Wednesday, December 22nd, 2021

Credential Theft – How to protect against it

Credentials are widely used as a security control to protect an organisation’s network infrastructure and information assets. As such, credential theft is typically part of the initial stage of a cyber-attack. Once cybercriminals have obtained valid credentials, they can often operate undetected throughout a network and dive deeper to uncover more sensitive or confidential data held by the organisation.

As we have seen from the ransomware attacks to date, credential theft can often lead to ransomware. Once attackers gain access to valid credentials, they then look to gain access to company networks and systems, including access to Active Directory. Once they gain access, threat actors can use the AD to exploit privileged user accounts and map out the organisation’s network. Access to privileged admin accounts can enable attackers to avoid detection and move laterally across the network to discover more high-value information assets to exfiltrate while infecting more machines with ransomware. Lateral movement is a technique used by cybercriminals to avoid detection and prolong their attack.

The AD also has a group policy feature that helps administrators manage the domain-joined devices and users in the network. Attackers can exploit the AD’s group policy to deploy ransomware across the organisation’s AD-connected devices and encrypt domain-joined systems. For example, the Lockbit 2.0 ransomware was distributed using a Ransomware-as-a-Service model.

There are various tools and techniques that cybercriminals use to attempt credential theft and gain unauthorised access to accounts or systems, such as:

Brute Force

A trial-and-error technique that uses automated software to identify valid login credentials. This software will attempt to guess different combinations of usernames and passwords within a matter of seconds until it successfully “brute forces” its way into the user account. To date, brute force attacks have been known to work even with more complex passwords.

Password Spraying

Unlike brute force attacks, which focus on a single account, password spraying focuses on the volume of targeted accounts. This attack is commonly dubbed the “low and slow” approach of hacking passwords. Cybercriminals take commonly used passwords and try them against each account within the organisation. Attackers avoid account lockouts with this approach, as they first use one common password against many accounts before attempting to use a second password.

Credential Theft – Phishing

As we have seen this year, this social engineering attack is commonly email-based whereby cyber criminals attempt to trick users into directly providing their credentials. Cybercriminals would either impersonate a fellow colleague or a third-party vendor or service, in order to lure users into clicking on a malicious link. This link generally directs users into a login landing page where they are prompted to enter their login details. Even though the details entered may be correct, the user may receive an ‘error’ message which may prompt the user to re-enter credentials from another valid account.

Intercepting Internet Traffic

As a more technological technique to steal credentials, attackers can monitor internet data or packets through Wi-Fi networks. The cybercriminal essentially ‘sits’ between the user’s device and their Internet connection. They can then watch all the incoming and outgoing network traffic using an internet packet sniffer software program. Wi-Fi routers with weak passwords and the use of unencrypted internet connections (HTTP) are particularly vulnerable to this hack.

Credential Stuffing

Compromised credentials can often be found on the dark web, which can be purchased by other threat actors to execute credential stuffing attacks. Cybercriminals can also use compromised credentials from a previous hack to attempt to break into accounts on other services. So, attackers simply input the stolen credentials for a particular account into various different services, in the hopes that the user has reused their password.


Keyloggers

Keylogger attacks are generally carried out via malware stealthily installed on the user’s machine. This malicious software then simply monitors all of the user’s physical keystrokes. This means that the cybercriminal just needs to wait until the user types in their credentials.

It is important to identify credential theft attacks early in order to protect the organisation’s systems and data.

In order to mitigate and best protect the organisation from credential theft, we recommend the following:

Define, implement and communicate a Password Policy.

This policy should outline the password construction requirements, how passwords should be stored and the account lockout threshold. A well-defined Password Policy should state that all passwords be a minimum of 12 characters and include a combination of uppercase and lowercase letters, symbols and numbers and should be changed every 90 days at a minimum. For privileged user accounts, these requirements extend to a minimum of 16 characters.

Active Directory Password

If available, the Active Directory (AD) password protection should be enabled. This eliminates ‘hackable’ or common passwords from being used within the organisation. The AD Administrator can also create a list of industry-specific or region-specific common passwords that cannot be used. This further eliminates attacks such as password spraying. Password spraying attacks can be detected early by being aware of these indicators:

Cybercriminals using this technique typically do not have an up-to-date list of username credentials. They may have purchased a list on the dark web or may simply be guessing. As an indicator of this attack, you may see invalid usernames or usernames of past employees being used.

As this attack focuses on the volume of accounts rather than speed, another indicator is a sudden spike in the number of failed login attempts in many accounts within a short period of time.
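The two indicators above can be checked together over authentication logs. The following is an added example, not part of the original article: the record layout, account names, addresses, 10-minute window and five-account threshold are all assumptions, and the events are constructed sample data standing in for failed-logon records collected from domain controllers.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed directory snapshot: accounts that exist today (assumption).
ACTIVE_USERS = {"asmith", "bjones", "cdoyle", "dkelly", "emurphy"}

def at(hms):
    """Build a timestamp on the constructed sample day."""
    return datetime.fromisoformat(f"2021-12-22T{hms}")

# Constructed logon records: (time, username, source address, succeeded).
EVENTS = [
    (at("09:00:05"), "asmith", "10.0.0.7", False),      # user mistypes once
    (at("09:00:20"), "asmith", "10.0.0.7", True),
    (at("09:30:00"), "asmith", "203.0.113.9", False),   # spray begins
    (at("09:30:40"), "bjones", "203.0.113.9", False),
    (at("09:31:10"), "fwalsh", "203.0.113.9", False),   # former employee
    (at("09:31:50"), "cdoyle", "203.0.113.9", False),
    (at("09:32:30"), "jbloggs", "203.0.113.9", False),  # never existed
    (at("09:33:00"), "dkelly", "203.0.113.9", False),
    (at("11:00:00"), "emurphy", "10.0.0.12", False),    # unrelated failure
]

def detect_spray(events, active_users, window=timedelta(minutes=10), min_accounts=5):
    """Return one alert per burst in which failed logons touch at least
    min_accounts distinct usernames inside a sliding time window."""
    recent, alerts, in_burst = deque(), [], False
    for ts, user, source, succeeded in sorted(events):
        if succeeded:
            continue
        recent.append((ts, user, source))
        while ts - recent[0][0] > window:      # drop failures older than window
            recent.popleft()
        accounts = {u for _, u, _ in recent}
        if len(accounts) < min_accounts:
            in_burst = False
            continue
        if not in_burst:                       # first event over the threshold
            alerts.append({"start": recent[0][0]})
            in_burst = True
        alerts[-1].update(                     # fields reflect the latest window
            end=ts,
            accounts=sorted(accounts),
            sources=sorted({s for _, _, s in recent}),
            # Second indicator: usernames not in the current directory.
            unknown_accounts=sorted(accounts - set(active_users)),
        )
    return alerts

if __name__ == "__main__":
    for alert in detect_spray(EVENTS, ACTIVE_USERS):
        print(alert)
```

The threshold counts distinct accounts rather than total failures, so one user repeatedly mistyping a password does not raise an alert, while a single guess against many accounts does.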

Privileged Access Management

A Privileged Access Management (PAM) solution can help manage and secure privileged users against brute force attacks. Privileged accounts are generally designated for special access and hold much greater capabilities than standard accounts, such as for administrative use in an organisation’s IT ecosystem. Typically, they are also more attractive to cyber threat actors due to the greater level of access they hold, which can mean an ease of access to far more sensitive information. PAM is essentially a comprehensive access security strategy which consists of organisational and technical controls in order to monitor and secure all privileged users and activities within the organisation’s IT environment.

Password Management

A password management tool, such as Keeper Security, can help enforce the organisation’s Password Policy and simplify password best practice, as users only need to remember one master password. It is also important to ensure that two-factor authentication (2FA) is used for accessing the password manager. 2FA adds another layer of security. This means a combination of two different authentication factors should be used:

something you are (e.g. fingerprint), something you have (e.g. phone), something you know (e.g. PIN)

Attack Simulations

Conducting attack simulations, such as a brute force or the “low and slow” attack, can help organisations assess how secure the organisation’s credential security controls are. This simulation can also help create the list of banned passwords which can be enforced through the Active Directory.

Phishing Simulations

Phishing simulations should be carried out on a regular basis to help assess how employees interact with suspicious emails. The results of this simulation can help identify training needs. Those who fail the simulation can be given further phishing awareness training.

Automated Anti-Phishing

Automated anti-phishing tools, such as Smarttech247’s NoPhish platform, can also be implemented as a user-friendly process. NoPhish enables users within an organisation to simply click on the NoPhish icon in Microsoft Outlook. This immediately quarantines and sandboxes the email. Smarttech247’s security operations centre analysts then analyse the email. If the email is safe, it is returned to the user’s inbox. If not, Smarttech247’s analysts destroy the email and automatically update the organisation’s email security settings to prevent similar types of malicious email from bypassing the organisation’s email gateway. NoPhish uses artificial intelligence to extract data from emails and continuously improve the platform’s understanding of the email threats that organisations are currently facing.

To mitigate against credential theft from cybercriminals intercepting internet traffic, organisations can implement Virtual Private Networks (VPN). A VPN ensures that your network connection remains secure and encrypted. It is also important to ensure that secure internet use is included in the organisation’s Acceptable Use Policy, outlining that users can only browse HTTPS-encrypted sites or that they are not allowed to use unsecured public Wi-Fi.

Author: Mae Patlong,  Information Security Consultant, Smarttech247
