Credential theft isn’t a new concept to most people – but in the context of cybersecurity, it’s become increasingly prevalent over the last few years, as the findings of Dimension Data’s Executive Guide to the NTT Security 2019 Global Threat Intelligence Report indicate.
Credentials are the ‘keys to your kingdom’, protecting your organisation’s networks and data from unauthorised access. This makes stolen credentials a valuable target for threat actors.
Some 67% of all credential theft attacks are associated with phishing, in which cybercriminals use an email to lure recipients to a fake website that looks legitimate. The motive is to obtain username and password combinations.
We’re seeing an increasing number of credential theft attacks targeting cloud platforms, as the graph below illustrates:
Figure 1: Four platform targets comprised almost 97% of all credential theft attacks in 2018
Microsoft Office 365 credential targeting accounted for 45% of all phishing attacks. This suggests that organisations are increasingly migrating to cloud-based platforms, driven by ongoing digital transformation across all industries and the recognition by businesses of the need to become more ‘digitally native’. However, by doing so, they’re exposing themselves to a number of new cyberthreats – credential theft being one.
Moving your systems (including email) beyond your traditional corporate boundaries means that the existing controls you have in place may no longer be sufficient. This potentially exposes your confidential information – from valuable business intelligence (intellectual property), to highly regulated data such as personally identifiable information, protected healthcare information, payment card information, and other sensitive data – to the risk of theft. So, all it takes is for someone to access those credentials and log in through the organisation’s ‘front door’. Attackers don’t need to look for vulnerabilities in websites or applications. If they successfully target individuals and steal their credentials, they can simply log onto the applications and gain entry into the organisation as a whole, to siphon off data and conduct other nefarious activities.
As the title of this article suggests, this is how organisations unwittingly ‘hand over the keys to their kingdoms’ (i.e. their data, applications, intellectual property, and access to their cloud infrastructure) to cybercriminals.
We believe that organisations need to be concerned about the growth of Microsoft Office 365 and the alarming increase in credential-based attacks.
While credential theft attempts via phishing accounted for double the number of those involving malware (33%), the latter shouldn’t be overlooked.
Malspam is an evolution of traditional malware, which now often incorporates capabilities designed to steal credentials. And that involves more than just installing keyloggers, which monitor the information that a user enters into a system. Today, malspam attacks are specifically targeting the credentials that users enter into online applications, such as Internet banking platforms and other password-protected sites.
NTT Security’s research conducted during 2018 shows that:
Figure 2: Sectors most targeted for credential theft phishing attacks
Figure 3: Sectors most targeted for credential theft malware attacks
Cybercriminals’ motives to launch credential theft attacks are generally threefold:
Access: The use of stolen credentials to gain access to resources and the underlying data; this may involve both short-term and persistent access.
Influence: This involves manipulating a person, or the impression of a person, brand, or product. It may include activities related to reputational damage, blackmail, and extortion.
Profit: Attackers use stolen credentials for fraudulent activities including:
Often, cybercriminals invoke a ‘pay-per-use’ model: those who’ve stolen credentials will charge other threat actors according to the volume of data they choose to access, over a specific period.
Cybercriminals are constantly refining their credential theft toolsets, tactics, and types of attack – both technical and non-technical.
What do we know about the frequency and duration of credential theft attacks? This generally depends on the attacker’s motive.
Some are quick: ‘Let’s infiltrate the organisation’s systems, steal the credentials we want, and get out fast’. Others are more prolonged where the attacker keeps a low profile, and steals and uses credentials in a limited way, to avoid detection and establish a longer-term foothold within the business.
As defenders against cybercrime, we need visibility of these activities to detect various kinds of attacks, regardless of the threat actor behind them.
If an organisation is only willing and/or able to invest a small percentage of their IT spend in combatting credential theft, they’ll likely only be able to prevent or detect issues such as hacktivist activity by some of the more minor cybercriminal groups. Larger and/or more high-profile organisations tend to increase the amount that they spend to guard against more calculating threat actors (e.g. nation-state groups).
Ultimately, an organisation’s current and desired cybermaturity profile regarding credential theft will depend on a variety of factors. These include the risk profile of the business (including the compliance regulations that apply to it), location, culture, competitors, and how much it is prepared or able to invest in bolstering its cybersecurity defences.
Stolen credentials can have a severe, immediate impact on organisations. This often includes:
Longer-term impact may also include C-level executives being forced to resign, devaluation of stock prices, stalling of planned mergers and acquisitions, loss of intellectual property, and compliance penalties.