How credentials became an attacker’s easiest target
Article by Attivo Networks A/NZ regional director Jim Cook.
Credentials continue to be targeted by attackers.
This year, a Verizon study found credentials are the fastest type of organisational data for attackers to get their hands on, which explains the prevalence of phishing attacks that target credential theft every year.
According to the Verizon study, credential theft factored into some 60% of breaches. However, the success rate of abusing stolen credentials could be even higher; one US survey found attackers could access critical systems or data in 85% of privileged credential theft instances, which is staggering.
But despite everything known about how attackers carry out attacks, not enough is being done to educate employees and protect businesses from stolen credential misuse.
One of the reasons might be that user education and awareness training is not getting as much cut-through as previously thought.
According to the Australian Cyber Security Centre (ACSC), one in five small-to-medium businesses did not know the term ‘phishing’ in 2021, let alone understand the risks.
Best practice credential protection is not one layer of mitigations or actions. Organisations must instead take a layered approach to protection, and not every layer requires a large project or outlay.
Organisations can stand up some tools and capabilities in as little as an hour, providing visibility into key threats, credential exposures, and risks, making recommendations on how to make improvements.
Waking up to credential misuse
Credential protection, privilege escalation protection, and cloud entitlement management represent gaps in many organisations’ security environments. Many organisations have deployed systems to detect attackers at an endpoint.
However, there are limitations to traditional endpoint protection, which has led to gaps in protecting credentials themselves and the systems that manage the credentials from attack.
That shows up in the data; according to IBM, “breaches caused by stolen/compromised credentials took the longest number of days to identify (250) and contain (91) on average, for an average total of 341 days.”
As it becomes more apparent that credentials are among attackers’ most prized targets, there is a shift in defensive thinking.
A new category of identity security protections is emerging, defined as Identity Visibility and Identity Detection and Response – IDR), filling a significant gap in the enterprise identity protection landscape.
One way to think about it is that endpoint detection, and response (EDR) and its derivatives play a vital role in keeping attackers from getting into an organisation. Identity security keeps attackers from further infiltrating an organisation using exposed or compromised credentials- foiling their attempts to escalate privileges or access their targets.
Identity security starts from a position of protecting credentials based on where they are stored. In doing so, it provides several things for organisations.
First, it helps organisations find and remediate exposed credentials and attack paths, such as misconfigurations and exposures, before attackers can compromise them.
Second, it contains cloaking technology that allows organisations to hide real credentials from credential-stealing tools like Mimikatz. This function is not only powerful but also different from deception lures familiar to many organisations.
To avoid arousing suspicion, organisations also typically stand up decoy credentials or deception lures and artefacts to breadcrumb attackers back to a decoy where the organisation can observe them and gather additional threat intel.
Organisations may also want to look at protecting credentials stored in various locations on the endpoints. This function provides the option to apply different types of protections to different application-specific credential stores and becomes a way to block unauthorised access to them.
Another identity visibility function, cloud infrastructure entitlement or permissions management, helps organisations manage identities used to access cloud-based resources.
IDR solutions can also be invaluable because they provide live attack detection and misdirect attackers away from key identity assets such as Active Directory. They also misinform attackers by tricking their discovery tools with decoy results when attempting to conduct unauthorised queries of identity assets.
New tools for identity security work hand-in-hand to provide continuous visibility and immediate detection for threat actors attempting to steal or misuse credentials or simply detect exposures that may leave the door wide open for them.