The Pandemic of Credential-based Cyberattacks

The first half of 2020 is barely in the history books, and it is safe to assume that most business leaders are eager to close this chapter. Globally, there remains plenty of concern about the overall health crisis, as well as the economic impact from the COVID-19 pandemic. Within this broader backdrop, cybersecurity leaders will need to step forward with conviction to protect one of the most essential elements of information security—the username and password (“credentials” for most InfoSec practitioners).

Indeed, while the world tries to get its footing during unprecedented changes, credential-based cyberattacks are on the rise as malicious actors have already adapted and taken a new foothold in our post-pandemic world. With the accelerating digital transformation underway, cloud technologies help to ease the abrupt transition to a remote-first business model, allowing workers to access mission-critical business applications and data. However, in truth, for many businesses, remote working and cloud access have also ushered in new cybersecurity exposures and operational disruptions.

DevOps Connect:DevSecOps @ RSAC 2022

It is important to remember that some cybersecurity exposures present themselves in the psychological arena. Malicious actors have capitalized on people’s fears related to the coronavirus, spreading conspiracy theories and other misinformation using the passwords and email accounts compromised online and belonging to groups working to fight COVID-19. The credentials belonged to users in the U.S. National Institutes of Health, the World Health Organization, the U.S. Centers for Disease Control and Prevention (CDC) and the Gates Foundation, among others. Unfortunately, cybercriminals know their Churchill quotes—“Never let a good crisis go to waste,” for one.

For business leaders, the ground is anything but stable and revolves around two distinct fronts. As sheltering at home continues, many wonder if remote work will continue indefinitely as our “new normal.” For other organizations, planning is underway for a return to traditional work environments such as office buildings and manufacturing plants. For most, it is actually a hybrid approach. IT and security teams are on high alert and stretched thin for this two-front war, hoping to detect and prevent attempted attacks by cybercriminals, who remain poised to take advantage of operational fluctuations and general uncertainties.

We see the evidence in a recent string of high-profile, credential-based cyberattacks on companies including Twitter, gaming giant Nintendo, passenger rail company Amtrak, domain registrar GoDaddy and even the U.S. Department of Justice (DoJ), all of which emphasize the inherent value that persists in the usernames and passwords we use. For the most part, individual hackers and hacker groups are after a payday; as a presumed member of one group shared, it’s “not too hard” to steal credentials from companies, and is an “easy way to make money.”

Verizon’s “2020 Data Breach Investigations Report” confirms the get-rich-quick scheme, citing a whopping 80% of breaches (that include hacking) are due to brute force or use of lost or stolen credentials. If bad actors are able to break into just one privileged account, it unlocks a treasure trove of sensitive data and allows lateral movements around the enterprise network. Just as a single COVID-19 case in a community can have devastating consequences for everybody, so too is the case with just one set of compromised credentials within any organization.

A web conferencing company also experienced a credential-stuffing attack when hackers attempted to exploit the company’s ubiquitous popularity for connecting from home during the COVID-19 pandemic. The hackers took advantage of users’ poor password habits such as not changing passwords after a breach on other websites, not instituting multi-factor authentication methods and reusing passwords on multiple websites. The stolen credentials were later sold for profit on the dark web.

When it comes to securing web conferences and other applications, users can secure access to associated accounts by logging on with an SSO/identity and access management (IAM) platform.

Credential-stuffing campaigns, among other cyberthreats, can easily translate to increased risk for enterprise companies, due to the likelihood that an employee is among impacted users. The cybercriminals could use a person’s corporate credentials to access that user’s more sensitive work-related accounts. The most seasoned and well-resourced security teams can easily become overwhelmed by the volume of organizational alerts they receive in a single day. Given that level of complexity and combining it with the inherent challenges of detecting credential-based attacks, since attackers are impersonating legitimate users, this creates an environment that is devoid of control and trust.

To protect the company against these types of attacks, IT organizations must shift the overall enterprise security strategy and give swift priority to the remediation of incidents that involve user credentials. A recommended approach is to closely monitor user behaviors, which provides the necessary visibility required to restore the broken trust and react in real-time to protect all user accounts. This includes the ability to detect using behavioral characteristics when malicious events have occurred.

Further reducing credential-stuffing risks means that organizations should also invest time to continue educating employees on good password hygiene and industry best practices. Some examples, in addition to what has already been shared, include using passphrases instead of passwords, observing proper web security by avoiding hyperlinks of unknown origin and not co-mingling business email accounts with personal email and correspondence.

Finally, companies should proactively evaluate and update network security capabilities to bolster protections for company data, especially now with a broadly distributed workforce that is working from home. There are many factors in these circumstances that introduce risks, including employees using sub-par security on home networks or sharing corporate devices with family members for other purposes, such as connecting to school or public Wi-Fi networks. These behaviors open the door to increased malware or phishing incidents or data exfiltration and privacy violations. Therefore, a security stack that includes behavioral analytics, data loss prevention and IAM is a strong start to better protecting all company information across any network.

World leaders are still finding their way to respond to the COVID-19 health pandemic and the associated economic turmoil. However, for cybersecurity leaders, the path is clearer. These aforementioned steps outline a known and proven playbook for responding to the rise in high-risk, credential-based cyberattacks.

Featured eBook
The Dangers of Open Source Software and Best Practices for Securing Code

The Dangers of Open Source Software and Best Practices for Securing Code

More and more organizations are incorporating open source software into their development pipelines. After all, embracing open source products such as operating systems, code libraries, software and applications can reduce costs, introduce additional flexibility and help to accelerate delivery. Yet, open source software can introduce additional concerns into the development process—namely, security. Unlike commercial, or ... Read More
Security Boulevard

Grant McCormick

Grant McCormick is CIO at security management firm Exabeam and has vast experience leading high-growth companies’ technology programs. Prior to Exabeam, he served as CIO at Imperva, Sun Microsystems, MySQL Inc., Qualys and Verity.

grant-mccormick has 1 posts and counting.See all posts by grant-mccormick