SecurityWeek

Identity & Access

Stressing Over Stolen and Abused User Credentials?

We live in a world where security operations professionals often find themselves fighting logs, not threats. They constantly worry that their organization’s defenses will be overrun and valuable data stolen or lost. In honor of Stress Awareness Month, we have an opportunity to reflect on ways to lower your operational burden, the chance of a breach and your stress levels by preventing the theft and abuse of valid user credentials.

Despite the attention that attacks like zero-day exploits receive, such techniques are rarely seen in real-world intrusions. Why? These tools are expensive and time-consuming to develop and deploy. When used, they are typically deployed by highly sophisticated adversaries: nation-state-linked groups, cyber mercenaries for hire or other well-resourced attackers. These groups tend to reserve their more advanced attack methods for targets with the potential to yield a big payday or achieve a specific geopolitical goal, one big enough to offset the cost of discovering a novel vulnerability and essentially “burning” the exploit by releasing it into the wild. Even against high-value targets, tried-and-true methods like phishing and the use of stolen credentials are far more likely, because they are simple and effective.

Given this, most security professionals should focus their efforts on identifying and preventing common attack methods such as credential phishing. Phishing attacks seek to steal valid user credentials (i.e., username and password) from unsuspecting targets by tricking them into believing they are submitting those credentials to a legitimate source, for example by logging into a fake version of a real service. But why would an attack method that has been around since the late 1980s still be a threat today? To put it simply: because it works. Unit 42, the threat intelligence team at Palo Alto Networks, estimates that between 15 and 19 percent of phishing attacks succeed, even after an employee has received training on spotting and avoiding them. Fortunately, a three-pronged approach to cybersecurity – one that accounts for people, processes and technology – is a reliable way to block the majority of phishing attacks.

People

One of the easiest ways to cut down on credential-based attacks, including phishing, is education. Regular training sessions and real-time testing should be required of all staff. Even at relatively technology-savvy companies, it is important to take the time to explain methods like phishing, why it is important to look out for them, and practical ways to identify and flag potential phishing attempts to IT security staff. Never assume that everyone in your organization has the education to take the right action. This training can’t be a one-time event, and even quarterly is not enough. New employees are constantly joining, and current ones need regular, perhaps even weekly, testing to keep them updated on the latest tricks and techniques they may encounter. Training is also the ideal time to reinforce good credential habits with employees. Be sure to enforce a policy of changing their credentials every three months, as well as using different passwords for all their different apps and services.

Process

Credential-based attacks must be addressed from a process perspective as well. Some process-level questions that organizations should consider include:

• How do employees initiate the workflow to investigate potential phishing attempts?

• If a data breach occurs on services used by employees in their personal time (possibly due to sharing passwords, which should be against policy), should company passwords be reset?

• Can you automatically block phishing websites or email?

• Is automation in place to block indicators of compromise (IoCs) extracted from investigations?

• How are you protecting sensitive resources if attackers gain access to legitimate credentials?

Remember, the best way to orchestrate the prevention of credential-based attacks is through an informed policy driving the right processes.

Technology

Much of the work involved in identifying and mitigating the theft or use of stolen credentials can be automated if you’re using the right technology on the right security platform. There are three essential use cases that automated platforms can solve for:

• Automatically identify and prevent employees from visiting credential phishing sites. This approach must be powered by threat intelligence informed by a global network of sensors with the analytics to identify new malicious sites, blocking them without human intervention.

• Look for the leakage of password-based credentials to unknown sites, which may not be categorized as phishing at the time. When identified, the platform must be able to block the user from transmitting credentials to these non-approved locations.

• Use policy-based multi-factor authentication enforced at the network level to protect critical applications and stop attackers from using stolen credentials to conduct lateral movement within the network.
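As an added illustration of the first two use cases above (this is example code written for this page, not a product's or the author's own), the following classifier runs over constructed proxy log lines: it blocks requests to hosts already categorized as phishing, and separately blocks POSTs that carry a password-like form field to any host outside an approved list of corporate login endpoints, which is how a credential leak to a not-yet-categorized site is caught. The log format, hostnames and field names are all assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of hosts where corporate credentials may legitimately be submitted.
APPROVED_CREDENTIAL_HOSTS = {"sso.example-corp.com", "mail.example-corp.com"}
# Constructed set of hosts already categorized as phishing by a threat intelligence feed.
KNOWN_PHISHING_HOSTS = {"sso-example-corp-verify.com"}
# Form field names that indicate a password is being transmitted.
PASSWORD_FIELD = re.compile(r"^(pass(word|wd)?|pwd|passphrase|secret)$", re.IGNORECASE)

def parse_event(line):
    """Parse one constructed proxy log line: '<ts> user=<n> method=<M> url=<u> fields=<k1,k2>'."""
    # 'fields' lists the form field names of a POST body and may be empty.
    event = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            event[key] = value
    event["fields"] = [f for f in event.get("fields", "").split(",") if f]
    return event

def classify(line):
    """Return (verdict, host): 'block-phishing' for a known phishing host (use case 1),
    'block-credential-leak' for a password posted to a non-approved host (use case 2), else 'allow'."""
    event = parse_event(line)
    host = (urlparse(event.get("url", "")).hostname or "").lower()
    if host in KNOWN_PHISHING_HOSTS:
        return "block-phishing", host
    sends_password = event.get("method") == "POST" and any(
        PASSWORD_FIELD.match(f) for f in event["fields"])
    if sends_password and host not in APPROVED_CREDENTIAL_HOSTS:
        return "block-credential-leak", host
    return "allow", host

# Constructed sample proxy events, one per line.
SAMPLE_LOG = [
    "2024-04-02T09:12:01Z user=alice method=POST url=https://sso.example-corp.com/login fields=username,password",
    "2024-04-02T09:15:44Z user=bob method=POST url=https://sso-example-corp-verify.com/login fields=user,pass",
    "2024-04-02T09:16:10Z user=carol method=POST url=https://docs-share.example.net/auth fields=email,passwd",
    "2024-04-02T09:17:30Z user=dave method=GET url=https://news.example.org/story/42 fields=",
    "2024-04-02T09:18:05Z user=erin method=POST url=https://survey.example.org/submit fields=name,comment",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        verdict, host = classify(line)
        print(f"{verdict:22} {host}")
```

In practice the password-field check would be fed by the proxy's decrypted form data or a browser extension rather than a log line, but the decision logic is the same.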

Training your people to be aware of credential-based attacks and how to avoid them, as well as adopting the right prevention-based measures, can have a material impact on stopping one of the most common and effective attack techniques. Even better, it’ll keep your stress levels down by giving you the peace of mind that comes from knowing you no longer have to worry about finding and resolving every attack manually.
