Written by: Vikram Navali, Senior Technical Product Manager

Credentials are critical when it comes to controlling user access, securing an organization’s infrastructure, and safeguarding its assets. Compromised user credentials often serve as an unnoticed entry point into the network. A closer look at how attackers steal credentials using a wide range of techniques, tactics, and procedures (TTPs) helps protect the organization’s information assets and mitigate an attack’s impact.
People use many kinds of credentials every day: usernames and passwords, cloud credentials such as access keys and secret keys, session cookies, and the digital certificates that identify websites. All of them can be stolen. Attackers use modern techniques to steal these credentials and use them against critical assets. As the number of attack vectors grows, credential theft has become more common. According to Verizon’s Data Breach Investigations Report 2020, over 80% of hacking-related breaches involved brute force or the use of lost or stolen credentials. This points to the need for security professionals to understand credential exposures and to protect an organization’s identities as part of a defensive strategy.
Examining several standard techniques attackers use to steal credentials reveals how well an organization’s cyber-hygiene practices are equipped to understand, detect and prevent credential-based attacks.
Phishing is a technique where attackers exert tremendous effort into making illegitimate emails and websites look nearly identical to an organization’s legitimate ones. They then embed these malicious website links in emails sent to hapless users to trick them into providing their usernames and passwords. In many cases, phishing leads to a ransomware attack when the user mistakenly downloads an attachment or clicks on a malicious link that downloads and executes malware onto the system.
Brute-force attacks attempt to guess valid passwords to gain unauthorized access to a network. Attackers systematically try every possible password until they find the correct one.
Password spray attacks attempt to access many accounts (usernames) with several commonly used passwords.
Once attackers compromise an endpoint through phishing, they can obtain usernames and passwords using credential dumping or brute-force techniques. They then use these credentials to access restricted information, move laterally, and install additional malware.
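The brute-force and password-spray attacks described above leave very different shapes in an authentication log: brute force concentrates many failures on one account, while a spray spreads a few failures across many accounts from the same source, and the interesting moment in both is the first success after that run of failures. The following detector, an added example that is not from the original post or from Attivo Networks, runs that logic over a constructed set of login events; the line format, the source addresses and the thresholds (`spray_min_users`, `brute_min_failures`) are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed authentication events (not real logs). 203.0.113.5 tries one
# password across many accounts and finally hits one (spray); 198.51.100.7
# hammers a single account (brute force); 192.0.2.9 is a user mistyping once.
SAMPLE_LOG = "\n".join(
    [
        "2021-01-10T09:00:01Z src=203.0.113.5 user=alice result=FAIL",
        "2021-01-10T09:00:02Z src=203.0.113.5 user=bob result=FAIL",
        "2021-01-10T09:00:03Z src=203.0.113.5 user=carol result=FAIL",
        "2021-01-10T09:00:04Z src=203.0.113.5 user=dave result=FAIL",
        "2021-01-10T09:00:05Z src=203.0.113.5 user=erin result=FAIL",
        "2021-01-10T09:00:06Z src=203.0.113.5 user=frank result=FAIL",
        "2021-01-10T09:00:07Z src=203.0.113.5 user=grace result=SUCCESS",
    ]
    + [f"2021-01-10T09:01:{i:02d}Z src=198.51.100.7 user=admin result=FAIL" for i in range(12)]
    + [
        "2021-01-10T09:05:00Z src=192.0.2.9 user=alice result=SUCCESS",
        "2021-01-10T09:06:00Z src=192.0.2.9 user=alice result=FAIL",
        "2021-01-10T09:06:30Z src=192.0.2.9 user=alice result=SUCCESS",
    ]
)

# Assumed line format for this example; a real deployment would parse its own
# identity provider or SSH/Windows logon events instead.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str        # "password_spray" or "brute_force"
    source: str      # source address the failures came from
    users: tuple     # distinct accounts that saw failures from this source
    failures: int    # total failed attempts from this source
    succeeded: tuple # accounts that logged in after failures from this source


def parse(log_text):
    """Parse the constructed line format; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(events, spray_min_users=5, brute_min_failures=10):
    """Classify each source by the shape of its failures.

    Spray: failures spread over many accounts (few tries each).
    Brute force: many failures concentrated on one account.
    A success from a source that already had failures is recorded either way,
    because that is the moment a guessed credential becomes a valid one.
    """
    per_src = defaultdict(lambda: {"fails": defaultdict(int), "hits": set()})
    for e in events:
        bucket = per_src[e["src"]]
        if e["result"] == "FAIL":
            bucket["fails"][e["user"]] += 1
        elif bucket["fails"]:
            bucket["hits"].add(e["user"])

    findings = []
    for src, b in per_src.items():
        users = tuple(sorted(b["fails"]))
        total = sum(b["fails"].values())
        hits = tuple(sorted(b["hits"]))
        if len(users) >= spray_min_users:
            findings.append(Finding("password_spray", src, users, total, hits))
        elif any(n >= brute_min_failures for n in b["fails"].values()):
            findings.append(Finding("brute_force", src, users, total, hits))
    return findings


def analyze(log_text=SAMPLE_LOG):
    return detect(parse(log_text))


if __name__ == "__main__":
    for f in analyze():
        print(f"{f.kind:15s} from {f.source}: {f.failures} failures over "
              f"{len(f.users)} account(s); logins after failures: {f.succeeded or 'none'}")
```

The source that mistypes once and then logs in is deliberately left alone: it never crosses either threshold, which is what keeps this kind of rule from paging on ordinary user error. In practice the thresholds belong in a sliding time window, and the `succeeded` field is the one worth alerting on first, since it names the account whose credential is now in the attacker's hands.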
To combat this, Attivo Networks provides extensive visibility into in-network attack activity across any attack surface, whether on-premises, in the cloud, or at remote locations. The Endpoint Detection Net (EDN) suite’s ThreatStrike component provides comprehensive detection for credential-based attacks that evade traditional anti-virus and other perimeter defenses. The EDN ThreatPath component can also reduce the attack surface by identifying the paths an attacker would use to reach their targets, as well as local and shadow admin accounts on endpoints.
With the advent of cloud deployment, an organization’s IT resources are geographically distributed. Organizations must provide seamless and secure access to any server infrastructure that moves from on-premises to the cloud. This fundamental shift in the IT landscape to the cloud poses a security threat to an organization’s resources.
As per the State of DevSecOps – Summer 2020 report, researchers noticed that some emerging cloud practices are creating exposures. Despite the availability of popular tools such as HashiCorp Vault and the AWS Key Management Service (KMS), they found hardcoded private keys in 72% of deployments. Specifically, one in two cloud deployments had unprotected credentials stored in container configuration files. Unauthorized users could use these keys and credentials to gain access to sensitive cloud resources.
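The exposure described above, private keys and cloud credentials hardcoded in container configuration files, is one that a deployment pipeline can catch before anything ships. The scanner below is an added example, not code from the original post, from Attivo Networks or from the cited report; it runs a few pattern rules over constructed sample files (the AWS values are the placeholder credentials AWS uses in its own documentation, and the PEM body is fake) and masks every hit so the report itself does not re-leak the secret. The rule names, file names and match patterns are assumptions chosen for the example.

```python
import re

# Constructed sample files (not from any real deployment). The AWS values are
# AWS's documented placeholder credentials and the PEM body is fake; they are
# here only so the scanner has something to find.
SAMPLE_FILES = {
    "docker-compose.yml": (
        "services:\n"
        "  api:\n"
        "    image: example/api:1.0\n"
        "    environment:\n"
        "      - AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "      - AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "      - DB_PASSWORD=${DB_PASSWORD}\n"  # injected at runtime: acceptable
    ),
    "Dockerfile": (
        "FROM python:3.11-slim\n"
        "ENV API_TOKEN=\n"                       # empty, set at deploy time: acceptable
        "COPY deploy_key.pem /root/.ssh/id_rsa\n"
    ),
    "deploy_key.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEAconstructedfakekeymaterial\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

# Each rule is (name, pattern). Where a pattern has a "val" group, only that
# value is reported (masked); otherwise the whole match is.
RULES = [
    # AWS access key IDs have a fixed prefix and length, so they match precisely.
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    # PEM private key headers, whichever key type.
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----")),
    # NAME=value / NAME: value where the name looks secret-bearing and the value
    # is literal (an 8+ character token not starting with '$', so variable
    # references such as ${DB_PASSWORD} and empty values are not flagged).
    ("secret_assignment", re.compile(
        r"(?i)\b[A-Z_]*(?:SECRET|PASSWORD|PASSWD|TOKEN)[A-Z_]*\s*[=:]\s*['\"]?(?P<val>[^\s'\"$]{8,})")),
]


def mask(value, keep=4):
    """Show only a short prefix so the finding can be triaged without exposing the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_text(name, text):
    """Return one finding per (line, rule) hit in a single file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m:
                secret = m.group("val") if "val" in m.groupdict() else m.group(0)
                findings.append({"file": name, "line": lineno, "rule": rule, "masked": mask(secret)})
    return findings


def scan_files(files):
    """Scan a {filename: contents} mapping; a real run would walk the repository."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['masked']}")
```

The two lines the scanner leaves alone are the point of the `secret_assignment` rule: `${DB_PASSWORD}` is a reference resolved from a secrets manager at runtime and `API_TOKEN=` is empty, so both are the pattern the cited report recommends over hardcoding. Wiring `scan_files` into a pre-commit hook or CI step fails the build on the three real hits while letting that pattern through.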
The Attivo ThreatDefend platform gives customers the ability to deny, detect, and derail advanced threats in AWS, Azure, Google Cloud, OpenStack, and Oracle Cloud deployments.
Attackers can also activate backdoors to gain remote access and steal credentials, such as in the recent SolarWinds attack, where suspected nation-state actors planted a backdoor in the software updates for the SolarWinds Orion platform. Attackers compromised credentials through on-premises network intelligence and moved laterally. They also compromised SAML token keys to access the organization’s cloud applications and critical assets.
Compromised user credentials often serve as an entry point into an organization’s network and its information assets. It is a misconception that applying security policies for password length and complexity requirements will do enough to protect cloud credentials. Cybercriminals use a variety of methods to steal credentials. Detecting attempts to steal or reuse cloud credentials can rapidly reduce exploitation time. Organizations can reduce the risk to their cloud resources by deploying the EDN ThreatStrike solution and creating cloud baits such as deceptive logins and access keys on endpoints.
For additional information, please visit https://attivonetworks.com/solutions/threat-detection/cloud/.