The Base of Cyber-Attacks: Credential Harvesting

November 8, 2018

Cyber attackers long ago figured out that the easiest way to gain access to sensitive data is by compromising an end user’s identity and credentials. According to the Verizon 2017 Data Breach Investigation Report, 81% of hacking-related breaches leverage either stolen, default, or weak credentials. Often these credentials belong to privileged users, handing cyber adversaries the “keys to the kingdom” along with perfect camouflage for their data exfiltration efforts.

By betting on the human factor and attacking the weakest link in the cyber defense chain, credential harvesting has become the base of most cyber-attacks. Recent reports of a newly detected Smoke Loader infection campaign and the re-emergence of Magecart-based cyber-attacks are perfect examples of this common tactic, used by cyber criminals and state-sponsored attackers alike.

The term “hacker” has even become somewhat obsolete. Attackers no longer hack their way in against sophisticated technology; they log in using our own credentials. Once inside, they settle in and fan out, moving laterally to scan the network and hunt for privileged accounts and credentials. Then they elevate their privileges, extract your company’s most sensitive data and get out, covering their tracks so that you may not know they were even there for months.

A recent Ponemon study found that the average amount of time required to identify a data breach is 197 days, and the average amount of time needed to contain a data breach once it is identified is 69 days.

While credential harvesting is widely used by attackers, what they do with the stolen information can vary greatly. In some cases, the credentials will be used for subsequent attacks where the goal is to gain access to systems or network resources, or they can be monetized by taking over bank accounts or simply selling the information on the Darknet.

4 Steps to Minimize Your Risk of Falling Victim to Privileged Access Abuse

So what steps can businesses take to minimize the risk of falling victim to these credential harvesting campaigns, and avoid privileged access abuse? Here are a few fundamental steps to take:

  1. Anti-Phishing Training: Educating users about the risk of phishing and the characteristics of these attacks is an essential first step.
  2. Discover and Vault: This step starts with discovering and registering all machines you operate in your environment, then vaulting shared, alternate-admin, and service accounts as well as secrets, and establishing a secure admin environment. In addition, enforce session auditing and monitoring.
  3. Identity Consolidation with Least Access and Privilege: Reduce the attack surface by consolidating identities and eliminating local accounts as much as possible, then implement privilege elevation controls as well as a workflow for just-in-time privileged access. One of the lowest-hanging fruits, though, is to implement basic Multi-factor Authentication (MFA) for all privileged users. Since MFA requires multiple methods of identification (something you know, something you have, and something you are), it’s one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. Thus, it should be standard practice for all organizations, especially when it comes to protecting privilege.
  4. Harden Your Environment: The final step involves hardening the environment by air-gapping admin accounts, as suggested by Microsoft’s Enhanced Security Administrative Environment (ESAE) concept. To shut down any dangerous workarounds, employ machine learning-based command monitoring and alerts, use advanced behavioral analytics, and finally add assurance level-3 MFA for your most sensitive environments.
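Steps 2 and 3 above both start with knowing what accounts exist and who is actually using them. The following script is an added example, not part of the original post or of any Centrify product: it audits a constructed host inventory (passwd-style account lists) and a constructed sshd auth log to surface three things a "discover and vault" pass would want to know, namely local accounts that can log in interactively and are unknown to the central directory (consolidation or vaulting candidates), successful logins to shared and service accounts (which should come from a vault checkout rather than a shared password), and a single account authenticating to many hosts in a short period (a simple lateral-movement indicator for session monitoring). The host names, account names, IP addresses and log lines are all constructed sample data, and the `DIRECTORY_USERS` and `SHARED_ACCOUNTS` sets are assumptions standing in for an organization's own directory and vault inventory.

```python
"""Audit a constructed account inventory and auth log for the "discover and
vault" and "consolidate identities" steps: local interactive accounts,
shared-account logins, and one account fanning out across many hosts."""
import re
from collections import defaultdict

# Constructed sample data (assumptions, not from any real environment).
# Accounts the central directory knows about; anything else is a local account.
DIRECTORY_USERS = {"alice", "bob"}
# Shared/service identities that should never be used interactively without a vault checkout.
SHARED_ACCOUNTS = {"root", "admin", "svc-backup"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

PASSWD_BY_HOST = {
    "web01": "root:x:0:0:root:/root:/bin/bash\n"
             "alice:x:1001:1001::/home/alice:/bin/bash\n"
             "svc-backup:x:1002:1002::/var/backup:/bin/sh\n"
             "www-data:x:33:33::/var/www:/usr/sbin/nologin\n",
    "db01":  "root:x:0:0:root:/root:/bin/bash\n"
             "admin:x:0:0:local admin:/root:/bin/bash\n"
             "bob:x:1001:1001::/home/bob:/bin/bash\n",
}

AUTH_LOG = """\
Nov  8 09:12:01 web01 sshd[2211]: Accepted publickey for alice from 10.0.1.20 port 51000 ssh2
Nov  8 09:14:33 web01 sshd[2290]: Accepted password for svc-backup from 10.0.1.44 port 51311 ssh2
Nov  8 09:15:02 db01 sshd[1750]: Accepted password for admin from 10.0.1.44 port 51320 ssh2
Nov  8 09:15:40 db01 sshd[1762]: Accepted password for svc-backup from 10.0.1.44 port 51333 ssh2
Nov  8 09:16:05 fs01 sshd[903]: Accepted password for svc-backup from 10.0.1.44 port 51340 ssh2
Nov  8 09:20:11 web01 sshd[2301]: Failed password for root from 203.0.113.9 port 40022 ssh2
"""

# Matches the standard sshd "Accepted <method> for <user> from <src>" success line.
ACCEPTED_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_passwd(text):
    """Yield (name, uid, shell) for each passwd-style line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        yield name, int(uid), shell

def local_interactive_accounts(passwd_by_host):
    """Local accounts (not in the directory) with a login shell, per host.
    These are the candidates to vault or eliminate; uid-0 aliases such as a
    local 'admin' are caught because the check is on shell, not on name."""
    found = defaultdict(list)
    for host, text in passwd_by_host.items():
        for name, _uid, shell in parse_passwd(text):
            if name in DIRECTORY_USERS or shell in NOLOGIN_SHELLS:
                continue
            found[host].append(name)
    return dict(found)

def parse_accepted(log):
    """Return one dict (host, method, user, src) per successful sshd login."""
    events = []
    for line in log.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def shared_account_logins(events):
    """Logins to shared/service accounts: no per-person accountability, so each
    one should be traceable to a vault checkout and session recording."""
    return [e for e in events if e["user"] in SHARED_ACCOUNTS]

def fan_out(events, min_hosts=3):
    """Accounts that authenticated to at least min_hosts distinct hosts, the
    'fan out' pattern described above; returns {user: sorted hosts}."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    print("Local interactive accounts:", local_interactive_accounts(PASSWD_BY_HOST))
    evts = parse_accepted(AUTH_LOG)
    for e in shared_account_logins(evts):
        print(f"shared account login: {e['user']}@{e['host']} via {e['method']} from {e['src']}")
    print("Fan-out across hosts:", fan_out(evts))
```

In a real environment the inventory would be gathered from the hosts themselves and the directory and vault lists pulled from their APIs; the point of the example is the shape of the checks, not the sample data. The fan-out rule is deliberately crude (a count of distinct hosts per account) so that it stays readable; the behavioral analytics mentioned in step 4 refine exactly this kind of baseline.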

None of this has to be complicated, and Centrify and our partners have years of experience putting together Privileged Access Management solutions in some of the world’s largest and most complex customer environments. Centrify Zero Trust Privilege helps customers grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing least privilege access, Centrify minimizes the attack surface, improves audit and compliance visibility, and reduces risk, complexity, and costs for the modern, hybrid enterprise.

Stealing a valid credential and using it to access a network is easier, less risky, and ultimately more efficient than using an existing vulnerability, even a zero-day. Cyber security defenses need to adapt to this fact. User education and beefing up an organization’s authentication systems are two essential steps that can minimize the risks associated with credential harvesting and subsequent cyber-attacks aimed at data exfiltration.

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.