Losing sight of the biggest cause of security breaches isn’t surprising when there are often more column inches in the daily news devoted to state-sponsored hacking and cyber espionage. By comparison, attacks on businesses via compromised credentials – which is by far the easiest route for hackers – probably seem mundane. But it is the most popular method as highlighted by Crowdstrike’s 2022 Threat Hunting Report, which points out that malware-free activity accounts for a whopping 71% of all attacks.
Why credentials are easy pickings
Malicious actors know that traditional cyber defences cannot detect stolen credentials, and getting hold of them gives unchallenged access to an organisation’s network without raising any red flags. Unfortunately, criminals are well-practised at using a raft of underhand techniques to steal them. Favourite tactics include phishing attempts via social media, emails, and texts, or bombarding a user with fake push notifications until they give up their log-in password or approve an MFA prompt. Yet another high-profile victim was The Guardian, which made the headlines itself when it was hit by a ransomware attack in January and cited phishing as the likely cause.
Having captured valid credentials, attackers can then start pursuing the main objective, which is to elevate privileges to gain access to valuable or sensitive information, and potentially to install ransomware. The problem is that once inside the network the imposter looks like a legitimate user and can move around unnoticed.
Uncovering and stopping these seemingly invisible credential-based attacks before serious damage is done requires a different mindset from the belief that attacks can always be prevented. Instead, organisations need to take on board five key reality checks.
Five reality checks
Number one is accepting that getting hacked at some point is inevitable. It is how that incident is dealt with which will avert a disaster. One of the most troubling outcomes from the LAPSUS$ attacks in 2022 was that many businesses were left unaware at the time that they had been breached. Being able to spot an attacker quickly and take immediate action is vital.
The next step is to recognise that anyone could be a potential target and everyone is prone to making a mistake sometimes. Continuous training will help staff avoid risky behaviours such as clicking on links in phishing emails or social media, whoever they are from, whether that’s colleagues, customers, suppliers, or friends and family. But it won’t eliminate the problem entirely.
Another reality check is to acknowledge that adversaries are smart as well as persistent. Criminals will constantly refine their methods, find weaknesses, and work out new approaches. For example, in addition to using social media accounts like Facebook and LinkedIn to hack into personal email accounts, they also scan the internet for posts by disgruntled employees on sites such as Glassdoor. They then make direct approaches to these employees, offering to pay for credentials and for the ongoing approval of multi-factor authentication (MFA) prompts. So organisations that think they have security covered because they deploy MFA should think again.
Keep in mind too, that somewhere along the line every cyberattack will come down to credentials. After using them to gain access unobtrusively, the attacker will work out how to exploit misconfigurations, poor security practices, or unpatched software to gain administrative rights or higher privileges, until they reach what they are looking for.
Lastly, recognise that traditional SIEMs cannot quickly identify and pinpoint credential-based attacks. Security teams need to move away from wading through endless false positives and shift to solutions that can immediately distinguish between imposters and legitimate users.
Embracing a different approach
The fight back is being led by User and Entity Behaviour Analytics (UEBA) solutions, which are replacing old SIEM platforms with an intelligent, proactive approach. Using machine learning, UEBA baselines normal behaviour for every user, device, and peer group. Because the profile of what constitutes normal evolves continuously, any anomalous behaviour stands out immediately. For example, characteristics of normal behaviour might include location, time of day, device, VPN use, and regular access to specific applications; as soon as any of these factors fall outside tolerances, the potential threat is escalated. This ensures compromised credential use and breaches can be caught early by security teams and automatically shut down before they have a chance to cause serious damage.
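To make the baselining idea above concrete, here is an added example (not code from any UEBA product or from the article) that builds a per-user profile of location, device, application, VPN use, and working hours from a constructed set of login events, then scores a new event by how many of those attributes fall outside the profile. The tolerance of one hour either side of the observed login window and the escalation threshold of two deviations are assumed policy values chosen for the illustration.

```python
"""Toy per-user behaviour baseline in the spirit of UEBA (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample history: (user, ISO timestamp, country, device, used_vpn, app).
HISTORY = [
    ("alice", "2024-03-01T09:05:00", "GB", "laptop-a1", False, "crm"),
    ("alice", "2024-03-02T08:55:00", "GB", "laptop-a1", False, "crm"),
    ("alice", "2024-03-03T09:20:00", "GB", "laptop-a1", False, "mail"),
    ("alice", "2024-03-04T10:02:00", "GB", "laptop-a1", False, "crm"),
    ("alice", "2024-03-05T09:15:00", "GB", "laptop-a1", True, "wiki"),
    ("bob", "2024-03-01T22:10:00", "US", "phone-b7", True, "mail"),
    ("bob", "2024-03-02T21:40:00", "US", "phone-b7", True, "mail"),
    ("bob", "2024-03-03T23:05:00", "US", "laptop-b2", True, "crm"),
]

HOUR_TOLERANCE = 1  # assumed policy: allow logins one hour either side of the observed window
ESCALATE_AT = 2     # assumed policy: two or more deviations warrant analyst attention


def build_baselines(events):
    """Aggregate the attributes each user has been observed with into a profile."""
    profiles = defaultdict(lambda: {"countries": set(), "devices": set(),
                                    "apps": set(), "hours": [], "vpn": set()})
    for user, ts, country, device, vpn, app in events:
        p = profiles[user]
        p["countries"].add(country)
        p["devices"].add(device)
        p["apps"].add(app)
        p["hours"].append(datetime.fromisoformat(ts).hour)
        p["vpn"].add(vpn)
    return profiles


def score_event(profiles, event):
    """Compare one new login against the user's profile and list every deviation.

    Returns a dict with the deviation count as the score and an escalate flag.
    A user with no baseline at all is escalated outright, since nothing can be
    said about what is normal for them.
    """
    user, ts, country, device, vpn, app = event
    p = profiles.get(user)
    if p is None:
        return {"user": user, "score": 99, "reasons": ["unknown_user"], "escalate": True}

    reasons = []
    if country not in p["countries"]:
        reasons.append("new_country")
    if device not in p["devices"]:
        reasons.append("new_device")
    if app not in p["apps"]:
        reasons.append("new_app")
    if vpn not in p["vpn"]:
        reasons.append("vpn_unusual")

    # Working-hours check: the observed hour range widened by the tolerance.
    # (A window that straddles midnight would need wrap-around handling; the
    # constructed data does not cross it, so a plain range is enough here.)
    hour = datetime.fromisoformat(ts).hour
    lo = min(p["hours"]) - HOUR_TOLERANCE
    hi = max(p["hours"]) + HOUR_TOLERANCE
    if not lo <= hour <= hi:
        reasons.append("off_hours")

    return {"user": user, "score": len(reasons), "reasons": reasons,
            "escalate": len(reasons) >= ESCALATE_AT}


if __name__ == "__main__":
    profiles = build_baselines(HISTORY)
    # Constructed new events: one routine login and one that looks like a stolen credential in use.
    for ev in [("alice", "2024-03-06T09:30:00", "GB", "laptop-a1", False, "crm"),
               ("alice", "2024-03-06T03:12:00", "RO", "laptop-x9", False, "crm")]:
        print(score_event(profiles, ev))
```

The second event is the one the article describes: the password is valid, so a signature-based control sees nothing, but an unfamiliar country, an unfamiliar device, and a 3 a.m. login each break the learned baseline and together push the event over the escalation threshold. A single deviation, such as Bob logging in without his usual VPN, is recorded but not escalated, which is the kind of tolerance that keeps analysts from drowning in the false positives the next section mentions.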
Being prepared for the unknown
Traditionally, security professionals have counted on being prepared for known threats, whether by updating virus signature files, correlation rules, firewalls, or allowlists, or by patching software. All of these aim to prevent bad things from happening in the first place. With threats constantly growing and changing, it isn’t realistic to depend on hard-pressed security teams always staying one step ahead of malicious actors. By incorporating UEBA into security programs, organisations can equip themselves for the unknown and rely on their capability to disable attacks quickly, regardless of how, when, and where user credentials were compromised.