MFA verifies who logged in. It has no idea what they do next.
In today’s ever-evolving landscape of cybersecurity threats, it’s no longer enough to rely solely on traditional methods of authentication. Multi-factor authentication (MFA) has become a standard security measure for many enterprises, providing an additional layer of protection to verify the identity of users. However, as recent incidents have shown, simply passing an MFA check does not guarantee complete security.
Imagine a scenario where every MFA check is passed, every login is deemed legitimate, and the compliance dashboard shows green across all identity controls. Yet, unbeknownst to the system, an attacker has managed to infiltrate the network and is moving laterally through Active Directory with a valid session token. This breach occurs not because MFA failed, but because it succeeded in authenticating the user at the front door and then went blind to subsequent activities.
This gap in security was identified by Alex Philips, the CIO at NOV, during operational testing. He discovered that the inability to revoke session tokens at the resource level was a critical vulnerability. Resetting passwords was no longer sufficient; instant revocation of session tokens was necessary to prevent lateral movement by attackers. This architectural blind spot exists in many enterprise identity stacks, allowing session tokens to act as bearer credentials whose full permissions are inherited by whoever holds them.
The shift in tactics by attackers has led to a decline in malware deployment, as stolen credentials and social engineering have proven to be more effective means of gaining access. With the rise of AI-generated deepfakes and sophisticated phishing techniques, the credential supply chain now operates at an industrial scale, making it imperative for organizations to reevaluate their security strategies.
The disconnect between Identity and Access Management (IAM) and Security Operations (SecOps) has created a gap where post-authentication sessions go unnoticed. As threats continue to evolve, it is essential for enterprises to adopt a more holistic approach to security that encompasses token lifecycle management, session governance, and cross-domain identity correlation.
NOV took proactive steps to address these gaps by implementing rapid token revocation, enforcing conditional access, and leveraging AI for log analysis. By shortening token lifetimes, implementing separation of duties, and establishing out-of-band incident verification protocols, NOV was able to significantly enhance its security posture.
To close the security gap, organizations are advised to prioritize several key actions, including shortening token lifetimes, running session revocation drills, mapping cross-domain telemetry, extending conditional access enforcement, and replacing vulnerable authentication methods with more secure alternatives such as FIDO2 and passkey-based authentication.
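To make the bearer-token point concrete, here is an added example (not NOV's code or anything from the article) of a minimal session token validator: a password reset does nothing to an already-issued token, while a per-user revocation timestamp and a short maximum lifetime, the two controls recommended above, do. The signing key, the in-memory store and the clock values passed in as `now` are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment keeps this in an HSM or secret store.
SIGNING_KEY = b"constructed-demo-signing-key"


class SessionStore:
    """Issues HMAC-signed bearer tokens and enforces lifetime and revocation."""

    def __init__(self, max_lifetime_s):
        self.max_lifetime_s = max_lifetime_s
        self.revoked_at = {}   # user -> time of the last "revoke all sessions"
        self.passwords = {}    # user -> password hash; never consulted by validate()

    def _sign(self, payload_b64):
        return hmac.new(SIGNING_KEY, payload_b64.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, now):
        # Bearer token: whoever presents it gets the subject's permissions.
        payload = json.dumps({"sub": user, "iat": now}).encode()
        payload_b64 = base64.urlsafe_b64encode(payload).decode()
        return payload_b64 + "." + self._sign(payload_b64)

    def reset_password(self, user, new_password):
        # Changing the password touches nothing the resource server checks.
        self.passwords[user] = hashlib.sha256(new_password.encode()).hexdigest()

    def revoke_sessions(self, user, now):
        # Every token issued at or before this instant is dead for this user.
        self.revoked_at[user] = now

    def validate(self, token, now):
        payload_b64, _, sig = token.partition(".")
        if not hmac.compare_digest(sig, self._sign(payload_b64)):
            return False, "bad_signature"
        claims = json.loads(base64.urlsafe_b64decode(payload_b64))
        if now - claims["iat"] > self.max_lifetime_s:
            return False, "expired"        # short lifetime bounds the exposure window
        if claims["iat"] <= self.revoked_at.get(claims["sub"], -1):
            return False, "revoked"        # resource-level revocation, no re-login needed
        return True, "ok"
```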
Ultimately, the responsibility falls on CISOs and security teams to proactively identify and address security gaps before attackers exploit them. By taking a proactive approach to identity security and investing in robust token lifecycle management, organizations can mitigate the risk of unauthorized access and data breaches.