MFA verifies who logged in. It has no idea what they do next.

Published: May 21, 2026 at 12:30 PM EDT
8 min read

Source: VentureBeat

Introduction

Every MFA check passed. Every login was legitimate. The compliance dashboard was green across every identity control. And the attacker was already inside, moving laterally through Active Directory with a valid session token, escalating privileges on a trajectory toward the domain controller.

This is the scenario playing out inside enterprises that invested heavily in authentication and assumed the job was done. The credential was real. The multi‑factor challenge was answered correctly. The system performed exactly as designed. It authenticated the user at the front door and never looked again. The breach didn’t bypass MFA—it started after MFA succeeded.

Authentication Limitation

Authentication proves identity at a single point in time. Then it goes blind. Everything that follows—the lateral movement, the privilege escalation, the quiet exfiltration through Active Directory—falls outside what MFA was ever designed to see.

CIO Insight

Alex Philips, CIO at NOV, identified the gap through operational testing:
“We found a gap in our ability to revoke legitimate identity session tokens at the resource level. Resetting a password isn’t enough anymore. You have to revoke session tokens instantly to stop lateral movement.” – VentureBeat

What Philips found wasn’t a misconfiguration. It was an architectural blind spot that exists in nearly every enterprise identity stack. Once a user authenticates successfully, the resulting session token carries that trust forward without reassessment. The token becomes a bearer credential—whoever holds it, attacker or employee, inherits every permission associated with the session.

NOV’s investigation confirmed that identity session token theft is the vector behind the most advanced attacks they track, driving the team to:

  • Tighten identity policies
  • Enforce conditional access
  • Build rapid token revocation from the ground up

Threat Landscape Stats

  • Average e‑crime breakout time dropped to 29 minutes in 2025; the fastest recorded breakout was 27 seconds (CrowdStrike 2026 Global Threat Report).
  • In 82 % of detections across 2025, no malware was deployed at all. Attackers don’t need exploits when they have session tokens.

Malware‑Free Attacks

“Adversaries have figured out that one of the fastest ways to gain access to an environment is to steal legitimate credentials or to use social engineering,”
Adam Meyers, Senior Vice President of Counter Adversary Operations at CrowdStrike – VentureBeat

  • Stolen credentials trigger no alerts, match no signatures, and inherit whatever access the real user had.

AI‑Driven Social Engineering

Metric: growth (source)

  • Vishing attacks (first vs. second half of 2024): +442 % (CrowdStrike 2025 Global Threat Report)
  • Deepfake fraud attempts (2024): +1,300 % (Pindrop 2025 Voice Intelligence & Security Report)
  • Face‑swap attacks (2023): +704 % (Pindrop 2025 Voice Intelligence & Security Report)
  • AI‑generated phishing click‑through rate (2024): 54 %, vs. 12 % for generic bulk phishing (CrowdStrike 2025 Global Threat Report)

The threat isn’t that AI makes one attacker more dangerous; it’s that AI gives every attacker expert‑level social engineering at near‑zero marginal cost. The credential supply chain now operates at industrial scale.

IAM vs. SecOps Gap

By 2026, 30 % of enterprises will no longer consider face‑based identity verification and biometric authentication solutions reliable in isolation due to AI‑generated deepfakes (Gartner 2024).

“Anything that seems to have a cybersecurity flavor is generally put into the cybersecurity risk category, which is a complete fiction. They should be focused on business risks, because if it doesn’t affect the business, like a financial loss, then nobody’s going to pay attention to it, and they will not budget it appropriately, nor will they adequately put in controls to prevent it.”
Kayne McGladrey, IEEE Senior Member – VentureBeat

That logic explains why session governance, token lifecycle management, and cross‑domain identity correlation fall into a gap between IAM and SecOps. Nobody owns it because nobody has framed it as a business loss.

“You may only see pieces of the intrusion on the identity side, on the cloud side, and on the endpoint side. You need cross‑domain visibility because the best‑case scenario gives you about 29 minutes to stop these intrusions.” – Meyers, VentureBeat

Field CISO Perspective

“I don’t know you until I validate you. Until I know what it is and I know who is on the other side of the keyboard, I’m not going to communicate with it until they give me the ability to understand who it is.” – Mike Riemer, Ivanti Field CISO – VentureBeat

That question applies directly to post‑authentication sessions. If attackers use AI to fabricate the identity that clears MFA, defenders need AI watching what that identity does afterward. Riemer’s broader point is that placing the security perimeter at a single login event invites every attacker who clears that gate to have the run of the house.

Closing: NOV’s Response

NOV closed the gap. Most enterprises haven’t started.

“It gives us a forced security policy enforcement gateway. Users and attackers on a flat network can use stolen identity session tokens, but with zero‑trust gateways it forces conditional access and revalidation of trust.” – NOV statement (truncated)

All quotes and statistics are attributed to the original sources as cited in the text.

Philips on Identity Security

“We drastically reduced who can perform password or multi‑factor resets. No one person should be able to bypass these controls.” – Philips, VentureBeat

“Since with AI advances you can’t trust voice or video or even writing styles, you must have either preshared secrets or be able to validate a question only you and them would know.” – Philips, VentureBeat

What NOV Did

  • Shortened token lifetimes and built conditional‑access policies that require multiple conditions.
  • Enforced separation of duties so no single person or service account can reset a password, bypass MFA, or override conditional access.
  • Deployed AI against SIEM logs to spot incidents in near‑real‑time.
  • Brought in a startup to create rapid token revocation for the most critical resources.
  • Flagged a trust‑chain vulnerability: deep‑fake voice or text can compromise phone‑call or Slack‑DM verification channels.

Eight Things to Get Done This Week

NOV proved these gaps are closable. Here’s what to prioritize first.

  1. Pull the token‑lifetime report for every privileged account, service account, and API key.

    • Shorten interactive‑session tokens to hours, not days.
    • Put service‑account credentials on a defined rotation schedule.
    • Eliminate API keys with no expiration date.
  2. Run a session‑revocation drill under fire (not a password reset).

    • Time the kill.
    • If your team can’t revoke a live compromised session in under five minutes, an attacker sprinting at 27 seconds will exploit that gap first.
    • NOV built this capability from scratch after failing the drill.
  3. Map cross‑domain telemetry end‑to‑end.

    • A single analyst should correlate an identity anomaly in the directory service with a cloud‑control‑plane login and an endpoint behavioral flag without switching consoles.
    • If the workflow requires four dashboards and a Slack thread, a 29‑minute breakout will beat you every time.
  4. Extend conditional‑access enforcement past the front door.

    • Every privilege escalation and every sensitive‑resource request should trigger re‑validation.
    • Example: an identity authenticates from Houston and surfaces from Bucharest 20 minutes later → fire automatic step‑up authentication or session termination.
  5. Replace SMS and push‑based MFA with phishing‑resistant FIDO2 and passkey‑based authentication wherever feasible.

    • Each push notification an attacker can fatigue‑bomb is a session they can steal.
    • This remains the cheapest upgrade that closes the widest gap.
  6. Audit separation of duties on identity workflows.

    • If one person or one service account can reset credentials, approve privileged access, and bypass MFA, you have a single point of failure.
    • NOV eliminated that configuration.
  7. Establish an out‑of‑band incident‑verification protocol with preshared secrets.

    • If your team still confirms compromised accounts over a phone call or Slack message, deep‑fake voice and text can compromise that channel too.
    • Build the protocol before you need it.
  8. Create a dedicated budget line for identity‑layer governance.

    • Session governance, token‑lifecycle management, continuous identity verification, and standards like CAEP and the Shared Signals Framework need a single owner with a single budget.
    • If that owner does not exist, attackers already own the gap.
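Item 4's Houston‑to‑Bucharest case, worked as detection logic over a constructed session log. This is an added example, not code from the article or from NOV; the city coordinates, the session events and the 1,000 km/h feasibility threshold are all assumptions, and it goes slightly beyond the text by grading each session into allow, step‑up or terminate instead of a single alert.

```python
import math
from datetime import datetime, timezone

# Constructed: approximate (lat, lon) that a geo-IP lookup might return per city.
CITY_COORDS = {
    "Houston": (29.76, -95.37),
    "Bucharest": (44.43, 26.10),
    "Dallas": (32.78, -96.80),
}

# Constructed session telemetry: (session_id, user, geo-IP city, UTC timestamp).
SESSION_EVENTS = [
    ("s-1001", "alice", "Houston",   "2026-05-21T14:00:00Z"),
    ("s-1001", "alice", "Bucharest", "2026-05-21T14:20:00Z"),  # 20 minutes later
    ("s-2002", "bob",   "Houston",   "2026-05-21T09:00:00Z"),
    ("s-2002", "bob",   "Dallas",    "2026-05-21T13:30:00Z"),  # feasible by road/air
]

MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling: roughly airliner speed; faster is infeasible
SEVERITY = {"allow": 0, "step_up": 1, "terminate": 2}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate_sessions(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return {session_id: action}, keeping the most severe action seen per session:
    'terminate' when the implied travel speed is infeasible, 'step_up' when the
    session surfaces from a new location that is still reachable, else 'allow'."""
    last_seen, actions = {}, {}
    for sid, _user, city, ts in sorted(events, key=lambda e: e[3]):
        now, action = parse_ts(ts), "allow"
        if sid in last_seen:
            prev_city, prev_ts = last_seen[sid]
            hours = (now - prev_ts).total_seconds() / 3600
            dist = haversine_km(CITY_COORDS[prev_city], CITY_COORDS[city])
            if dist > 0:
                speed = dist / hours if hours > 0 else float("inf")
                action = "terminate" if speed > max_kmh else "step_up"
        last_seen[sid] = (city, now)
        if SEVERITY[action] >= SEVERITY.get(actions.get(sid, "allow"), 0):
            actions[sid] = action
    return actions
```

Feeding real geo‑IP enriched sign‑in events through this yields a per‑session decision that a policy engine can act on with step‑up authentication or token revocation rather than a dashboard entry.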

The Takeaway

Philips’s team went from discovering they couldn’t kill a compromised session to standing up rapid token revocation under real‑attack conditions. They:

  • Shortened token lifetimes.
  • Eliminated single‑person credential resets.
  • Deployed AI‑driven log analysis.
  • Built a dedicated revocation capability for critical resources.

The transformation took months, not years.

“Resetting a password isn’t enough anymore. You have to revoke session tokens instantly to stop lateral movement.” – Philips

The gap NOV closed exists inside nearly every enterprise that treats authentication as the finish line instead of the starting gun. The question for every CISO is whether they’ll find that gap on their own terms, or whether an attacker moving at 27 seconds will find it for them.
