Cybercriminals are growing more advanced. Many are well-funded, their tactics are increasingly cunning, and more and more of them use modern tools like AI to aid their efforts. So it might surprise many people to learn that one of the most successful tactics employed by cybercriminals remains credential theft. Too many organizations are leaving credentials exposed and easy for attackers to find—and once they fall into the hands of attackers, these credentials make it simple to escalate their attack and move freely throughout the network to find the most valuable data. Fortunately, many InfoSec teams have found that engaging in trickery like deception and concealment can stop credential theft in its tracks.
It’s impossible to overstate just how big the problem of credential theft is. The 2020 Verizon Data Breach Investigations Report (DBIR) indicated that a whopping 80% of hacking-related breaches involve either brute force or stolen credentials—including 77% of all cloud breaches. To make matters worse, a recent study conducted by Digital Shadows found 15 billion stolen credentials available for purchase on Dark Web marketplaces.
Security companies design common perimeter security tools like endpoint protection platforms (EPPs) and endpoint detection and response (EDR) solutions to prevent intruders from entering the network, not to detect credential theft or privilege escalation. EPPs are useful for detecting attackers demonstrating a known threat signature, while EDRs look for suspicious endpoint processes and other unusual activity signs. But once an attacker seeks to move laterally off an endpoint by finding (or stealing) a set of valid credentials, these tools can do very little to detect them—and if the victim lacks in-network protection, there is little to stop the intruder from escalating their attack.
Many recent, high-profile examples drive this point home, including the July 2020 Twitter hack. The attackers obtained VPN credentials by tricking Twitter employees into entering their account information on a fake VPN login page, and VPN issues were commonplace enough that the attackers easily fooled their victims into believing they were members of the IT department. Although the Twitter attack is just one example, it effectively highlights the increased danger of the current situation and the need for effective credential protections.
Since credential theft essentially gives attackers a free pass into the network, protecting those credentials is a high priority for today’s businesses. Fortunately, the cybersecurity industry has recognized the need for stronger in-network protections. Tools like deception and credential visibility technology have made it easier for organizations to find and secure exposed credentials before attackers can compromise them. Cybersecurity professionals can take three important steps to help ensure that their credentials stay out of the hands of attackers:
Knowing where potentially exposed credentials reside on the network is critical, yet most organizations lack such a capability. Fortunately, there are tools available today that grant defenders additional visibility throughout their environment, helping them visualize potential threat paths and detect misused, orphaned, or otherwise at-risk credentials. Since cybercriminals will look to target these exposed credentials, understanding where they are on the network can help defenders anticipate where attackers may look to strike. These visibility tools can also help identify misconfigured systems and other potential vulnerabilities that grant attackers access to the network. Security teams can then take steps to remediate these exposures, reducing the attack surface using the visibility tool’s native capabilities or through other means.
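The kind of visibility check described above can be approximated with a simple inventory scan. The following is an added example, not code from the original article or from any vendor's product: it runs a handful of credential-exposure patterns over a constructed set of file contents (an autologon block in an unattend file, a PowerShell script with a plaintext SecureString, a web.config connection string) and produces a masked, severity-ranked list of findings. All paths, account names and passwords in it are invented for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample inventory for this example: file paths and contents a defender's
# scanner might collect from endpoints and shares. Every path, account and password
# here is invented and is not from the original article.
SAMPLE_FILES = {
    r"C:\Windows\Panther\unattend.xml": (
        "<AutoLogon><Username>svc_deploy</Username>"
        "<Password><Value>Summer2020!</Value></Password></AutoLogon>"
    ),
    r"\\fileshare\scripts\backup.ps1": (
        "$cred = New-Object System.Management.Automation.PSCredential("
        "'CORP\\backup_admin', (ConvertTo-SecureString 'B@ckup123' -AsPlainText -Force))\n"
        "Copy-Item -Path D:\\data -Destination \\\\nas\\backups -Credential $cred"
    ),
    r"C:\inetpub\app\web.config": (
        '<connectionStrings><add name="db" connectionString="Server=sql01;'
        'User Id=app_user;Password=P@ssw0rd;"/></connectionStrings>'
    ),
    r"C:\inetpub\app\appsettings.json": '{"LogLevel": "Information", "Port": 8080}',
}

# Each pattern captures the secret itself in group 1 so it can be masked in the report.
PATTERNS = [
    ("autologon password", re.compile(r"<Password>\s*<Value>([^<]+)</Value>", re.I)),
    ("plaintext SecureString", re.compile(r"ConvertTo-SecureString\s+'([^']+)'\s+-AsPlainText", re.I)),
    ("connection string password", re.compile(r"""Password=([^;"']+)""", re.I)),
    ("hard-coded assignment", re.compile(r"""(?:password|passwd|pwd)\s*[:=]\s*['"]([^'"]+)['"]""", re.I)),
]


@dataclass
class Finding:
    path: str
    kind: str
    masked: str     # the report never carries the full secret
    severity: str


def mask(secret: str) -> str:
    """Keep two characters so an owner can recognise the value, hide the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def classify(path: str) -> str:
    """Anything on a share or in an unattend file is reachable by far more principals
    than a file on a single host, so rank it above a local application config."""
    lowered = path.lower()
    if lowered.startswith("\\\\") or "unattend" in lowered:
        return "high"
    return "medium"


def scan_text(path: str, text: str) -> list:
    findings, seen = [], set()
    for kind, pattern in PATTERNS:
        for match in pattern.finditer(text):
            secret = match.group(1)
            if secret in seen:          # one finding per distinct value is enough
                continue
            seen.add(secret)
            findings.append(Finding(path, kind, mask(secret), classify(path)))
    return findings


def scan_inventory(files: dict) -> list:
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    # Highest severity first so the remediation queue starts with share-exposed secrets.
    return sorted(findings, key=lambda f: f.severity != "high")


if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_FILES):
        print(f"[{f.severity:6}] {f.kind:28} {f.path}  value={f.masked}")
```

The severity rule is deliberately crude: a credential sitting on a share or in an unattend file is readable by many more principals than one in a local application config, which is exactly the "where on the network" question the paragraph raises. A real deployment would feed these findings into the remediation workflow rather than print them.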
Once the organization reduces the attack surface, it’s time to expand it again—this time with decoy credentials. Defenders can seed the network environment with false credentials that serve as lures, breadcrumbing attackers into a decoy environment that can effectively isolate them. Because the deception environment appears authentic, intruders will be unaware that they have attempted to use false credentials and continue carrying out their attacks. This activity provides defenders with the unique opportunity to not only safeguard their credentials, but gain valuable adversary intelligence that can help them improve their defenses in the future.
Attackers query AD to extract information, since domain controllers will answer queries from any domain-joined member system by design. Suppose attackers are searching for AD credentials or other objects that would give them access privileges to valuable data, or the ability to reset security policies so they can remain undetected. In that case, the best course of action for the security team is to hide these sensitive and critical objects so the attackers can’t act on them, preventing them from extracting the accounts and information they need to progress their attacks. Modern solutions also hide local administrator accounts, since attackers will leverage them upon compromising an endpoint. By hiding these accounts, defenders ensure attackers can’t use them to compromise other systems. Meanwhile, the security team receives an alert for every unauthorized AD query or attempt to enumerate local administrator accounts, enabling them to respond quickly while also collecting threat intelligence on the TTPs the attackers are using.
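The two alerting rules described in this step and the decoy-credential lures from the previous one can be expressed as a small policy engine over normalised telemetry. The following is an added example, not code from the original article or from any deception product: it takes a constructed list of simplified events (logons, AD object queries, local administrator enumeration), a constructed list of decoy accounts, a set of sensitive AD objects, and a set of hosts authorised to read them, and emits alerts plus a list of hosts to isolate. Event shapes, host names, account names and group names are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy for this example; none of these names come from the article.
DECOY_ACCOUNTS = {"corp\\svc_sqlbackup", "corp\\helpdesk_adm"}   # lures seeded on endpoints
SENSITIVE_AD_OBJECTS = {"Domain Admins", "Enterprise Admins", "krbtgt", "AdminSDHolder"}
AUTHORIZED_QUERY_HOSTS = {"MGMT-01"}      # the only hosts that legitimately read those objects

# Constructed, simplified telemetry: one dict per normalised event.
SAMPLE_EVENTS = [
    {"id": 1, "type": "logon", "host": "WS-042", "account": "corp\\jdoe", "result": "success"},
    {"id": 2, "type": "ad_query", "host": "WS-042", "account": "corp\\jdoe", "target": "Domain Admins"},
    {"id": 3, "type": "ad_query", "host": "MGMT-01", "account": "corp\\svc_monitor", "target": "Domain Admins"},
    {"id": 4, "type": "local_admin_enum", "host": "WS-042", "account": "corp\\jdoe"},
    {"id": 5, "type": "logon", "host": "WS-042", "account": "corp\\svc_sqlbackup", "result": "failure"},
    {"id": 6, "type": "ad_query", "host": "WS-017", "account": "corp\\asmith", "target": "Printers"},
]


@dataclass
class Alert:
    event_id: int
    host: str
    account: str
    severity: str
    reason: str


def evaluate(event: dict):
    """Return an Alert for one event, or None if it is benign under the policy."""
    host, account = event["host"], event["account"]
    if event["type"] == "logon" and account.lower() in DECOY_ACCOUNTS:
        # Nobody legitimately uses a decoy, so success or failure is a true positive.
        return Alert(event["id"], host, account, "critical",
                     f"decoy credential {account} used ({event['result']})")
    if (event["type"] == "ad_query" and event["target"] in SENSITIVE_AD_OBJECTS
            and host not in AUTHORIZED_QUERY_HOSTS):
        return Alert(event["id"], host, account, "high",
                     f"unauthorised query of {event['target']} from {host}")
    if event["type"] == "local_admin_enum":
        return Alert(event["id"], host, account, "medium",
                     "enumeration of local administrator accounts")
    return None


def run(events: list) -> list:
    return [a for a in map(evaluate, events) if a is not None]


def hosts_to_isolate(alerts: list) -> set:
    """A host that touched a decoy is already in the attacker's hands; isolate it."""
    return {a.host for a in alerts if a.severity == "critical"}


def summarise(alerts: list) -> dict:
    """Per-host alert count, the view an analyst pivots from."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a.host] += 1
    return dict(counts)


if __name__ == "__main__":
    alerts = run(SAMPLE_EVENTS)
    for a in alerts:
        print(f"event {a.event_id}: [{a.severity}] {a.host} {a.account}: {a.reason}")
    print("isolate:", sorted(hosts_to_isolate(alerts)))
```

The decoy rule fires on any logon attempt, failed or successful, because a lure account has no legitimate user; that is what makes it a near-zero-false-positive signal. The AD rule is deliberately an allow-list of query sources rather than a block-list of attacker tools, which matches the "hide the objects and alert on everyone else" stance the paragraph describes.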
One of the most effective ways to deter cybercriminals is to make their attacks more complicated, more expensive, and more time-consuming. Part of the reason stolen credentials are so attractive to attackers is that they represent a fast lane into the network, an easy way to bypass traditional security controls, and are often required to gain the privileges and access they need to conduct a wide-scale attack.
The one-two-three punch of identifying exposed credentials, deploying deceptive lures, and protecting Active Directory removes the ability for an attacker to move laterally through the network under the guise of a real employee. To make life hard for attackers, organizations should know three things: what credentials they need to protect, which ones are at risk, and how to hide and deny access to critical objects. Defenders with a firm grasp on that knowledge can not only help secure their credentials, but have fun letting attackers chase false ones.