Credential theft has been on the rise in recent years; more than 80% of hacks are the result of credential theft (most of it coming from successful phishing attempts), according to the 2020 “Verizon Data Breach Investigations Report.” This number could increase in next year’s report, thanks to an increase in remote work and the number of scams surrounding COVID-19.
What makes credential theft so hard to detect is that it looks like legitimate access. There are no vulnerabilities or flaws for the hacker to exploit; they have all the information they need to enter the system. This makes it extremely difficult to distinguish between hackers and legitimate insiders, according to a recent study from Positive Technologies. Another issue is that it now becomes more difficult to determine an insider threat from an outside threat.
The report also found that getting credentials isn’t that difficult. At 61% of the companies, pentesters found at least one simple way to obtain control of infrastructure that would have been feasible even for a low-skilled hacker. Also, the report found:
“[E]xperts noted that legitimate actions that would be unrecognizable from regular user activity accounted for 47 percent (sic) of the actions that allowed pentesters to create an attack vector. These actions included creating new privileged users on network hosts, creating a memory dump of lsass.exe, exporting registry hives, and sending requests to the domain controller. These actions allow hackers to obtain credentials from corporate network users or information required to develop the attack. The risk is that it is hard to differentiate between such actions and the usual activities of users and administrators, making it more likely that the attack will remain unnoticed.”
The Rise of Credential Theft
Although credential theft isn’t new, hackers are turning to it more frequently. That’s because cybercriminals’ interests in stealing accounts has grown dramatically, Ekaterina Kilyusheva, head of the Information Security Analytics Research Group at Positive Technologies, pointed out in an email interview that coronavirus has helped their efforts.
“During the pandemic and the transition to remote work, many companies brought additional services to the perimeter, and hackers have new potential points of entry into their networks,” Kilyusheva said.
And we make it easy for them to gain these points of entry. “Many users reuse their passwords, which means that having received the user’s password to access any service, hackers can try to use the same password to hack another service or to connect to the resources of the corporate network,” she added.
In fact, according to a Harris/Google poll, users continue to practice poor password hygiene, with more than half of users repeating their password over multiple accounts and few of us change our password even when notified of a data breach. People also share passwords loosely, again without changing them after the relationship (whether work or personal) ends. This makes it even easier for hackers to get in.
Finding the Legitimate Threat
But as mentioned earlier, with credential theft, it is difficult to tell the insiders from the outsiders and differentiating them is often a difficult task for the internal security team.
“The problem arises because, during an attack, a criminal can use legitimate tools to connect to endpoints and execute commands—the same tools that administrators use in their work,” Kilyusheva noted. “A large number of operations that provide additional information about the system or allow criminals to develop an attack can be performed using functions built into the OS. In addition, a hacker can compromise a user or administrator account and perform actions on behalf of those users without attracting attention.”
To distinguish a legitimate action from an attack step, she said, you need to understand exactly what is happening in the infrastructure, with careful monitoring of endpoint security events and analysis of network traffic. Each event must be considered in conjunction with other events on the network.
“Determining if the threat is coming from outside or inside the company will help a detailed incident investigation, in which it is necessary to involve experienced experts,” Kilyusheva said. “Security professionals will be able to reconstruct the attack chain and understand what caused it.”