Stolen credentials provide cybercriminals with both an entry point into your network and a way to move through your network undetected. While the cyber threat landscape is more diverse in terms of tactics and techniques than ever, the aftermath of many data breach and ransomware incidents ends up tracing either their origin or their escalation to the use of stolen credentials.
The shift to hybrid work arrangements further accelerated credential theft as a cyber threat with hackers seeking to compromise logins for VPNs, cloud services, and other remote work infrastructure. This article offers a three-step plan for getting the fundamentals in place to prevent credential theft and keep your most valuable digital assets protected.
Step 1: Employee Training and Awareness
Many credential theft attacks directly target employees because these methods of stealing passwords don’t require much in the way of technical prowess from a hacker’s perspective. The relatively primitive nature of tactics like social engineering or brute force password guessing belies the fact that they are often very effective ways of compromising credentials.
One report from 2021 found that phishing attacks alone cost large organizations $15 million per year on average. Similarly, with the top three most commonly used passwords being 123456, 123456789, and qwerty, it’s clear to see why threat actors still employ trial and error methods of guessing passwords.
Underpinning the effectiveness of employee-focused credential theft attacks is a persistent lack of effective cybersecurity training and awareness covering two key areas.
1. Social Engineering
Social engineering tactics manipulate or dupe victims into giving away their login credentials to business apps and services. Phishing emails that lead unsuspecting employees to malicious URLs are a commonly used social engineering tactic to steal passwords. These emails seem to come from legitimate sources to the untrained eye.
Hackers have introduced more sophistication into phishing campaigns by leveraging personal information about targets, much of which is accessible on social media or social networking platforms. These so-called spear phishing attacks are harder to spot, but not impossible.
Effective training and awareness makes a big difference in preventing credential theft through social engineering. Training modules must comprehensively cover different types of social engineering attacks and ideally use examples and stories that resonate with different business departments/specialties. Ongoing awareness should leverage methods like monthly newsletters, fliers dotted around the office, and re-taking training at sensible intervals. For even better results, incorporate simulated training exercises so that employees improve their social engineering detection capabilities in the kind of unexpected scenarios they’ll encounter with genuine attacks.
2. Good Password Hygiene
In a sophisticated threat landscape, it’s easy to disregard the importance of good password hygiene. Yet even attackers with an armory of highly technical tools and in-depth knowledge at their disposal find that cracking weak passwords provides an easy entry point into your networks. Weak passwords are the path of least resistance, so it makes sense for attackers to target them.
Education on improved password hygiene should cover the following points:
- Warn employees about the danger of re-using passwords across different apps and services and dissuade the use of this practice.
- Encourage complex passwords that use at least 8 characters, combining upper case, lower case, numbers, and symbols.
- To help avoid password fatigue or productivity impacts from employees forgetting complex passwords and needing to reset them, instruct employees to use password managers for securely storing and seamlessly using a repository of their various passwords.
From a business perspective, exercise good password hygiene by setting up multifactor authentication (MFA), particularly for privileged or admin users. With MFA in place, employees need to provide an extra category of evidence proving their identity before they can log in to a system. MFA ensures that even a brute force attack that guesses and steals the correct password doesn’t grant access to the system that the password protects.
Step 2: Advanced Email Security Solutions
While improved training and awareness notably reduces employee susceptibility to common credential theft attacks, it doesn’t effectively prevent every threat. Highly sophisticated social engineering scams like whaling or CEO fraud can create such a convincing context that even trained security professionals might be tempted to click an untrusted link and disclose sensitive information.
In these cases, advanced email security solutions can help prevent credential theft. When employees get directed to a fake login page, anti-phishing solutions leverage deep learning algorithms and computer vision to spot deviations from the authentic login page. Other advanced solutions for email security include next-generation firewalls, which can provide granular control over the specific URLs that employees can submit their credentials to.
Step 3: Honeypots and Other Decoys
The steps discussed so far focus on the boundary between the external world and your network, but what about threat actors stealing credentials while inside the network? Commonly, this credential stealing uses malware, trojans, or PowerShell scripts to obtain valid credentials, and it’s not just limited to passwords. Threat actors then move laterally or escalate privileges, and the dreaded outcome is often the exfiltration of sensitive customer data or the encryption of every device on your network with ransomware.
A particularly prevalent internal threat is the compromise of password hashes and session tickets rather than the plaintext password itself. Active Directory is a highly prized target because this infrastructure controls access to other critical systems, apps, and services.
Honeypots are an excellent tool that let you set up decoy systems or servers to draw attackers into them. Honeypots look like and are named similar to legitimate systems, but they don’t provide attackers with access to anything. By setting up honeypots and monitoring them, you can both draw hackers away from your legitimate systems and prevent genuine credential theft. You achieve all of this while gleaning a better understanding of what password compromise techniques are being used by threat actors inside your network.
Taking honeypots to another level, also consider the use of honey-hashes and honey-tokens. The idea behind these decoys is to place them in the same locations as legitimate credentials. Since no real user will ever try to authenticate or interact with these fake credentials, any use of them is an immediate red flag indicating an in-progress credential theft operation. You can then react in time and shut down the system/server or take other actions to remediate the threat.
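As an added illustration (not part of the original article or of Flare's product), the following Python detection logic scans constructed Windows-style logon events for any authentication activity that names a planted decoy account, grouping hits by source address so a single alert is raised per suspicious host. The decoy account names, the flattened log format and the sample event codes are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Decoy accounts planted alongside real credentials (constructed names;
# in practice pick names that blend in with your own naming convention).
HONEY_ACCOUNTS = {"svc_backup_legacy", "adm_dbreplica"}

# Constructed sample of Windows-style logon events, one per line.
# 4624 = successful logon, 4625 = failed logon, 4768 = Kerberos TGT request.
SAMPLE_LOG = """\
2024-03-04T08:01:12Z host=DC01 event=4624 user=jsmith src=10.0.2.15
2024-03-04T08:03:44Z host=DC01 event=4625 user=svc_backup_legacy src=10.0.5.77
2024-03-04T08:03:45Z host=DC01 event=4768 user=adm_dbreplica src=10.0.5.77
2024-03-04T08:04:02Z host=FS02 event=4624 user=mlee src=10.0.2.31
2024-03-04T08:04:09Z host=DC01 event=4625 user=SVC_BACKUP_LEGACY src=10.0.5.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)

@dataclass(frozen=True)
class Alert:
    source: str       # IP that touched a decoy account
    users: tuple      # decoy accounts it used, sorted
    attempts: int     # number of events against decoys from this source
    first_seen: str   # timestamp of the first such event

def find_honey_token_use(log_text, honey_accounts=HONEY_ACCOUNTS):
    """One Alert per source that authenticated (or tried to) as a decoy.
    The outcome code is irrelevant: no legitimate user ever touches these
    accounts, so even a failed attempt is a red flag."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"].lower() not in honey_accounts:
            continue
        rec = hits.setdefault(m["src"], {"users": set(), "n": 0, "first": m["ts"]})
        rec["users"].add(m["user"].lower())
        rec["n"] += 1
    return [Alert(src, tuple(sorted(r["users"])), r["n"], r["first"])
            for src, r in sorted(hits.items())]

if __name__ == "__main__":
    for a in find_honey_token_use(SAMPLE_LOG):
        print(f"ALERT decoy use from {a.source}: {a.users} x{a.attempts}, first {a.first_seen}")
```

Account names are compared case-insensitively because Windows logon names are not case-sensitive, so a decoy used with different casing still triggers the alert.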
Don’t Neglect Your Digital Footprint
These three steps put your business in a much better place to prevent credential theft. However, with literally billions of stolen credentials on the deep web, dark web, and clear web from previous data breaches, there is a strong possibility that working credentials belonging to someone in your organization are available for threat actors to reuse for malicious purposes.
With no solution for monitoring their external digital footprint in place, businesses often remain unaware of stolen credentials until it’s too late. Flare’s platform continuously scans all corners of the Internet for exposed credentials and prioritizes alerts so you can take action in real time. This detection speed helps to mitigate threats from stolen credentials before their theft turns into breaches or other serious cybersecurity incidents.
Using Flare to scan for password dumps and mentions of your company email or domain, you can rapidly reset accounts for any affected users or take other actions that render any stolen credentials useless.