2FA/MFA not living up to the hype?

This post might ruffle some feathers, and full disclaimer right off the bat: 2FA/MFA is good, and should be used; it's better than not using it. I am starting to see an alarming trend across the internet, forums, security folks, MSPs all chanting in unison, 2FA! 2FA! Framing it as the final answer to all your security woes, and almost like it will single-handedly stop breaches in their tracks. Nothing could be further from the truth, and in fact I believe it is giving companies and their users a false sense of security.

My take might be unorthodox, but bear with me as I try to paint the "bigger picture" and why many people are not giving the root cause, and still the largest attack vector, the due diligence it needs. Email phishing and Business Email Compromise is how it all starts, almost every time. You see, if a threat actor can make it through your filters, and get a user to click on a link, they have you. As we have seen with EvilProxy and other MitM attacks, they can intercept and harvest the auth tokens and other data they need to successfully get around the mighty 2FA. Make no mistake, they are using this technique more and more, and with precision like I have never seen before. So what's the answer? Well, it's more than I can fit in this simple post, but I think cyber folks and MSPs need to switch their focus to the email filtering solution and the human element, plain and simple.

Just earlier today, a governmental customer of ours got bombarded with a very crafty phishing email sent out from a Barracuda cloud-protected 365 user account that was compromised. To make a long story short, it went far and wide, involving many local, state and federal government entities, even ones with 3 letters in their names. The email filters they were using not only didn't block the phishing email, but many clicked on it, which caused much pain for many of these organizations today.

If a user cannot click the link that redirects them to a threat actor's crafty trap (i.e. an EvilProxy server), ultimately bypassing 2FA, because it is blocked, you're already ahead. When user education gives lackluster results, and 2FA can be defeated, one realizes just how critically important this part of your security stack is. I argue the MOST important, hands down, from everything I am seeing lately.

The second part of this is user education, which is also a difficult nut to crack. The human element will always be the weakest link. Don't take shortcuts with email filtering, something you CAN control.
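As an added example (not from the original post), here is one detection a defender can run once the filter has already failed: the reverse-proxy bypass described above ends with a harvested session token being replayed from the attacker's infrastructure, which shows up in sign-in telemetry as a session used from an address other than the one that completed MFA. The log format and sample lines are constructed for this example.

```python
"""Added example: flag post-MFA sessions that are reused from a different IP
shortly after the MFA completion, the footprint of a replayed session token.
The line format and every event below are constructed, not a real product's log."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <user> <session_id> <src_ip> <event>"
SAMPLE_LOG = [
    "2024-05-01T09:00:05Z alice sess-1 203.0.113.10 mfa_success",
    "2024-05-01T09:00:40Z alice sess-1 198.51.100.77 session_use",
    "2024-05-01T09:01:10Z alice sess-1 198.51.100.77 session_use",
    "2024-05-01T09:05:00Z bob sess-2 203.0.113.22 mfa_success",
    "2024-05-01T09:06:00Z bob sess-2 203.0.113.22 session_use",
]

@dataclass
class Event:
    ts: datetime
    user: str
    session: str
    ip: str
    kind: str

def parse(line: str) -> Event:
    """Split one constructed log line into an Event (hypothetical format)."""
    ts, user, session, ip, kind = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, session, ip, kind)

def find_replayed_sessions(lines, window=timedelta(minutes=10)):
    """Return (user, session, mfa_ip, reuse_ip) for every session whose token
    is used from an IP other than the one that completed MFA, within `window`
    of the MFA event. A proxy kit that relayed the login holds the fresh token,
    so the first post-MFA use from another address is the event to alert on.
    One alert per session; uses seen before the MFA event are ignored."""
    mfa_origin = {}  # session -> (timestamp, ip) of the MFA completion
    alerts = []
    for ev in sorted((parse(l) for l in lines), key=lambda e: e.ts):
        if ev.kind == "mfa_success":
            mfa_origin[ev.session] = (ev.ts, ev.ip)
        elif ev.kind == "session_use" and ev.session in mfa_origin:
            mfa_ts, mfa_ip = mfa_origin[ev.session]
            if ev.ip != mfa_ip and ev.ts - mfa_ts <= window:
                alerts.append((ev.user, ev.session, mfa_ip, ev.ip))
                del mfa_origin[ev.session]  # report each session once
    return alerts

if __name__ == "__main__":
    for user, session, mfa_ip, reuse_ip in find_replayed_sessions(SAMPLE_LOG):
        print(f"ALERT {user}: {session} completed MFA from {mfa_ip}, reused from {reuse_ip}")
```

Pairing the IP check with device or ASN context cuts false positives from users who legitimately change networks, but the reuse window after MFA is the part worth keeping tight.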