Today’s reality is that the majority of cyberattacks relate to credential theft in some guise. (See related article, “Board Members Should Care–a Lot–About Credentials Theft.”) This ranges from consumer-focused cybercrime that traditionally targets banking credentials, to business-oriented attacks that occur in the middle of the attack lifecycle and try to gain and escalate the stolen credentials required to access systems and data inside the compromised business.
Whilst there are daily updates on how attack methods are evolving, much less is said about the evolving tactics used to gain and leverage credentials. This is a critical gap: credentials are increasingly used outside the business network, so identifying and reducing the scope of what an attacker can achieve with them needs to be addressed.
Using a point of trust – In recent years we have seen social media accounts with high volumes of followers compromised, leveraging the trust in these to target tens of thousands of users. The same concept is increasingly being used in the business space, where credentials stolen from a senior employee or executive can be used to influence both online and physical actions of more junior staff. I came across several examples where enough information was gathered through reconnaissance to ensure that when such trusted electronic demands were sent, the person whose credentials had been compromised was uncontactable, thus forcing the recipients to decide themselves, which is typically socially engineered to be time bound.
Technology is adding new layers of complexity – More businesses are seeing the value of cloud email and data storage services. Once credentials are taken, they can be used without touching the business’s network, which has traditionally been the bastion of its security controls. How would you validate that the correct user is the one using these credentials in cloud services today?
Credential sprawl – Likewise, these same credentials can be used and cached in multiple devices and systems. Typically, multiple methods are used to gain access to the same business systems, whether they are apps, web interfaces or public clouds. Whilst users are correctly educated not to write down their passwords, cybercriminals’ ability to screengrab, keyboard log, and leverage underlying system or application vulnerabilities – whether that’s on a smartphone, tablet or PC, or in an internet cafe or cloud architecture – means the scope of where and how credentials must be digitally protected is growing.
For many users, it may seem easy to enforce policy around these credentials to minimize the risks, yet execs and senior staff often have the broadest access and are more likely to be targeted, either directly or through their support staff or, worse still, via friends and family that can gain access to systems or passwords. Likewise, it may seem obvious to enforce different passwords for differing systems, but with single sign-on tools aimed to simplify the user experience, and digital wallets/vaults becoming more popular, it’s important to consider which systems require more than just a single form of authentication, and how to apply and enforce this consistently across the technology-diverse user ecosystem.
What to Do?
If credential theft continues to be a core focus for the adversary, we need to extend the scope of where and how the credentials being used are protected, whether the threat is employees doing the wrong things or attackers looking for the path of least resistance to achieve their goal. While security professionals have years of experience protecting data and systems in their own networks, most users today can effectively work outside the business-protected space, leveraging cloud services and portable devices.
Although layers of security can and should continue to be applied throughout these technology systems, the constant across them is the credentials used. The impact here is the access they give, and the implied trust that goes with communications from these accounts.
Given the current landscape, here are five key issues you should be thinking about today:
- How are you preventing credential theft attacks?
Within your existing processes, procedures and tools, what can be specifically implemented to manage credential theft? As an example, banks commonly state that they may send users marketing information, but that they will never ask for personal information or credentials via email. The same concept can apply to businesses: do you have an escalation process to validate email requests if the person is not contactable, so there is always a point of human verification? Within the tools you use, what capabilities are there to spot credential theft? This could include specific anti-phishing capabilities through to…
- How do you identify and enforce the right level of validation against users to ensure they are who you think they are?
Visibility is at the core of all security strategies. Do you have a clear process to identify the information and accounts that could be sensitive, and to validate where and how users are using them? If they are outside the business, how do you implement the right policy controls? This may mean reducing or refusing access, or adding additional authentication layers. How do you define and enforce this consistently, across the scope of connection methods being used, in a way that you can dynamically adapt to new requirements?
- Where do you apply these enforcement controls?
Considering the ongoing evolution and diversity of credential use, how can you implement controls that remain dynamic to changing requirements, such as the need to add support for new apps, cloud resources and devices with minimal effort from an execution perspective? You may, for example, be using a multi-factor authentication solution, but what happens when there is a resource it doesn’t support? As users and their connection methods change, how do you easily evolve the enforcement controls? Are you applying them at the source connection point, at the end authentication/data-use point, or somewhere between the two?
- How do you spot credential misuse, whether by an insider or an attacker?
The goal is to prevent credentials being misused, whether by an attacker or by employees, yet you should also have the ability to detect instances quickly to minimize the impact. What processes and capabilities do you have to spot when misuse does happen? Can you identify a sudden change in connection location, and do you see an increase in activity or a change in the activity profile? When you spot these, how easy is it for you to then segregate that account, either in its entirety or (better) at the points of access that would cause harm? What forensic data could you use to understand what has already occurred?
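As an added example that is not part of the original article, the script below applies the three misuse signals this section names (a sudden change in connection location, a spike in activity volume, and a change in the activity profile) over a handful of constructed cloud sign-in log lines. Everything before a cutoff timestamp is treated as the user’s baseline; everything on or after it is checked against that baseline. The log format, the field names, the `spike_factor` threshold and the baseline/observation split are all assumptions made for this illustration, not the practice of any particular product.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log (not real data). Format assumed for this example:
# <ISO-8601 timestamp> <user> <source country> <resource>
SAMPLE_LOG = """\
2024-03-01T09:02:11Z alice GB mail
2024-03-01T13:40:02Z alice GB files
2024-03-02T08:55:19Z alice GB mail
2024-03-02T14:12:45Z alice GB files
2024-03-03T09:10:33Z alice GB mail
2024-03-03T15:01:08Z alice GB files
2024-03-01T09:30:00Z bob GB mail
2024-03-01T12:05:41Z bob GB mail
2024-03-02T09:28:12Z bob GB mail
2024-03-02T13:44:09Z bob GB mail
2024-03-03T09:31:57Z bob GB mail
2024-03-03T14:20:20Z bob GB mail
2024-03-06T02:14:03Z alice RO mail
2024-03-06T02:15:48Z alice RO files
2024-03-06T02:17:10Z alice RO hr-db
2024-03-06T02:19:32Z alice RO hr-db
2024-03-06T02:22:51Z alice RO files
2024-03-06T02:25:07Z alice RO hr-db
2024-03-06T02:27:44Z alice RO files
2024-03-06T02:30:19Z alice RO hr-db
2024-03-06T09:12:40Z bob GB mail
2024-03-06T13:58:02Z bob GB mail
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, resource = line.split()
        events.append({
            "ts": datetime.strptime(ts, TS_FORMAT),
            "user": user, "country": country, "resource": resource,
        })
    return events


def build_baseline(events):
    """Per-user profile from the baseline window: countries and resources seen,
    plus the average number of sign-ins per active day."""
    profile = defaultdict(lambda: {"countries": set(), "resources": set(),
                                   "days": set(), "count": 0})
    for e in events:
        p = profile[e["user"]]
        p["countries"].add(e["country"])
        p["resources"].add(e["resource"])
        p["days"].add(e["ts"].date())
        p["count"] += 1
    for p in profile.values():
        p["daily_avg"] = p["count"] / len(p["days"])
    return profile


def detect_misuse(log_text, cutoff, spike_factor=3.0):
    """Events before `cutoff` form the baseline; events on or after it are observed.
    Returns {user: sorted list of (signal, detail)} for users with at least one alert."""
    cutoff_ts = datetime.strptime(cutoff, TS_FORMAT)
    events = parse_log(log_text)
    baseline = build_baseline([e for e in events if e["ts"] < cutoff_ts])
    observed = [e for e in events if e["ts"] >= cutoff_ts]
    alerts = defaultdict(set)
    per_day = defaultdict(int)
    for e in observed:
        p = baseline.get(e["user"])
        if p is None:
            # No history at all: cannot profile, so flag for review.
            alerts[e["user"]].add(("unknown_user", e["user"]))
            continue
        if e["country"] not in p["countries"]:
            alerts[e["user"]].add(("new_location", e["country"]))      # location change
        if e["resource"] not in p["resources"]:
            alerts[e["user"]].add(("new_resource", e["resource"]))     # profile change
        per_day[(e["user"], e["ts"].date())] += 1
    for (user, day), n in per_day.items():
        if n > spike_factor * baseline[user]["daily_avg"]:
            alerts[user].add(("volume_spike", f"{day}:{n}"))           # activity increase
    return {user: sorted(found) for user, found in alerts.items()}


if __name__ == "__main__":
    for user, found in detect_misuse(SAMPLE_LOG, "2024-03-06T00:00:00Z").items():
        print(user, found)
```

Run as a script, the only account flagged is alice: a sign-in country never seen in her baseline, access to a resource she never used before, and eight sign-ins in a day against a baseline of two. Bob’s activity matches his history and produces nothing, which is the point of baselining per user rather than applying one global rule. In a real deployment the baseline would come from an identity provider’s sign-in logs and the thresholds would be tuned per population, but the three signals stay the same.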
Security professionals have become more used to testing network resilience by dealing with cyber breaches, but how frequently do you test what can be achieved with genuine credentials when they are used from a non-business system outside your network? As you build out your visibility, you should start to consider which scenarios would have the greatest impact, and use them to test your capabilities to identify, prevent and – where required – respond to credential misuse.
With its efficacy in facilitating access to myriad systems, credential theft is not going to go away soon, and will likely continue to grow as a way of facilitating attacks. By asking yourself these questions now, you can identify where your organization may be vulnerable and how you can shore up your defenses without impacting users.