Author: Sue Poremba
As the 2022 Verizon Data Breach Investigations Report (DBIR) points out, credentials are one of the key paths into your infrastructure. Cyber criminals see credentials as a favorite data type to hijack because they can unlock all the doors, allowing criminals to move around your system undetected.
What is credential theft?
Credential theft is a cyber crime involving the information used to authenticate and authorize a user or identity, most commonly usernames and passwords. With stolen credentials, a threat actor has unfettered access to all the victim's account privileges.
How are credentials stolen?
One of the primary ways credentials are harvested is through phishing attacks. Sometimes the threat actor will use the credentials immediately. But just as often, they'll sit on the information and wait until the initial incident has passed, and then attack. Additional ways credentials may be stolen are via malware, vulnerabilities in security defenses, brute-force attacks or credential leaks.
What can an attacker do with credentials?
In a credentials-based attack, the threat actor can take steps to lock the victim out of the account, change passwords and set up multi-factor authentication (MFA), and manipulate data at will. Depending on what access the credentials offer, the cyber criminal may be able to get into any third-party accounts and services and move around an organization's infrastructure undetected. If someone reuses passwords and usernames across multiple accounts, the cyber criminal can gain access to those accounts as well.
There's also a large market for their resale, which means stolen credentials are an easy financial windfall for cyber criminals. This is why stolen credentials have increased by nearly 30% since 2017, making credential theft prevention a cyber security priority.
What is the impact of credential-based attacks?
According to the 2022 DBIR, stolen credentials are the most popular path into an organization, with 50% of all breaches involving this type of attack. Stolen credentials are a popular attack vector to launch ransomware attacks, and they're the primary cause of web application breaches.
Without solid credential theft prevention tools and policies in place, this type of attack puts the organization at risk in numerous ways. Stolen credentials can lead to fraud from account takeover, consumer identity theft, reputational damage and blackmail, to name a few types of crimes. It’s important to act quickly and determine your legal requirements following a breach. The following guidance from the Federal Trade Commission (FTC) can help.
How do third parties increase risk?
Threat actors don't always come directly into your company through an employee's compromised credentials. Credential-based attacks through the supply chain and third-party vendors are becoming increasingly popular.
The 2022 DBIR found that web applications are the most-targeted vector for credential-based attacks. Most companies connect with third-party vendors through remote or web-based access. While this improves productivity and efficiency for organizations, it also opens them up to new risks. Connecting remote devices from third-party sources introduces new opportunities for credential compromise.
If a third-party vendor is the victim of a credential-based attack and is connected to your organization's network, the threat actor could have access to your business infrastructure. This third-party vulnerability has already led to high-profile data breaches and ransomware attacks.
How can you prevent credential theft?
It's difficult to prevent credential-based attacks if you don't understand where your risks are. Do you know where the greatest vulnerabilities are? Do you have unmanaged identities that could act as gateways for credential-based attacks? Do you have policies in place that require unique passwords for each account?
Credential theft prevention is possible, and it begins with basic security best practices. The fewer access points available, the lower the risk of stolen-credential attacks. By deploying least privilege policies, where only those who require access for job functions have permissions, you decrease the number of identities with credentials. This is especially necessary for critical systems and data.
Are there software solutions for credential theft prevention?
Adding software that monitors behavioral patterns can also be useful. Threat actors using stolen credentials often strike at odd hours. If an employee who normally only logs in from 9 a.m. to 5 p.m. during the work week is suddenly accessing databases at 3 a.m., it's likely a sign of credential theft.
IT and security teams should also consider identity and access management tools that not only track user permissions and credentials but will also identify and close the loop on orphaned accounts. Still-active but unused accounts of former employees can lead to credential compromise because no one is paying attention to these credentials. Deactivating these unused accounts can help stop unauthorized access.
Finally, you should track traffic to your website and network to see where it's coming from and what they're doing.
What role do employees have?
Employees should be encouraged to be active participants in protecting their own credentials. That includes regular—or preferably required—use of multifactor authentication on all accounts accessed through the company network, including personal accounts. Biometrics, captcha or anything that requires human interaction should be used in addition to passwords (or preferably zero sign-on passwordless authentication). Employees should also receive regular security awareness training, especially on how to spot phishing accounts and policies around sharing passwords and other credentials.
Putting all of these prevention steps together won't necessarily completely stop credential theft, but it will help to lower the risk.
Learn more about how Verizon's Rapid Response Retainer can help you and your organization get ahead of cyber risk to responsibly and holistically secure data and systems to quickly contain a threat and recover from a breach.
The author of this content is a paid contributor for Verizon.