EXECUTIVE SUMMARY:

More than 60% of cyber security breaches involve stolen credentials and  the consequences of credential theft can be overwhelming. A single set of compromised credentials can lead to network infiltration, ransomware attacks, lost intellectual property, third-party attacks and/or supply chain issues that result in real-world harm.

Remember the Colonial Pipeline incident? It occurred on account of a single stolen password obtained through the dark web.

Organizations aren’t implementing adequate security measures to prevent these kinds of attacks.

Curbing credential theft

The majority of enterprises deploy identity access management (IAM) and privileged access management (PAM) to authenticate user identities. However, these strategies alone aren’t enough. Organizations need to look beyond IAM and PAM to protect the underlying mechanisms that govern identification.

Of these, the most important is Active Directory (AD). Cyber adversaries leverage AD to locate privileged accounts, such as those belonging to domain admins with attractive access levels and usually aim to elevate privileges.

Cyber adversaries have created an array of ways to access and exploit AD; from Golden Ticket attacks to Windows Security Identifier (SID) history injection.

An AD compromise enables intruders to efficiently identify and commandeer a powerful account, such as a domain controller. Once this occurs, target organizations are in trouble. Adversaries then gain unfettered access to central systems and have the ability to obfuscate their tracks in order to maintain a stealthy, persistent presence.

Stepping up your strategy

Is your cyber security strategy prevention-first focused or more defense-first oriented? A defense-only, reactive approach isn’t enough to set your organization on a path to cyber security success. Implement as many layers of cyber security as possible and put your energy into prevention.

Credential theft check-list

These high-level recommendations can help you prevent and mitigate credential theft.

1. Identify high-value assets. Determine which assets are of the greatest import to the business, and prioritize security investments accordingly.
2. Engage in planning exercises. Closely examine how current infrastructure and assets are protected, and consider how to strategically mitigate relevant known and unknown attack types.
3. Investigate every incident. An incident that triggers cyber security detection mechanisms could indicate genuine compromise, or it could be a false positive. Regardless of your gut feeling about an event, investigate it, as that can help prevent similar future occurrences.
4. Apply security to core business systems. Cyber adversaries consistently exploit identities to access the beating heart of a network.
5. To deceive hackers, consider honeypots. Cyber criminals commonly rely on automated tools, such as Bloodhound, to find targets like AD. Criminals aren’t likely to suspect that their tools will fail or that they will be led astray.
6. Educate administrators about effective security best practices and common types of account and privilege-based attacks. Informing and training administrative staff reduces the likelihood of successful credential theft-based infiltration.
7. Remind employees to beware of shoulder surfing. This type of espionage can occur in any public location. It can also occur in an office setting, where an insider may wish to impersonate someone else.
8. Require that employees create strong passwords and use multi-factor authentication. Eighty percent of employees find password management difficult. Fifty-seven percent of the US workforce writes passwords down on sticky notes. A password manager may be helpful for employees.

In conclusion

A single silver bullet solution for credential theft prevention? It doesn’t exist. Take a layered approach – prevent credential theft by implementing a series of both human-focused and technological solutions.

Learn more about credential theft prevention and breach recovery via CyberTalk.org’s past coverage, available here and here.