Stolen Credential Attack Threat Vector

What is a Stolen Credential Attack

Stolen credential attacks occur when an attacker gains access to the network, steals cached credentials from an endpoint they have infected and then uses those stolen credentials to mount persistent attacks. Attackers then spread laterally within the organization until they get access to the “crown jewels” they are after and exfiltrate their catch.

  • As threat actors move deeper into the network, their movements and methods become difficult to detect especially when they utilize Windows features and tools typically used by IT administrators. Once administrative privileges are gained, threat actors’ activities can go undetected and often become untraceable.
  • In order to move laterally within the breached network and remain persistent without being detected, attackers obtain information like network hierarchy, services used in the servers, and operating systems. Attackers also check the host naming conventions to easily identify which specific assets to target. They can utilize this information to map the network and acquire intelligence about their next move.
  • The next step is to gather login credentials. Attackers will use keyloggers, ARP spoofing and hooking tools, “Pass-the-Hash” and other methods to obtain credentials.
    • Hooking tools use hook functions related to password authentication
    • ARP spoofing tools sniff conversations between two or more systems in a network packet
    • Pwdump gets password hashes from the Windows registry
    • Other tools used are Windows Credential Editor (WCE), Mapiget, Lslsass, Gsecdump and CacheDump.
    • A technique called “pass-the-hash” uses a hash instead of a plaintext password in order to authenticate and gain higher access
    • Brute force attacks, which is simply guessing passwords through a predefined set of passwords
  • With their newly acquired credentials, threat actors can now move laterally within the network and widen their control. Administrators typically only check failed logins giving attackers time to remotely access desktops and gather domain credentials to log in systems, servers, and switches.
  • Since blacklisting and typical AV signature-based solutions won’t mitigate the risks of targeted attacks at this particular stage, enterprises need an advanced threat protection platform at this stage that can detect zero-day malware, malicious communications, and attacker behaviors that are invisible to standard security defenses. Many organizations have tried detection and monitoring and sandboxes and are now turning to deception-based detection to detect the use of stolen credentials and attacks inside the network that have bypassed other security systems.
  • The final step is exfiltration. To prevent data exfiltration, administrators will typically create strict IT controls for both physical and digital security. Such controls may include the use of data leak prevention (DLP) products to inspect and/or deny egress traffic from carrying unauthorized content beyond the perimeter of the enterprise and policies for role-based access control (RBAC), encryption, consumerization and password hardening.
  • Despite all of the efforts that administrators make, attackers are still able to find ways into organizations and steal company and employee information. The value of stolen information is rising as is the number of cyber attacks. For this reason, organizations are actively turning to deception-based threat detection solutions to help quickly know if and when attempts at lateral movement and exfiltration are occurring.

Attivo for Stolen Credential Attacks

  • The Attivo ThreatStrike Endpoint Solution provides a customizable and non intrusive technology that identifies targeted attacks to detect infected endpoints, infected servers/VMs, and stolen credentials
  • With Attivo, organizations will only receive positive alerts that identify infected devices that are attempting to use false credential bait that Attivo has planted to deceive attackers
  • Integration with SIEMs allows the ability for queries for failed attempts, logged based on the use of Attivo baited false credentials. Infected systems can then be identified for malware removal
  • Attivo threat intelligence gathered from these attacks, can also be used to update signatures on firewalls to shut down current and defend against further attacks

The Attivo ThreatStrike Endpoint Solution works in conjunction with the Attivo BOTsink Solution to provide an authentic, high-efficacy way for organizations to identify hacker attempts in real-time and to stop the attack before company information or employee credentials can be exfiltrated.