Triggers

  • An account was observed disabling Multi-Factor Authentication (MFA) for another account.
  • The threat score is statically assigned.
  • The certainty score is statically assigned.

Possible Root Causes

  • An attacker is disabling MFA on an account to bypass this security control as a means of maintaining or acquiring additional access to the environment.
  • Administrators may disable MFA for accounts used by automated processes or to temporarily enable users to access an environment after losing their second factor device.

Business Impact

  • MFA is a critical security control that, if bypassed, may indicate an active threat in the environment or increase the risk of the account becoming compromised in the future.
  • Compromised accounts provide attackers with access to critical systems and data, which may be stolen, modified, or deleted.

Steps to Verify

  • Review the account and internal policy to determine if MFA should be enabled for this account.
  • Verify the action of disabling MFA on this account was intentional and followed internal security policies and change control processes.
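
The two verification steps above, written as a triage script. This is an added example, not the detection's own logic. The event schema, the MFA-exempt list, the change records and all account names are assumptions, and the sample events are constructed.

```python
from datetime import datetime

# Assumed policy inputs (hypothetical names): accounts permitted to run
# without MFA, and approved change records authorising an MFA change.
MFA_EXEMPT = {"svc-backup@example.com"}
APPROVED_CHANGES = [
    {"target": "alice@example.com", "assignee": "helpdesk@example.com",
     "start": "2024-05-01T09:00:00", "end": "2024-05-01T17:00:00"},
]

# Constructed audit events in a generic schema, not a vendor log format.
EVENTS = [
    {"time": "2024-05-01T10:12:00", "actor": "helpdesk@example.com",
     "target": "alice@example.com", "action": "mfa_disabled"},
    {"time": "2024-05-02T08:00:00", "actor": "ops-admin@example.com",
     "target": "svc-backup@example.com", "action": "mfa_disabled"},
    {"time": "2024-05-03T02:40:00", "actor": "bob@example.com",
     "target": "carol@example.com", "action": "mfa_disabled"},
    {"time": "2024-05-01T11:30:00", "actor": "bob@example.com",
     "target": "alice@example.com", "action": "mfa_disabled"},
]


def in_window(ts, change):
    """True if the event time falls inside the approved change window."""
    t = datetime.fromisoformat(ts)
    start = datetime.fromisoformat(change["start"])
    end = datetime.fromisoformat(change["end"])
    return start <= t <= end


def triage(event):
    """Return (verdict, reason) for one audit event."""
    if event["action"] != "mfa_disabled" or event["actor"] == event["target"]:
        return ("ignore", "not an MFA disable performed on another account")
    # Step 1: does policy require MFA for the target account at all?
    if event["target"] in MFA_EXEMPT:
        return ("expected", "target is MFA-exempt under policy")
    # Step 2: was the change intentional and covered by change control?
    for change in APPROVED_CHANGES:
        if change["target"] == event["target"] and in_window(event["time"], change):
            if change["assignee"] == event["actor"]:
                return ("expected", "matches an approved change record")
            return ("investigate", "approved change, but a different actor made it")
    return ("investigate", "no exemption or approved change covers this event")


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["actor"], "->", ev["target"], triage(ev))
```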