While many of the biggest headlines on data breaches focus on highly complex, nation-state attacks, most breaches are in fact caused by something far more commonplace: compromised credentials. According to CrowdStrike's 2022 Threat Hunting Report, malware-free activity accounted for a staggering 71 per cent of all detections.
The unfortunate truth is that traditional defences are built to spot malicious files and known-bad signatures, not to tell a legitimate user apart from an attacker logging in with that user's valid credentials. So, with compromised credentials now the most common initial attack vector, it is vital that organisations wake up to these threats and put measures in place to fight back.
How credential-based attacks work
Human weaknesses are ripe for exploitation by cyber adversaries looking to get their hands on valid credentials that will provide a springboard for getting hold of an organisation’s most valuable assets.
Today's external attackers are adept at using social engineering techniques such as phishing to trick employees into giving up their login credentials by clicking on links in emails, texts, or other media. They are also practised at multi-factor authentication (MFA) fatigue attacks: having already obtained a password, they flood the user's authentication app with push notifications until the user relents and approves one, handing over the second factor as well. We saw this in both the Uber and Rockstar Games breaches.
Once in possession of authentic credentials, an external attacker simply logs in as that user. Where credentials have been harvested in bulk, for example from a third-party breach, attackers also run credential stuffing attacks, using automated tools to try stolen username and password pairs against many services and accounts in the hope that passwords have been reused. Because the credentials belong to a genuine, legitimate user, the majority of traditional defences are simply sidestepped.
Therefore, with credential-based attacks the weapon of choice for attackers, CISOs and their teams now need to rethink their security strategies with five key things in mind.
Five tips for combating credential-based attacks
The first step is to acknowledge that anyone and everyone in the organisation is a potential target. Continuously educating staff about the risks, including phishing attacks, therefore needs to be a top priority. This includes ensuring that people understand that phishing emails can appear to come from any source, including internal services, trusted colleagues, and family and friends. Alongside alerting workers to work-related risks, teaching people how to spot phishing attempts will help keep them more secure in their personal lives too.
Next, security teams need to acknowledge that adversaries are highly creative and constantly adapt their approach. Alongside using platforms such as LinkedIn and other social media to identify employees and target their personal email accounts, they keep an eye on sites such as Glassdoor to identify unhappy employees they can approach to buy their credentials. Threat actors are also not beyond making direct approaches to employees, offering to pay for their login information or for the ongoing approval of MFA prompts.
Understanding that every cyberattack will involve credentials at some point is also crucial. Having gained the all-important initial access to networks, attackers will look to escalate their privileges in order to obtain access to sensitive customer and financial data as well as trade secrets.
Accepting that attackers will penetrate the organisation's networks, no matter what, is another must-have mindset. One of the biggest cybersecurity lessons from the LAPSUS$ attacks in 2022 was that, even following a big attack, many businesses are left unaware they have been breached. With that in mind, CISOs and their teams need to double down on detecting attacks at speed to minimise damage. Old-school methods of using security information and event management (SIEM) platforms to sift through an avalanche of alerts are no longer adequate for detecting the adversaries that will inevitably get in. What is needed is an approach to threat detection that can quickly identify threat actors using legitimate credentials to gain access to corporate services or assets.
Detecting compromised credential use to outsmart bad actors
The good news is that today's leading detection systems combine machine learning (ML) with user and entity behaviour analytics (UEBA) to baseline normal behaviour for every user, device, and peer group. This means anomalous behaviour that is indicative of a compromised account can be detected automatically and security teams alerted, regardless of the specific technique the attacker used to obtain the credentials.
For example, 20 failed login attempts in a matter of minutes could equally indicate a credential stuffing attack or simply a legitimate user who has forgotten their password. A modern UEBA platform compares that burst against the baseline held in its ML models and generates a risk score for the activity, then raises it to the SOC only if other behaviour seen from that user or endpoint (a success from a device or location the user has never used, say) pushes the score past a threshold. This means compromised credential use, and ultimately potential incidents, can be caught automatically earlier in the attack chain, saving analysts hours of painstaking work hunting for the right needle in a haystack that is itself full of needles.
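To make the risk-scoring idea concrete, here is a small added example (not code from the original article or from any vendor's product) of UEBA-style scoring over constructed authentication log lines. It baselines each user's known countries, devices and daily failure counts, scores a new window of events against that baseline, and escalates only when a failure burst is combined with a success from an unfamiliar source. The log format, the field names, the indicator weights and the tier thresholds are all assumptions chosen for illustration; a real platform learns the weights and holds far richer baselines.

```python
"""Toy UEBA-style risk scoring for login events (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed "normal" history for two users. Format (an assumption):
#   timestamp user result country device
BASELINE_LOG = """\
2023-03-01T09:02:11 alice success GB laptop-a1
2023-03-01T17:45:09 alice success GB laptop-a1
2023-03-02T08:58:03 alice failure GB laptop-a1
2023-03-02T08:58:20 alice success GB laptop-a1
2023-03-03T09:10:44 alice success GB phone-a2
2023-03-04T09:01:12 alice success GB laptop-a1
2023-03-01T10:12:00 bob success GB desktop-b1
2023-03-02T10:15:32 bob failure GB desktop-b1
2023-03-02T10:15:50 bob failure GB desktop-b1
2023-03-02T10:16:04 bob success GB desktop-b1
2023-03-03T10:09:11 bob success GB desktop-b1
2023-03-04T10:11:27 bob success GB desktop-b1
"""


def parse(log_text):
    """Turn the constructed log lines into event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, result, country, device = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "country": country, "device": device})
    return events


def build_baseline(events):
    """Per-user profile: known countries and devices, plus failures per active day."""
    profiles = defaultdict(lambda: {"countries": set(), "devices": set(),
                                    "daily_failures": defaultdict(int)})
    for e in events:
        p = profiles[e["user"]]
        p["countries"].add(e["country"])
        p["devices"].add(e["device"])
        # Days with only successes are recorded as 0 so the baseline is not skewed.
        p["daily_failures"][e["ts"].date()] += 1 if e["result"] == "failure" else 0
    return profiles


def failure_zscore(profile, peer_profiles, observed):
    """How unusual `observed` failures are versus the user's own history.
    Falls back to the peer group's spread when the user's history is too flat."""
    own = list(profile["daily_failures"].values())
    peer = [v for p in peer_profiles for v in p["daily_failures"].values()]
    mu = mean(own) if own else (mean(peer) if peer else 0.0)
    sigma = pstdev(own) if len(own) > 1 else 0.0
    if sigma < 1e-9:
        sigma = pstdev(peer) if len(peer) > 1 else 1.0
    if sigma < 1e-9:
        sigma = 1.0
    return (observed - mu) / sigma


def score_window(user, window, profiles):
    """Score a window of events for one user. Returns (score 0-100, reasons)."""
    p = profiles[user]
    peers = [v for k, v in profiles.items() if k != user]
    score, reasons = 0, []
    failures = [e for e in window if e["result"] == "failure"]
    successes = [e for e in window if e["result"] == "success"]

    z = failure_zscore(p, peers, len(failures))
    if z > 3:  # threshold is an assumption
        score += 30
        reasons.append(f"{len(failures)} failures in window (z={z:.1f})")

    unfamiliar_success = False
    for e in successes:
        if e["country"] not in p["countries"]:
            score += 30
            reasons.append(f"success from new country {e['country']}")
            unfamiliar_success = True
        if e["device"] not in p["devices"]:
            score += 20
            reasons.append(f"success from new device {e['device']}")
            unfamiliar_success = True

    # Failures alone look like a forgotten password; a burst that ends in a
    # success from somewhere the user has never logged in from does not.
    if z > 3 and unfamiliar_success:
        score += 20
        reasons.append("failure burst followed by success from unfamiliar source")
    return min(score, 100), reasons


def tier(score):
    """Map a score to the alerting tier (thresholds are assumptions)."""
    return "high" if score >= 60 else "medium" if score >= 30 else "low"


def constructed_window(user, n_failures, fail_src, success_src=None):
    """Build a constructed burst: n failures ten seconds apart, then an optional success."""
    base = datetime(2023, 3, 5, 9, 0, 0)
    evs = [{"ts": base + timedelta(seconds=10 * i), "user": user, "result": "failure",
            "country": fail_src[0], "device": fail_src[1]} for i in range(n_failures)]
    if success_src:
        evs.append({"ts": base + timedelta(seconds=10 * n_failures), "user": user,
                    "result": "success", "country": success_src[0], "device": success_src[1]})
    return evs


if __name__ == "__main__":
    profiles = build_baseline(parse(BASELINE_LOG))
    forgot = constructed_window("alice", 20, ("GB", "laptop-a1"))
    stuffed = constructed_window("alice", 20, ("NL", "vps-x9"), ("NL", "vps-x9"))
    for label, window in (("forgotten password", forgot), ("stuffing + success", stuffed)):
        s, why = score_window("alice", window, profiles)
        print(f"{label}: score={s} tier={tier(s)} reasons={why}")
```

The two windows at the bottom are the article's example: the same 20 failures score "medium" on their own, which is worth a low-priority ticket at most, and "high" only when they are followed by a success from a country and device alice has never used. The peer-group fallback in failure_zscore is what lets the check work for a new joiner with almost no history of their own.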
Traditionally, security measures relied on 'knowing' the threat before it hit. Whether that meant virus signature files, correlation rules, firewall rules, or allow lists, they all worked to fend off the 'known bad'. But threat actors are constantly evolving, and relying solely on previously identified forms of attack leaves a blind spot around the unknown, the 'zero-day threat' bogeyman that organisations have feared for the past 20 years.
By understanding what normal behaviour looks like for each user and device, and therefore being able to detect abnormal behaviour, security teams no longer depend on continuously hand-writing rules or updating signature files to catch each new technique. Signatures and rules still have their place for the known bad; the behavioural baseline covers the credential misuse that those controls cannot see.
Similarly, frameworks such as MITRE ATT&CK describe the tactics and techniques attackers use, rather than the specific files executed or tools used. Organisations can map their detections to ATT&CK and feed observed techniques back to it, giving them a shared, up-to-date overview of current attack methodologies and vectors regardless of the specific malware or ransomware family or APT group involved.
With abnormal credential usage representing the best, and often only, chance to catch and stop adversaries in their tracks, organisations that pair next-generation SIEM platforms with modern UEBA will be those best equipped to detect compromised credentials quickly and nip credential-enabled attacks in the bud before they cause significant damage.