
How to detect MFA spamming with Falco

Blog post from Sysdig

Post Details
Author: Crystal Morin
Word Count: 1,107
Language: English
Summary

Falco has expanded its capabilities to detect multi-factor authentication (MFA) spamming, a technique used by groups like Lapsus$ to gain unauthorized access to systems by overwhelming users with repeated login requests. This method, also known as MFA fatigue, was employed in the high-profile Uber cybersecurity incident, which emphasizes the importance of vigilance against social engineering attacks. Falco, widely recognized for its runtime security in Linux and Kubernetes environments, has developed an Okta plugin to monitor and alert on unusual MFA activity, such as excessive denies or failures in Okta logs. By generating alerts when suspicious patterns occur, the plugin helps organizations take preventive measures and strengthens their defenses against credential-based attacks. The incident shows that even companies with robust security protocols, such as Uber, remain exposed to social engineering attacks, and that security practices need continuous improvement, including proper management of access credentials and anomaly detection.