Beyond the Login: What CISA's Latest Recommendations Mean

The Cybersecurity and Infrastructure Security Agency (CISA) recently issued an urgent advisory urging U.S. organizations to harden their endpoint management systems. The guidance came in response to the Stryker attack, claimed by Handala, an Iranian-linked hacktivist group, which wiped thousands of corporate devices without a single piece of malware. The attacker had valid credentials, a live admin session, and access to tools the organization already trusted. That was enough.

This is the new shape of cyber attacks. And it exposes a hard truth the industry has been slow to confront: we’ve spent years securing the front door while leaving the rest of the house wide open.

1. The MFA Gap: Guarding the Login Isn’t Enough

The security industry has done a good job evangelizing multi-factor authentication (MFA). But not all MFA is equal, and attackers know it.

Standard push-based MFA can be bypassed in two well-documented ways.

  • Session hijacking: once an attacker steals an active session cookie, MFA is no longer in the picture because they’re already authenticated.
  • MFA fatigue: flood an admin with enough approval prompts and eventually they’ll tap “approve” just to make it stop.

Phishing-resistant MFA like passkeys closes these gaps. A passkey is hardware-bound, tied to a specific physical device. An attacker can’t phish it remotely or approve it on someone else’s behalf. CISA’s advisory specifically calls out phishing-resistant MFA as a priority, and the industry is moving in this direction. The question is how fast.

How Iru approaches this: Iru Identity is fully passwordless. We’ve also moved Iru logins for all customers, whether or not they use Iru Identity, to passkeys. This protects against both session hijacking and MFA fatigue by design.

2. The Session Is the New Password

Even with strong authentication at login, there’s a second vulnerability most security architectures ignore: what happens after the user is in.

Modern attacks increasingly follow a Living off the Land (LOTL) pattern, in which the cybercriminal uses the native, legitimate tools already present in the victim’s environment to sustain and advance the attack. No malware, no suspicious files, no antivirus alerts. Just a legitimate admin account using legitimate tools to do legitimate-looking things. When the attack surface is a real admin session, traditional endpoint security is blind to it.

This is why identity verification can’t stop at the login page. High-risk actions like bulk changes, configuration modifications, and anything irreversible need their own identity checkpoint. The authentication model needs to move from the front door to the command level.

How Iru approaches this: Iru enforces strict session controls across all team member roles. Sessions expire after 24 hours regardless of activity, and any team member inactive for 60 minutes is automatically logged out. This limits the window in which a stolen session can be exploited and leaves no room for a bad actor to quietly persist in an account.
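To make the two ideas in this section concrete, here is an added example (not Iru's code) of how a server can enforce a hard 24-hour session lifetime and a 60-minute idle timeout, and then require a fresh passkey assertion before a high-risk command runs inside an otherwise valid session. The 24-hour and 60-minute values come from the text above; the five-minute step-up window, the command names and the session data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy values stated in the post: hard 24-hour lifetime, 60-minute idle timeout.
ABSOLUTE_LIFETIME = timedelta(hours=24)
IDLE_TIMEOUT = timedelta(minutes=60)

# Assumed for this example (not from the post): how recent the session's last
# passkey assertion must be before a high-risk command is allowed to run.
STEP_UP_MAX_AGE = timedelta(minutes=5)

# Constructed set of commands treated as high-risk or irreversible.
HIGH_RISK_COMMANDS = {"wipe_device", "bulk_delete", "change_sso_config"}


@dataclass
class Session:
    user: str
    issued_at: datetime         # when the session was created
    last_seen: datetime         # last request that used this session
    last_strong_auth: datetime  # most recent passkey assertion in this session


def session_state(s: Session, now: datetime) -> str:
    """Classify a session as 'expired', 'idle' or 'active' at time `now`."""
    if now - s.issued_at >= ABSOLUTE_LIFETIME:
        # Hard cap: activity never extends a session past 24 hours.
        return "expired"
    if now - s.last_seen >= IDLE_TIMEOUT:
        # Inactive for an hour: the admin is logged out automatically.
        return "idle"
    return "active"


def authorize_command(s: Session, command: str, now: datetime) -> str:
    """Decide whether `command` may run under session `s`.

    Returns 'allow', 'deny:<state>' for a dead session, or 'step_up' when the
    command is high-risk and the last passkey assertion is too old. A replayed
    session cookie alone can never satisfy 'step_up': the assertion has to come
    from the enrolled authenticator, which is the command-level checkpoint.
    """
    state = session_state(s, now)
    if state != "active":
        return f"deny:{state}"
    if command in HIGH_RISK_COMMANDS and now - s.last_strong_auth > STEP_UP_MAX_AGE:
        return "step_up"
    return "allow"


def touch(s: Session, now: datetime) -> Session:
    """Record activity on the session; issued_at is deliberately left unchanged."""
    return Session(s.user, s.issued_at, now, s.last_strong_auth)


def session_demo() -> dict:
    """Run constructed scenarios and return the decision for each."""
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    s = touch(Session("admin@example.test", t0, t0, t0), t0 + timedelta(minutes=10))
    return {
        # routine read in a live session
        "routine_read": authorize_command(s, "list_devices", t0 + timedelta(minutes=20)),
        # wipe 20 minutes after the last passkey assertion: needs step-up
        "wipe_needs_step_up": authorize_command(s, "wipe_device", t0 + timedelta(minutes=20)),
        # 61 minutes since last activity: idle logout
        "idle_logout": authorize_command(s, "list_devices", t0 + timedelta(minutes=71)),
        # active until the last minute, but 24 hours since issue: hard expiry
        "hard_expiry": authorize_command(
            touch(s, t0 + timedelta(hours=23, minutes=59)),
            "list_devices", t0 + timedelta(hours=24)),
        # passkey re-asserted 2 minutes ago: wipe proceeds
        "fresh_passkey": authorize_command(
            Session(s.user, s.issued_at, s.last_seen, t0 + timedelta(minutes=18)),
            "wipe_device", t0 + timedelta(minutes=20)),
    }


if __name__ == "__main__":
    for scenario, decision in session_demo().items():
        print(f"{scenario:20s} -> {decision}")
```

The design point is the separation of the two clocks: `issued_at` is never refreshed, so a hijacked session cannot be kept alive indefinitely by traffic, while `last_strong_auth` gates the irreversible commands independently of how fresh the cookie is.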

3. Least Privilege: Shrinking the Blast Radius

Even a fully authenticated, fully trusted admin session can become a catastrophic liability if that admin has more access than they need.

The principle of least privilege is straightforward: every role should carry only the minimum permissions required to do its job. An admin responsible for routine device management probably shouldn’t have the ability to wipe tens of thousands of devices in the first place. Scoping roles tightly means that if any one account is compromised, the damage is contained to what that role can actually do.

CISA specifically recommends using role-based access control (RBAC) to enforce this in endpoint management systems. It’s a foundational control that is frequently under-configured in practice.

How Iru approaches this: Iru makes it straightforward to scope access precisely to role, location, department, or any other attribute. Access is enforced automatically as attributes change, so permissions stay accurate without manual upkeep.
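An added example (not Iru's or CISA's code) of the least-privilege model described above, combined with the multi-admin approval layer discussed later in the post: roles carry an explicit permission set and an attribute scope, and a wipe touching more than a threshold of devices needs a second, distinct admin to approve. The role names, the 50-device threshold, the single-approver requirement and the device inventory are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    permissions: frozenset  # e.g. frozenset({"device:read", "device:wipe"})
    scope: dict             # attribute filter such as {"location": "Austin"}; {} = unrestricted


@dataclass
class Device:
    device_id: str
    location: str
    department: str


@dataclass
class WipeRequest:
    requester: str
    devices: list
    approvers: set = field(default_factory=set)


# Assumed thresholds (not from the post): wiping more than BULK_THRESHOLD
# devices is a bulk action and needs REQUIRED_APPROVERS other admins to agree.
BULK_THRESHOLD = 50
REQUIRED_APPROVERS = 1


def in_scope(role: Role, device: Device) -> bool:
    """A device is in scope when every attribute in the role's filter matches it."""
    return all(getattr(device, attr) == value for attr, value in role.scope.items())


def authorize_wipe(role: Role, req: WipeRequest) -> str:
    """Return 'allow', 'pending:approval' or 'deny:<reason>' for a wipe request."""
    if "device:wipe" not in role.permissions:
        # Routine device-management roles simply do not carry the wipe permission.
        return "deny:no_permission"
    out_of_scope = [d.device_id for d in req.devices if not in_scope(role, d)]
    if out_of_scope:
        # A compromised regional admin cannot reach devices outside its scope.
        return f"deny:out_of_scope:{len(out_of_scope)}"
    if len(req.devices) > BULK_THRESHOLD:
        # Self-approval does not count; a single compromised account cannot
        # satisfy the quorum on its own.
        distinct = req.approvers - {req.requester}
        if len(distinct) < REQUIRED_APPROVERS:
            return "pending:approval"
    return "allow"


def rbac_demo() -> dict:
    """Run constructed scenarios and return the decision for each."""
    helpdesk = Role("helpdesk", frozenset({"device:read", "device:lock"}), {"location": "Austin"})
    austin_admin = Role("austin-admin", frozenset({"device:read", "device:wipe"}), {"location": "Austin"})
    austin = [Device(f"dev-{i:04d}", "Austin", "Sales") for i in range(60)]   # constructed
    berlin = [Device("dev-9001", "Berlin", "Engineering")]                     # constructed
    a, b, h = "a@example.test", "b@example.test", "h@example.test"
    return {
        "helpdesk_cannot_wipe": authorize_wipe(helpdesk, WipeRequest(h, austin[:1])),
        "scope_enforced": authorize_wipe(austin_admin, WipeRequest(a, berlin)),
        "small_wipe": authorize_wipe(austin_admin, WipeRequest(a, austin[:3])),
        "bulk_needs_approval": authorize_wipe(austin_admin, WipeRequest(a, austin)),
        "self_approval_rejected": authorize_wipe(austin_admin, WipeRequest(a, austin, {a})),
        "bulk_approved": authorize_wipe(austin_admin, WipeRequest(a, austin, {b})),
    }


if __name__ == "__main__":
    for scenario, decision in rbac_demo().items():
        print(f"{scenario:24s} -> {decision}")
```

Because scope is evaluated against device attributes at request time, moving a device to a different location changes who can act on it without anyone editing the role, which is the "permissions stay accurate as attributes change" property the text describes.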

4. Verifying Where Actions Come From With Device Trust

Credentials can be stolen. Sessions can be hijacked. But a trusted device is much harder to fake.

Device trust means evaluating not just who is taking an action, but what device they’re taking it from. At its core, it asks: is this a known, enrolled device? Is it running an up-to-date OS with required security configurations? Is it connecting from a location and network that make sense? Is there anything about its current state that suggests it’s been compromised?

Device trust needs to be continuous rather than a one-time check. Every login is an opportunity to verify that nothing has changed since the last time that device was seen.

How Iru approaches this: Iru helps with device trust whether you use Iru Identity, Okta, or Intune. Iru Identity checks device posture in real time at every login.
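As an added example (not Iru's posture engine, whose checks the post does not detail), here is a per-login device-trust evaluation that answers the four questions posed above: is the device enrolled, is its OS and configuration current, does its location make sense given what was seen last time, and does anything suggest tampering. Hard failures deny outright; softer drift forces a step-up rather than silently allowing the login. The enrolled-device list, the minimum OS version and the signal names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory of enrolled device identifiers.
ENROLLED_DEVICES = {"mac-0001", "mac-0002"}

# Assumed minimum OS version for this example (not from the post).
MIN_OS_VERSION = (14, 4, 0)


@dataclass
class PostureReport:
    device_id: str
    os_version: tuple                 # e.g. (14, 5, 0), compared lexicographically
    disk_encrypted: bool
    firewall_enabled: bool
    management_profile_present: bool  # enrollment still intact on the device
    integrity_ok: bool                # constructed: platform integrity checks pass
    country: str


def evaluate_posture(report: PostureReport, last_country: Optional[str] = None) -> tuple:
    """Return (decision, reasons) where decision is 'allow', 'step_up' or 'deny'.

    Hard failures mean the device cannot be trusted at all; soft failures mean
    something changed since the device was last seen and a stronger check is due.
    `last_country` is the country recorded at the previous login, which is what
    makes the check continuous rather than a one-time enrollment decision.
    """
    hard, soft = [], []
    if report.device_id not in ENROLLED_DEVICES:
        hard.append("not_enrolled")
    if not report.management_profile_present:
        hard.append("management_profile_removed")
    if not report.integrity_ok:
        hard.append("integrity_check_failed")
    if report.os_version < MIN_OS_VERSION:
        soft.append("os_below_minimum")
    if not report.disk_encrypted:
        soft.append("disk_not_encrypted")
    if not report.firewall_enabled:
        soft.append("firewall_disabled")
    if last_country is not None and report.country != last_country:
        soft.append("location_changed")
    if hard:
        return ("deny", hard + soft)
    if soft:
        return ("step_up", soft)
    return ("allow", [])


def posture_demo() -> dict:
    """Run constructed posture reports through the evaluator."""
    healthy = PostureReport("mac-0001", (14, 5, 0), True, True, True, True, "US")
    outdated = PostureReport("mac-0002", (14, 3, 1), True, True, True, True, "US")
    unknown = PostureReport("mac-7777", (14, 5, 0), True, True, True, True, "US")
    tampered = PostureReport("mac-0001", (14, 5, 0), True, True, False, True, "US")
    return {
        "healthy": evaluate_posture(healthy, last_country="US"),
        "outdated_os": evaluate_posture(outdated, last_country="US"),
        "unknown_device": evaluate_posture(unknown),
        "profile_removed": evaluate_posture(tampered, last_country="US"),
        "new_country": evaluate_posture(healthy, last_country="DE"),
    }


if __name__ == "__main__":
    for scenario, (decision, reasons) in posture_demo().items():
        print(f"{scenario:16s} -> {decision} {reasons}")
```

Returning the reasons alongside the decision matters operationally: a denied login with `management_profile_removed` is a signal for the security team to investigate, not just a failed authentication to log.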

Thinking Like a Threat Actor

CISA’s guidance is a useful checklist. But the deeper shift it points to is a change in mindset: security teams need to think the way attackers do.

Attackers look for the most trusted path in. They target the tools organizations rely on every day because those tools carry implicit trust. Compromise the tool, and the organization’s own infrastructure becomes the weapon.

Defending against that requires a layered approach:

  • Phishing-resistant authentication at the login level
  • Device trust to ensure actions are coming from known, verified endpoints
  • Command-level verification for high-risk or irreversible actions
  • Multi-admin approval so no single compromised account can cause catastrophic damage alone

No single control stops a determined attacker. But layered identity security, designed with the attacker’s playbook in mind, makes the path to catastrophic impact dramatically harder to walk.

Iru is built around the principle that identity security has to extend beyond the login. If you’re thinking about how to apply these layers in your own environment, we’d love to talk.

By Satyam Patel, 4 min read