StrongDM Policy Playbook:
Require MFA for Production SSH Servers
This policy requires MFA when connecting to production Linux servers via SSH.
Why Does It Matter?
A common technique during a data breach is to use stolen credentials, including SSH keys, to find areas where an attacker can elevate their privileges. Attackers do this to gain access to compute resources, which they can then use to establish a command and control (C2) channel, carry out malicious actions such as lateral movement, or deploy malware or backdoors.
What Exactly Does This Policy Do?
This policy helps contain attacks and persistent threats by enforcing an MFA prompt for privileged users before they are allowed to connect to production Linux servers. Because users must prove their identity, the requirement helps prevent unauthorized access and reduces the risk of compromise from stolen credentials.