies 

Politicians, officials and other relevant persons affected in the Ghostwriter campaign could have avoided the incident if their organizations had deployed cybersecurity tools that provided specific geofencing measures against access attempts from Russia, given their track record.  

But these geofencing measures must be combined with advanced multi-factor authentication (MFA) solutions that offer risk-based authentication capabilities to ensure that whoever enters the credentials to log in to the system is a legitimate user or employee.  

In this regard, WatchGuard AuthPoint provides an advanced security layer using risk-based authentication to determine factors when performing an authentication decision. For example, administrators can enable geofence risk policies (very easily via WatchGuard Cloud) to ensure that access only occurs in authorized geographies, even if it comes from seemingly legitimate devices.  

The good thing about risk-based authentication is that it takes risk factors into account when performing an authentication decision. It goes beyond a static authentication, allowing administrators to create rules that can modify the authentication behavior, sometimes making it easier if the risk is low; or asking for additional steps to ensure this is the right user, and blocking the access if the risk is too high, even if the user provided a correct one-time password (OTP).  

Adding value if you are a managed service provider (MSP) 

WatchGuard partners can offer their customers increased security in their authentication processes through push notifications that include geolocation. This allows both administrators and users to know in detail where the request came from. This greatly reduces the likelihood of foreign APT groups gaining access to their systems, even if they have previously managed to obtain credentials.  Watch this video lo learn more about AuthPoint Geofence Policy.