Most businesses, especially those in the Fortune 1000, use Microsoft’s Active Directory to manage trusted identities and access privileges across their user base. It’s a simple solution for single sign-on access to the apps and devices employees need day in and day out, and simple is key when managing large and/or distributed teams.
Access management can get messy over time, especially when it doesn’t receive the daily attention it needs precisely because Active Directory makes it so simple to press the autopilot button. Top of mind when it comes to access management should be keeping tight control over trusted identities and preventing account takeovers (ATO) through a combination of policies and best practices.
But businesses of all sizes are underestimating the risk they face from ATO. Only 7% of security leaders cite ATO as a top risk, despite Symantec’s finding that 64% of cloud security incidents stem from unauthorized access. To address this problem, CISOs and IT security teams must get a better understanding of the threat, and they need a drop-in solution that makes a difficult problem easier to manage.
Understanding the ATO threat
Account takeover attacks succeed when threat actors obtain a username and password that also work against an employee’s corporate login. For example, if an employee protects a social media account with the same credentials as their Active Directory account, a breach that exposes the social media login hands criminals a working key to corporate systems.
Organizations are at highest risk of account takeover in the months or years before a breach becomes public. When a breach occurs, threat actors contain the data within their private circle until it is fully monetized, starting with targeted attacks against high-value individuals. At this stage, account takeover attacks may be manual and include highly sophisticated techniques to bypass security features such as multi-factor authentication. After exhausting the data’s value over the course of about 18 to 24 months, the criminals finally allow the data to make its way to dark web forums and pastebin sites where it can be purchased for small sums. Even unsophisticated threat actors can then use “credential stuffing” tools to rapidly plug in username/password combinations on a multitude of websites to see if they work.
While the dangers of password reuse may seem obvious to security professionals, password reuse is a common practice that leaves many organizations vulnerable. In 2018, 24% of internet users whose data was recovered from the dark web had reused passwords. 90% of those reused passwords were exact matches.
Healthcare, higher education, government and insurance companies and their customers are just some of the confirmed victims of corporate account takeovers in 2019. Our own research shows that, just among Fortune 1000 companies, more than 18 million corporate credentials are exposed on the dark web, many of the passwords in plaintext, waiting to be abused.
Better password hygiene is an effective first step anyone can take to protect their accounts, their wallets and their employers from damage related to ATO. But there’s more that companies can be doing to not only prevent ATO, but also to gain a better view of internal vulnerabilities and risks presented by employees as well as partners, vendors and suppliers (they too can be exploited to gain entry into corporate systems).
First steps to risk reduction
Threat actors are increasingly targeting corporations, which house highly-valuable targets such as consumer data, financial records, and intellectual property.
For businesses with Active Directory, a single corporate account takeover can be a huge problem. An attacker who gains control of an Active Directory account inherits a key to every enterprise data set and system that account is permitted to reach, and a privileged account hands over correspondingly more.
IT security teams need to close off this entry point by making sure the email addresses and passwords used by their Active Directory accounts are not already circulating in breach data – and in fact, screening passwords against lists of known-compromised values is a central tenet of NIST’s updated password guidance (SP 800-63B).
Identifying corporate exposures poses a challenge for IT teams, starting with how to obtain the data. Open-source data can provide some great information; however, it’s critical to keep in mind that criminals typically monetize stolen credentials within small communities for 18 to 24 months before allowing them to leak to public sources. By the time credentials appear on the deep and dark web where scanning and scraping tools can pick them up, the highest-risk attacks have already been completed and the data has become a commodity that anyone can access.
In contrast, breach data gathered through human intelligence – infiltrating criminal communities to gain access to stolen data long before the breach becomes public – carries a cost to acquire, but gives organizations a head start against criminal activities.
Operationalizing the data poses an additional challenge. Acquiring, validating, and normalizing breach data takes time, as does applying the data to your environment. Integrating automated password checks with Active Directory is a worthwhile strategy for quickly scaling the impact across a whole organization, particularly if remediation alerts are sent automatically whenever breached passwords are detected. In practice that means two checks: one at password-set time, when the new value can be screened before it is accepted, and a recurring comparison of the hashes already stored in the directory against the breach corpus, so that plaintext passwords never have to be collected. This can make the process nearly hands-off for security teams, who can focus on other priorities with confidence that their investment in regular, automated checks against known-to-be-breached passwords will save employees from ATO.
Protection from the outside in
Most people don’t know when their information has been compromised in a data breach; however, one exposed password might be the key that unlocks several of their online accounts. A growing challenge for corporate IT teams is actually protecting the personal account details of employees in their organization.
Earlier, I mentioned that 24% of internet users whose data was recovered from the dark web had reused passwords. That might not sound so bad at first, but the fact that we recovered 2.6 billion email/password combinations in 2018 means more than 600 million people whose data was exposed on the dark web had reused a password.
(In case you’re scrolling back up to do more math, the 90% that matched exactly represent some 560 million passwords protecting multiple accounts).
That volume of data makes it difficult to say how many of those passwords were reused across personal and corporate accounts, but the rate of reuse should be enough to concern any security professional who has only checked their employees’ corporate passwords against breach data (or none at all!).
We all know that employees bring their personal devices to work, they bring work onto their personal devices, and they access personal accounts while connected to corporate networks. A threat actor who gains access to a personal account is likely to find data there about the victim’s employer and may choose to let their infiltration jump the work/life divide.
Employees need to be shown the risks of reused passwords, and security teams should check existing and newly created passwords against breach data on the password value alone, not only against email/password pairs carrying the corporate domain. A password-only check flags any employee who has reused a previously breached password, whether it was exposed together with their corporate email address or with a personal alias that could be tied to their identity.
This process can be automated through a third-party provider, and it would be wise to re-check all passwords any time there is a major breach.
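The following Python sketch is an added example, not code from this column or from any vendor product it alludes to. It implements the password-only check described above for both paths mentioned earlier: screening a newly chosen password, and auditing stored hashes for existing accounts. Breach rows are normalised into a corpus that keeps only a hash of the password and discards the identifier column, so a password that leaked beside a personal alias still matches. Lookups disclose only a 5-hex-character prefix of the hash and receive the whole bucket back, so the full hash of a live corporate password never has to be handed to whoever hosts the corpus. Everything below is an assumption for the example: the corpus is keyed by SHA-1 of the password (the convention Have I Been Pwned’s Pwned Passwords uses), whereas Active Directory itself stores NT hashes and a real audit of existing accounts would key on those; the breach records, account names and hashes are constructed, not real data.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex chars disclosed in a range lookup (assumption, HIBP-style)

# Constructed breach rows: (identifier or None, password as found in the dump).
# Not real data. Identifiers mix a corporate address, a personal alias and none.
CONSTRUCTED_BREACH_RECORDS = [
    ("alice@corp.example", "Summer2019!"),
    ("bob.smith@personalmail.example", "Welcome123"),
    (None, "P@ssw0rd"),
    ("carol@corp.example", "Summer2019!\r\n"),  # line-ending noise from the dump
    ("mallory@corp.example", ""),               # empty field, must be skipped
]


def sha1_hex(password: str) -> str:
    """Hash a password the way the assumed corpus is keyed (upper-case hex)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus(records):
    """Normalise raw rows into {prefix: set(suffix)} buckets.

    The identifier column is dropped on purpose: the check must work on the
    password value alone. Only dump line endings are stripped; passwords are
    otherwise case- and whitespace-sensitive, so nothing else is normalised.
    """
    buckets = defaultdict(set)
    for _identifier, raw in records:
        password = raw.rstrip("\r\n") if raw else ""
        if not password:
            continue
        digest = sha1_hex(password)
        buckets[digest[:PREFIX_LEN]].add(digest[PREFIX_LEN:])
    return dict(buckets)


def range_query(corpus, prefix: str):
    """Stand-in for the corpus holder's side of a range lookup: it learns only
    the prefix and returns every suffix in that bucket."""
    return corpus.get(prefix.upper(), set())


def hash_is_breached(corpus, digest: str) -> bool:
    """Check an already-hashed password; the full digest stays on the caller's side."""
    digest = digest.upper()
    return digest[PREFIX_LEN:] in range_query(corpus, digest[:PREFIX_LEN])


def password_is_breached(corpus, password: str) -> bool:
    """Path for newly chosen passwords, where the plaintext is briefly available
    (for example inside a password-set hook on the domain controllers)."""
    return hash_is_breached(corpus, sha1_hex(password))


def audit_accounts(corpus, accounts):
    """accounts: iterable of (sAMAccountName, password hash) captured by the
    audit process. Returns the accounts that need a forced reset, regardless
    of which identifier the password originally leaked beside."""
    return [name for name, digest in accounts if hash_is_breached(corpus, digest)]


if __name__ == "__main__":
    corpus = build_corpus(CONSTRUCTED_BREACH_RECORDS)
    # Constructed audit input: stored hashes only, no plaintext and no e-mail.
    constructed_accounts = [
        ("dsmith", sha1_hex("Welcome123")),  # leaked beside a personal alias
        ("ejones", sha1_hex("correct horse battery staple")),
    ]
    print("distinct breached passwords:", sum(len(s) for s in corpus.values()))
    print("accounts to reset:", audit_accounts(corpus, constructed_accounts))
```

The audit path deliberately takes hashes rather than plaintext, which is the only form in which a directory can hand over existing passwords anyway; the prefix bucketing is what lets the comparison be outsourced to a corpus holder without revealing which of your accounts use which password.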
Security in the supply chain
The tactics above can help security teams illuminate blind spots in their identity and access management strategies, but there’s still one major access point that criminals are increasingly targeting – the digital supply chain.
Motivated cybercriminals will identify the weakest piece of your overall perimeter to find a way in, and that can be a partner, vendor or supplier with weak security measures. There are many examples, but the most well-known is Target’s 2013 payment breach, in which credentials stolen from an HVAC supplier gave the attackers a foothold in Target’s network, from which they reached the point-of-sale systems and planted card-stealing malware.
Yes, it’s convoluted. No, it’s not uncommon.
Businesses of all sizes have a vendor roster with varying access to their customer data, corporate networks and even devices in their offices. It can be difficult to approach vendors with questions about their security posture, but it’s important to collaborate on ATO prevention so that neither business loses data or faces the financial damage associated with a breach.
Whatever solution you choose to check login credentials against known breach data, it’s worthwhile to share what you learn with vendors so they can secure their own accounts, to recommend your tactics for exposure detection and remediation, and (especially if you handle lots of customer payment data and PII) even to require that vendors prove their accounts are secure before you sign or renew contracts.
Companies today are still spending significant chunks of their overall cybersecurity dollars on perimeter security, but our research, Verizon’s Data Breach Investigations Report, Symantec’s recent data and countless other resources show that cybercriminals are walking through the front door with stolen login credentials. It’s easy for them to do, and it’s my hope that the advice in this column demonstrates that preventing ATO can be similarly easy and is critically important to the health of businesses of any size.