Credential theft is one of the most common methods cyber criminals use to successfully breach and manoeuvre within a business to steal valuable assets. Here's how to protect yourself and your business.
Stealing credentials is the oldest game in the book and it’s still one of the most effective for cyber criminals. Most breaches involve password theft at some stage of the attack life cycle.
According to the 2016 Verizon Data Breach Incident Report, nearly two-thirds of the breaches analysed were, in some part, the result of stolen credentials. It is easy, fast and effective, making it one of the prevalent tools for attacks against organisations and individuals.
Traditional approaches to stop credential phishing tend to focus on having security researchers build catalogues of bad sites. This tends to focus the problem on the attacks used against individuals, where phishing attempts are sent en masse, making it relatively easy to spot them.
The techniques used to exploit organisations are far more targeted and sophisticated, which make it more difficult for security teams to encounter the sample before the user does.
If a business’ security products do not have any information on a new phishing site, the only recourse is hoping that end user training is enough to prevent the user from entering their credentials.
User awareness is necessary training but imperfect protection for users can make mistakes, and the sites are well crafted and disguised, making it extremely difficult to identify the deception.
Here are five lessons to learn when it comes to credential theft:
1. Nearly every breach uses stolen credentials. According the 2016 Verizon Data Breach Incident Report, 63 per cent of breaches have used stolen credential, and it mentions that the chances of success are 90 per cent with as little as 10 emails.
With such a small number of emails sent to a targeted attack, it becomes very challenging for security researchers to get a hold of a sample before the user clicks the link.
2. General purpose phishing is not targeted phishing. Attacks against consumers aim to gain access to individual bank accounts, and thus there isn’t much discretion on who the victim is. Any victim will do, so the attacker casts a wide net.
In a targeted attack, the attackers who are out to breach an organisation are using more discretion to avoid detection and more sophistication than what’s commonly seen in consumer phishing.
3. Attackers use stolen credentials to access and roam the network, often stealing additional credentials, to finally get to the network resources they are interested in. The process of lateral movement is much easier to accomplish if the attacker appears to be a valid user rather than an intruder, and their activities will not necessarily draw attention from the security team.
This gives the attacker greater chances of success because the risk of getting caught before achieving their goals goes down.
4. It’s hard to stop phishing by just detection and blocking. That’s because that users are allowed to access any site not known to be bad. This means that both trusted sites and net new phishing sites (that have not been catalogued) are treated the same and accessible to users.
Filtering done at the email gateway designed to detect and block are also being circumvented, as attackers are finding new ways to deliver a phishing link using direct messaging through social media or sending the link via SMS, thus entirely skipping the mail gateway.
5. Passwords are still a security problem because organisations struggle to implement replacements. The technologies used to implement secondary authentication factors are often difficult to deploy across all the applications the organisation uses, creating practical limits on how many applications that can be secured.
As a result, passwords remain in common use and thus provide a steady supply of credentials that can be stolen for breaching the organisation.
Businesses should look to implement security technology that can automatically identify and block phishing sites, to prevent users from submitting credentials to phishing sites and to prevent the use of stolen credentials.
Despite the problem being well-known, businesses are still struggling to prevent credential theft and abuse. It’s important for organisations to get on top of this to avoid losing valuable company information, which could seriously jeopardise company operations.
Businesses need to realise the risk of credential theft is changing, and that the attacks combine phases of theft as well as abuse of the stolen credential.
The lethal nature of the targeted attack comes from the lack of co-ordination to stop both sides of the problem, and that organisations must find ways to build prevention across the attack methodology in order to build better defence against these types of threats.
Brian Tokuyoshi is a senior solutions analyst at Palo Alto Networks.