Defense evasion

[jacques-]

@jukelennings - what are you thinking is the definition of Defense Evasion for this? I was reading "MFA fatigue" technique, and now I'm wondering if an MFA bypass technique is defense evasion, or if it needs to be specifically attack detection evasion?

On that note, around MFA fatigue, I've seen it called "MFA bombing" as well, that sounds a bit more like an attack. Do you think "MFA Fatigue" is more recognizable?

[jukelennings]

The original MITRE definition is more around avoiding detection e.g. obfuscation type techniques, so I figured this fit more as an actual exploitation method.

I did see MFA bombing too and quite like the name! However, I also saw references of "MFA fatigue, also known as MFA bombing" and so I took it as being MFA fatigue being the most well known.

It's a good point though on attacks. MFA bombing sounds like an attack, MFA fatigue perhaps needs the word "attack" added after to make it more clear. So maybe that's an argument for changing to MFA bombing anyway?

[mmoran0032]

Yeah, defense evasion is a weird one, since the utilization of a SaaS app is in and of itself a defense evasion technique for existing XDR systems. Within ATT&CK, the token/cookie/session theft or impersonation is probably the most similar here.

If I log into a SaaS app through my browser, could that be hijacked? Since the creation of the session itself went through security controls, unless those are checked and vetted again, my usage of that session token would avoid scrutiny, thus defense evasion.

I think where you have MFA fatigue now makes sense. That is one way to open the door, once you already have the key, and would be subject to access controls based on the adversary's device characteristics.

So, I think it comes down to "what type of MFA bypass?"

• Session token theft: defense evasion
• Finding weak access controls that use a weaker/non-existant MFA method: discovery
• MFA fatigue: initial access
• MFA spray: initial access

IMHO, I dislike that "bypass" has been used to incorporate techniques that use MFA. It just doesn't match up in my head. It's too broad of a category to really mean much at this point.

[jukelennings]

Thanks for the input! Yeah, that definitely makes sense to me. I feel like MFA fatigue would be analogous to password guessing and catching a weak password, which is definitely initial access. It's also definitely not a stealthy method since you're spamming auth, which distances it from defense evasion in my eyes too.