Hacker behind virtual login screen showing credential-based attacks

Credentials Are the Best Chance To Catch the Adversary

The media and company executives are enamored with chasing nation-state adversaries and combatting sophisticated attacks. That’s one reason organizations have been expected to invest $7 billion in security services by the end of this year alone.

Nation-state attacks do exist, just look at the headlines, yet most data breaches are due to something far more prosaic: compromised credentials. Crowdstrike’s latest Threat Hunting Report revealed that malware-free activity accounts for 71% of all attacks. This shows an increase in the use of valid credentials to establish access and maintain persistence during attacks without being caught.

External attackers can buy, steal or hoodwink employees or partners into giving up credentials. A favorite vector is phishing, used in nearly 20% of attacks. Attackers can use social engineering and send urgent requests via email, text or other channels to persuade credential owners to click on links. Adding insult to injury, multi-factor authentication (MFA) fatigue attacks flood a user’s authentication app with push notifications in the hope they will accept, forcing users to give up their access even with proper controls are in place.

From there, attackers can use individual credentials to access organization networks or leverage credential stuffing attacks to try usernames and passwords on new services, relying on the fact that staff often reuse this information.

Here’s the hard truth: There is no defense against legitimate credentials. Humans are careless in managing these important access tools which is why errors and omissions are two driving factors behind why the human element is involved in 82% of attacks.

Waking up to the threats of credential-based attacks

So, what can chief information security officers (CISOs) and their teams do, as credential-based attacks increase?

  1. You are already a target: Attackers will target a wide array of individuals and use different strategies to gain credentials. For example, as the president of Exabeam, I’m relentlessly targeted. Attackers even used my brother, a journalist, to unintentionally launch a phishing attack against me. That’s why CISOs and their teams should continue to educate staff about cyberrisks, including phishing attacks. Phishing emails can seem quite sophisticated, seemingly coming from internal services, trusted colleagues or even family members. Workers need to be on guard for attacks as much in their personal lives as in their work lives.
  2. Realize that adversaries are creative: It used to be that attackers would batter the networks of their targets. Now, they may use LinkedIn and social media to identify your employees’ personal email accounts, hack them, and look for other credentials. External actors may also identify unhappy employees posting negative reviews on Glassdoor and offer to buy their credentials. Or these actors may just boldly call your employees out of the blue and offer to pay them for their login information and ongoing approval of multi-factor authentication (MFA) prompts. As a result, MFA is no longer a reliable tool in preventing attacks, as it can be easily gamed by malicious insiders.
  3. Understand that every attack involves credentials: Not every attack uses stolen credentials to gain initial access to networks, but every attack eventually involves credentials. After gaining access to networks, bad actors see who has privileged access. They then focus on gaining these higher-level credentials to unlock the keys to the kingdom: customer and financial data, intellectual property and more.
  4. Know that attackers will gain access to networks: Between nation-state actors, criminal gangs, computer-savvy teenagers and disgruntled insiders, the likelihood is that your network has already been penetrated. What you need now is to detect these attacks at speed to minimize their damage. Many organizations that were targeted by Lapsus$ didn’t even realize they’d been breached. That should be a wake-up call for the industry.
  5. Take a different approach to detect threats: The old way of detecting threats required security operations center (SOC) staff to use security incident and event management (SIEM) platforms to sift through an avalanche of alerts to find the few that mattered.

Those days are over, thankfully. More relevant and arguably leading platforms now use machine learning and user behavior analytics to baseline normal activities for every user, device and peer group. Then, the defender can automatically detect anomalous behaviors that indicate compromised accounts, regardless of what techniques the attackers have used to gain credentials. For example, are 20 failed login attempts in a few minutes potential evidence of a credential stuffing attack – or an indication that a legitimate user has forgotten login information? Using baseline data, the platform will generate a risk score for this incident in total, letting SOC teams know if they need to investigate further.

Focus on credentials to catch more bad actors

Security organizations are deploying new platforms and tools to detect intrusions, and that’s a good thing. After all, security teams need all the help they can to match the resources and advantages of their adversaries.

Yet, the risk remains that teams may look for the needle in the haystack, rather than the haystack itself. Credentials are everywhere, they are a demonstrated weak link in organizational security, and malicious actors have demonstrated that they prefer using them over other approaches.

As a result, credentials are both the best and the last chance to catch adversaries. Organizations need to use new strategies and next-generation SIEM platforms with UEBA to detect these attacks and minimize their harm.