SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
How credentials became an attacker’s easiest target
Wed, 10th Nov 2021

Credentials continue to be targeted by attackers.

This year, a Verizon study found credentials are the fastest type of organisational data for attackers to get their hands on, which explains the prevalence of phishing attacks that target credential theft every year.

According to the Verizon study, credential theft factored into some 60% of breaches. However, the success rate of abusing stolen credentials could be even higher; one US survey found attackers could access critical systems or data in 85% of privileged credential theft instances, which is staggering.

But despite everything known about how attackers carry out attacks, not enough is being done to educate employees and protect businesses from stolen credential misuse.

One of the reasons might be that user education and awareness training is not getting as much cut-through as previously thought.

According to the Australian Cyber Security Centre (ACSC), one in five small-to-medium businesses did not know the term ‘phishing’ in 2021, let alone understand the risks.

Best practice credential protection is not one layer of mitigations or actions. Organisations must instead take a layered approach to protection, and not every layer requires a large project or outlay.

Organisations can stand up some tools and capabilities in as little as an hour, providing visibility into key threats, credential exposures, and risks, making recommendations on how to make improvements.

Waking up to credential misuse

Credential protection, privilege escalation protection, and cloud entitlement management represent gaps in many organisations' security environments. Many organisations have deployed systems to detect attackers at an endpoint.

However, there are limitations to traditional endpoint protection, which has led to gaps in protecting credentials themselves and the systems that manage the credentials from attack.

That shows up in the data; according to IBM, “breaches caused by stolen/compromised credentials took the longest number of days to identify (250) and contain (91) on average, for an average total of 341 days.”

As it becomes more apparent that credentials are among attackers' most prized targets, there is a shift in defensive thinking.

A new category of identity security protections is emerging, defined as Identity Visibility and Identity Detection and Response (IDR), filling a significant gap in the enterprise identity protection landscape.

One way to think about it is that endpoint detection and response (EDR) and its derivatives play a vital role in keeping attackers from getting into an organisation. Identity security keeps attackers from further infiltrating an organisation using exposed or compromised credentials, foiling their attempts to escalate privileges or access their targets.

Identity security starts from a position of protecting credentials based on where they are stored. In doing so, it provides several things for organisations.

First, it helps organisations find and remediate exposed credentials and attack paths, such as misconfigurations and exposures, before attackers can compromise them.

Second, it contains cloaking technology that allows organisations to hide real credentials from credential-stealing tools like Mimikatz. This function is not only powerful but also different from deception lures familiar to many organisations.

To avoid arousing suspicion, organisations also typically stand up decoy credentials or deception lures and artefacts to breadcrumb attackers back to a decoy where the organisation can observe them and gather additional threat intel.
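
The detection half of that decoy-credential idea can be illustrated in a few dozen lines. The script below is an added example, not code from the article or from any IDR product it describes: it keeps a list of planted decoy account names and scans authentication log records for any attempt to use them, since a decoy credential has no legitimate user and any use of it is a high-confidence signal. The decoy names, the log line format and every log line are constructed for the example; the lines are only loosely modelled on Windows Security log fields (event id, account, source workstation) and are not a real capture.

```python
"""Added example (not from the article): flag any authentication attempt that
uses a planted decoy ("honeytoken") account, and group hits by source host.

All account names and log lines below are constructed for the example.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Decoy accounts deliberately planted in credential stores (placeholder names).
# They have no legitimate user, so any authentication attempt with them is suspect.
DECOY_ACCOUNTS = {"svc_backup_legacy", "adm_dbmaint"}

# Windows Security event ids treated as authentication attempts:
# 4624 logon success, 4625 logon failure, 4768 Kerberos TGT request,
# 4771 Kerberos pre-authentication failure.
AUTH_EVENT_IDS = {4624, 4625, 4768, 4771}

# Constructed line format: "<timestamp> EventID=<n> Account=<DOMAIN\name> Source=<host>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+Account=(?P<acct>\S+)\s+Source=(?P<src>\S+)"
)

# Constructed sample records (not real logs). Two lines use the decoy account,
# one of them with different letter case and a domain prefix.
SAMPLE_LOG = [
    "2021-11-10T09:14:02Z EventID=4624 Account=CORP\\jsmith Source=WS-0142",
    "2021-11-10T09:15:37Z EventID=4625 Account=CORP\\SVC_BACKUP_LEGACY Source=WS-0377",
    "2021-11-10T09:15:41Z EventID=4768 Account=svc_backup_legacy Source=WS-0377",
    "2021-11-10T09:16:00Z EventID=4672 Account=CORP\\jsmith Source=DC01",
    "malformed line that the parser must skip",
]


@dataclass(frozen=True)
class Alert:
    timestamp: str
    event_id: int
    account: str   # normalised: domain prefix removed, lower-cased
    source: str


def parse_line(line: str):
    """Return (timestamp, event_id, account, source) or None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), int(m.group("eid")), m.group("acct"), m.group("src")


def normalise_account(acct: str) -> str:
    """Strip an optional DOMAIN\\ prefix and lower-case the name, because
    Windows account names are not case sensitive."""
    return acct.split("\\")[-1].lower()


def find_decoy_usage(lines, decoys=DECOY_ACCOUNTS) -> list[Alert]:
    """Scan log lines and return one Alert per authentication event that
    references a decoy account. Non-authentication events and lines that
    do not parse are ignored."""
    wanted = {d.lower() for d in decoys}
    alerts: list[Alert] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, eid, acct, src = parsed
        if eid not in AUTH_EVENT_IDS:
            continue
        name = normalise_account(acct)
        if name in wanted:
            alerts.append(Alert(ts, eid, name, src))
    return alerts


def alerts_by_source(alerts) -> dict[str, int]:
    """Count decoy hits per source host so a single host probing several
    planted accounts stands out for follow-up."""
    return dict(Counter(a.source for a in alerts))


if __name__ == "__main__":
    hits = find_decoy_usage(SAMPLE_LOG)
    for a in hits:
        print(f"DECOY USED {a.timestamp} event={a.event_id} account={a.account} from={a.source}")
    print("hits per source:", alerts_by_source(hits))
```

Run on the constructed sample, the script reports two hits, both for `svc_backup_legacy` from `WS-0377`; the normal-user events and the unparseable line produce nothing. The normalisation step matters in practice: without it, the upper-cased, domain-prefixed attempt on the second line would slip past an exact string match.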

Organisations may also want to look at protecting credentials stored in various locations on the endpoints. This function provides the option to apply different types of protections to different application-specific credential stores and becomes a way to block unauthorised access to them.

Another identity visibility function, cloud infrastructure entitlement or permissions management, helps organisations manage identities used to access cloud-based resources.

IDR solutions can also be invaluable because they provide live attack detection and misdirect attackers away from key identity assets such as Active Directory. They also misinform attackers by tricking their discovery tools with decoy results when attempting to conduct unauthorised queries of identity assets.

New tools for identity security work hand-in-hand to provide continuous visibility and immediate detection for threat actors attempting to steal or misuse credentials or simply detect exposures that may leave the door wide open for them.