How to Thwart an Attacker’s Attempt to Compromise Credentials and Move Around a Network
In the past year, we have seen numerous publicly traded corporations (Marriott and T-Mobile), airlines (Cathay Pacific and Delta), and tech companies (Facebook and Google+) all breached because of some type of insider threat or compromised credentials. So, it’s no surprise that insider threats and preventing credentials compromise are growing concerns for organizations.
While it’s impossible to guarantee the complete security of any organization, with the proper knowledge of how cybercriminals are breaking in, we can better arm ourselves with the right processes, tools, and policies to reduce risk and make it extremely difficult for attackers to get inside the network.
In this blog, let’s take a closer look at credential theft: the top methods cybercriminals use to compromise credentials and move laterally inside the network, and the steps organizations can take to reduce their risk.
Once attackers have chosen their victim, they look for the most efficient path into the network. It could be an exposed or misconfigured SSH service, a lapse in anti-virus updates, or a weak spot at any third party that works with the organization. Last year, attackers accessed 1.5 million healthcare records (including the Singapore prime minister’s) via compromised credentials. The subsequent investigation found weak passwords across the board, including one local administrator account using the password “P@ssw0rd”.
Here are the top three ways credentials can be compromised:
- Reusing credentials: People often reuse their passwords both outside and inside the company to avoid having to remember multiple passwords. Once attackers obtain credentials from one breach, it’s only a matter of time before they try them against other targets (credential stuffing). Logins and passwords from breaches are sold openly in large batches and are in turn tested against a wide range of new targets.
- Using unsecured computers: Logging in to email or other personal accounts from an unmanaged or shared computer, which may be running a keylogger or other credential-stealing malware, can result in credential theft.
- Using unsecured networks: People love free WiFi, and it’s everywhere – airports, restaurants, coffee shops, libraries, hospitals – but unfortunately so are attackers looking for prey. Users should be careful about sending sensitive information over a public WiFi network, where they can be subjected to a man-in-the-middle attack and have their credentials captured.
What happens after cybercriminals breach the network? Once inside, they look for opportunities for lateral movement, so they can move around more easily to reach what they are looking for. They hunt for assets or accounts that provide sensitive information or higher privileges. Preempt research finds that most organizations (72 percent) have stealthy (shadow) administrators, while one in three networks has exposed passwords.
Here are five areas that cybercriminals focus on to gain lateral movement:
- Active Directory: Malicious actors can brute-force or password-spray accounts against Active Directory to obtain valid user credentials.
- Privileged Accounts: Privileged accounts that belong to IT teams are highly desirable for attackers, because that access can be used to compromise the rest of the network.
- VIP Credentials: Attackers look for credentials that could gain them access to assets storing sensitive data (Executives, HR, Finance, Legal, Customers).
- Stale Accounts: Stale accounts that nobody is paying attention to are easy targets.
- Password Hashes: Password hashes cached or stored on a local machine can be extracted and reused by attackers (for example, in a pass-the-hash attack) to gain access to that machine, as well as to any other machine where the same account is used, which is common practice for IT teams.
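The Active Directory bullet above is the one most organizations can detect from logs they already have. The script below is an added example (not code from the original post or from Preempt): it parses constructed Windows 4625 logon-failure lines in a simplified key=value layout that mirrors the event’s TargetUserName, IpAddress and SubStatus fields, and separates a password spray (one source, many accounts, one or two tries each) from a classic brute force (one source, one account, many tries). The window and count thresholds are assumptions to tune for your environment.

```python
"""Password-spray vs. brute-force detection over Windows 4625 logon-failure events.

Added example, not code from the original post. The log lines are constructed
for illustration; the thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. SubStatus 0xC000006A = bad password,
# 0xC0000064 = no such account; an attacker generates both.
SAMPLE_LOG = [
    # Spray: 10.0.0.5 tries ONE password against ten different accounts,
    # staying far below any per-account lockout threshold.
    "2019-04-18T02:00:01 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 SubStatus=0xC000006A",
    "2019-04-18T02:00:03 EventID=4625 TargetUserName=bob IpAddress=10.0.0.5 SubStatus=0xC000006A",
    "2019-04-18T02:00:05 EventID=4625 TargetUserName=carol IpAddress=10.0.0.5 SubStatus=0xC000006A",
    "2019-04-18T02:00:07 EventID=4625 TargetUserName=dave IpAddress=10.0.0.5 SubStatus=0xC000006A",
    "2019-04-18T02:00:09 EventID=4625 TargetUserName=erin IpAddress=10.0.0.5 SubStatus=0xC000006A",
    "2019-04-18T02:00:11 EventID=4625 TargetUserName=frank IpAddress=10.0.0.5 SubStatus=0xC000006A",
    "2019-04-18T02:00:13 EventID=4625 TargetUserName=svc_bak IpAddress=10.0.0.5 SubStatus=0xC0000064",
    "2019-04-18T02:00:15 EventID=4625 TargetUserName=grace IpAddress=10.0.0.5 SubStatus=0xC000006A",
    "2019-04-18T02:00:17 EventID=4625 TargetUserName=heidi IpAddress=10.0.0.5 SubStatus=0xC000006A",
    "2019-04-18T02:00:19 EventID=4625 TargetUserName=ivan IpAddress=10.0.0.5 SubStatus=0xC000006A",
    # Benign: alice mistypes her own password twice from her workstation.
    "2019-04-18T02:05:00 EventID=4625 TargetUserName=alice IpAddress=10.0.1.20 SubStatus=0xC000006A",
    "2019-04-18T02:05:10 EventID=4625 TargetUserName=alice IpAddress=10.0.1.20 SubStatus=0xC000006A",
    # A successful logon (4624) must be ignored by the parser.
    "2019-04-18T02:06:00 EventID=4624 TargetUserName=bob IpAddress=10.0.1.21",
] + [
    # Brute force: 10.0.0.9 hammers the single account "admin" every 2 seconds.
    "2019-04-18T02:10:%02d EventID=4625 TargetUserName=admin IpAddress=10.0.0.9 SubStatus=0xC000006A" % s
    for s in range(0, 30, 2)
]


def parse_event(line):
    """Return (timestamp, user, source_ip) for a 4625 line, or None otherwise."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    if kv.get("EventID") != "4625":
        return None
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return stamp, kv["TargetUserName"].lower(), kv["IpAddress"]


def classify_failures(lines, window=timedelta(minutes=10),
                      spray_min_accounts=8, spray_max_per_account=3,
                      brute_min_failures=10):
    """Map source IP -> 'password-spray' or 'brute-force' for every source whose
    failures inside some sliding window fit one of the two shapes.

    Keying on the SOURCE rather than the account is the point: a sprayer keeps
    each account under the lockout threshold, so per-account counters never trip.
    """
    by_source = defaultdict(list)
    for line in lines:
        parsed = parse_event(line)
        if parsed:
            stamp, user, ip = parsed
            by_source[ip].append((stamp, user))

    verdicts = {}
    for ip, records in by_source.items():
        records.sort()
        start = 0
        for end in range(len(records)):
            # Slide the left edge forward until the window spans at most `window`.
            while records[end][0] - records[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in records[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= spray_min_accounts
                    and max(per_user.values()) <= spray_max_per_account):
                verdicts[ip] = "password-spray"
                break
            if max(per_user.values()) >= brute_min_failures:
                verdicts[ip] = "brute-force"
                break
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_failures(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

Two caveats a practitioner should keep in mind: a spray distributed across many source addresses will not be caught by a per-source view, so pair this with a second query that counts distinct accounts failing across all sources in the same window; and 4625 events are logged on the machine that rejected the logon, so for domain accounts you need the domain controllers’ logs (or 4771/4776 Kerberos and NTLM failures) centralized, not just workstation logs.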
What can an organization do to defend itself? As we have seen, cybercriminals are crafty. If you close the door, they’ll come in the window. If you close the window, they will try to come in through the chimney or a vent. It’s important for organizations to continually look for ways to reduce the risk of credential compromise.
What can you do to better defend your organization? Here are 8 tips:
- Utilize a modern approach to authentication: Implementing Conditional Access ensures that assets and sensitive resources can be accessed only by valid users, and preempts threats in real time based on identity, behavior, and risk.
- Control network and physical access to Domain Controllers.
- Keep track of and monitor the activities of Privileged Accounts.
- Look for anomalies in user behavior.
- Keep track of the accounts of employees leaving the company to reduce stale accounts.
- Keep track of and monitor third-party contractors’ accounts and privileges.
- Implement complex password policies, screen new passwords against known-weak and breached password lists, and regularly check for weak passwords (for an enterprise health assessment, try our powerful, free-to-use Preempt Lite).
- Provide security training and feedback to employees.
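The password tip above deserves a concrete check, because the “P@ssw0rd” from the healthcare breach earlier in this post satisfies a typical Windows complexity policy (length, plus three of four character classes). The script below is an added example, not code from the original post or from Preempt Lite: it applies the complexity rule, then normalizes a candidate password the way an attacker’s wordlist rules do (lowercase, strip a trailing year or symbol, undo common leet substitutions) and compares it against a denylist. The denylist, the substitution table and the organization name “contoso” are constructed assumptions; in production the denylist would be a real breached-password corpus.

```python
"""Weak-password audit: complexity rules alone let "P@ssw0rd" through.

Added example, not code from the original post or from Preempt Lite. The
denylist, substitution table and organisation name are constructed assumptions.
"""
import re

# Constructed denylist: common base words plus the (hypothetical) org name.
DENYLIST = {"password", "welcome", "summer", "winter", "qwerty",
            "letmein", "changeme", "contoso"}

# Substitutions users apply to satisfy complexity rules; attackers undo them.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "$": "s", "5": "s",
                      "1": "i", "!": "i", "3": "e", "7": "t", "|": "l"})

# Characters typically appended to a base word ("Summer2019!", "Welcome1").
TRAILING = "0123456789!@#$%^&*()_-+=.?"


def meets_complexity(password, min_length=8):
    """Windows-style rule: minimum length and at least 3 of 4 character classes."""
    classes = [re.search(r"[A-Z]", password), re.search(r"[a-z]", password),
               re.search(r"[0-9]", password), re.search(r"[^A-Za-z0-9]", password)]
    return len(password) >= min_length and sum(1 for c in classes if c) >= 3


def normalize(password):
    """Reduce a password to the base word a cracking wordlist would contain."""
    core = password.lower().rstrip(TRAILING)
    return core.translate(LEET)


def is_weak(password, denylist=DENYLIST):
    """True if the normalized password is built on a denylisted word."""
    core = normalize(password)
    if len(core) < 4:          # nothing but digits/symbols once stripped
        return True
    return any(word in core for word in denylist)


def audit_password(password, username="", denylist=DENYLIST, min_length=8):
    """Return the list of findings for one password (empty list = passes)."""
    findings = []
    if not meets_complexity(password, min_length):
        findings.append("fails complexity")
    if username and username.lower() in password.lower():
        findings.append("contains username")
    if is_weak(password, denylist):
        findings.append("matches weak/breached list")
    return findings


if __name__ == "__main__":
    # "P@ssw0rd" passes complexity and still fails the audit.
    for user, pw in [("localadmin", "P@ssw0rd"), ("bob", "Summer2019!"),
                     ("alice", "alice123"), ("carol", "vB7#kq2L!xmzR9pw")]:
        print(f"{user}/{pw}: complexity={meets_complexity(pw)} "
              f"findings={audit_password(pw, user)}")
```

This is why NIST SP 800-63B recommends screening new passwords against lists of compromised and commonly used values rather than relying on composition rules: the rules shape how people mangle a weak base word, they do not stop them from using it. In a real deployment, replace DENYLIST with a breached-password corpus and run the same normalization on both sides.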
To learn more about how you can thwart an attacker’s attempts to breach and move around a network, you can read Yaron Zinar’s blog on Disrupting the Cyber Kill Chain: How to Contain Use of Tools and Protocols. You can also take a look at Eran Cohen’s blog on living a healthy digital life to prevent personal credential compromise.
A version of this post previously appeared on the Preempt blog.
Posted by Heather Howland on April 18, 2019 2:56 AM