Credential theft: ‘handing over the keys to your kingdom’

Cybercriminals target data, applications, and cloud infrastructure, making credential asset management a priority

Credential theft isn’t a new concept to most people – but in the context of cybersecurity, it’s become increasingly prevalent over the last few years, as the findings of Dimension Data’s Executive Guide to the NTT Security 2019 Global Threat Intelligence Report indicate.

Credentials are the ‘keys to your kingdom’, protecting your organisation’s networks and data from unauthorised access. This makes stolen credentials a valuable target for threat actors.

Phishing and malware are cybercriminals’ techniques of choice

Some 67% of all credential theft attacks are associated with phishing, which involves cybercriminals attempting to send recipients to a fake website – one that looks legitimate – via an email. The motive for this is to obtain user name and password combinations.

We’re seeing an increasing number of credential theft attacks targeting cloud platforms, as the graph below illustrates:

Figure 1: Four platform targets comprised almost 97% of all credential theft attacks in 2018

Microsoft Office 365 credential targeting accounted for 45% of all phishing attacks. This suggests that organisations are increasingly migrating to cloud-based platforms, driven by ongoing digital transformation across all industries and the recognition by businesses of the need to become more ‘digitally native’. However, by doing so, they’re exposing themselves to a number of new cyberthreats – credential theft being one.

Moving your systems (including email) beyond your traditional corporate boundaries means that the existing controls you have in place may no longer be sufficient. This potentially exposes your confidential information ─ from valuable business intelligence (intellectual property), to highly regulated data such as personally identifiable information, protected healthcare information, payment card information, and other sensitive data ─ to the risk of theft. So, all it takes is for someone to access those credentials and log in through the organisation’s ‘front door’. Attackers don’t need to look for vulnerabilities in websites or applications. If they successfully target individuals and steal their credentials, they can simply log onto the applications and gain entry into the organisation as a whole, to syphon off data and conduct other nefarious activities.

As the title of this article suggests, this is how organisations unwittingly ‘hand over the keys to their kingdoms’ (i.e. their data, applications, intellectual property, and access to their cloud infrastructure) to cybercriminals.

We believe that organisations need to be concerned about the growth of Microsoft Office 365 and the alarming increase in credential-based attacks.

More about malware and malspam attacks

While credential theft attempts via phishing accounted for double the number of those involving malware (33%), the latter shouldn’t be overlooked.

Malspam is an evolution of traditional malware, which now often incorporates capabilities designed to steal credentials. And that involves more than just installing keyloggers, which monitor the information that a user enters into a system. Today, malspam attacks are specifically targeting the credentials that users enter into online applications, such as Internet banking platforms and other password-protected sites.

Today, malspam attacks are specifically targeting the credentials that users enter into online applications, such as Internet banking platforms and other password-protected sites. Read more @Dimensiondata. Tweet this

Which sectors are most at risk of credential theft?

NTT Security’s research conducted during 2018 shows that:

• The technology sector was most heavily impacted by phishing credential theft (36%).
• The top five impacted sectors accounted for 83% of phishing credential theft.
• The retail (36%) and telecommunications (28%) sectors were most heavily impacted by credential theft malware, and therefore should consider investing in more malware protection.
• The top five impacted sectors accounted for 91% of credential theft malware.

Figure 2: Sectors most targeted for credential theft phishing attacks

Figure 3: Sectors most targeted for credential theft malware attacks

Access, influence, and profit: an attractive trio of motives for credential theft attacks

Cybercriminals’ motives to launch credential theft attacks are generally threefold: 

Access: The use of stolen credentials to gain access to resources and the underlying data; this may involve both short-term and persistent access.

Influence: This involves manipulating a person, or the impression of a person, brand, or product. It may include activities related to reputational damage, blackmail, and extortion.

Profit: Attackers use stolen credentials for fraudulent activities including:

• illegal financial transactions
• bartering with other cybercriminals (i.e. selling stolen credentials to the highest bidder)
• identity theft for financial gain

Often, cybercriminals invoke a ‘pay-per-use’ model: those who’ve stolen credentials will charge other threat actors according to the volume of data they choose to access, over a specific period.

Attack patterns and methodologies

Cybercriminals are constantly refining their credential theft toolsets and tactics, and types of cyberattacks – both technical and non-technical.

What do we know about the frequency and duration of credential threat attacks? This generally depends on the attacker’s motive.

Some are quick: ‘Let’s infiltrate the organisation’s systems, steal the credentials we want, and get out fast’. Others are more prolonged where the attacker keeps a low profile, and steals and uses credentials in a limited way, to avoid detection and establish a longer-term foothold within the business.

As defenders against cybercrime, we need visibility of these activities to detect various kinds of attacks, regardless of the threat actor behind them.

If an organisation is only willing and/or able to invest a small percentage of their IT spend in combatting credential theft, they’ll likely only be able to prevent or detect issues such as hacktivist activity by some of the more minor cybercriminal groups. Larger and/or more high-profile organisations tend to increase the amount that they spend to guard against more calculating threat actors (e.g. nation-state groups).

Ultimately, an organisation’s current and desired cybermaturity profile regarding credential theft will depend on a variety of factors. These include the risk profile of the business, including compliance regulations relating to them, location, culture, competitors, and how much they’re prepared or able to invest in bolstering their cybersecurity defences.

Ultimately, an organisation’s current and desired cybermaturity profile regarding credential theft will depend on a variety of factors. Read more @Dimensiondata. Tweet this

What’s the business impact of a successful wave of credential theft attacks?

Stolen credentials can have a severe, immediate impact on organisations. This often includes:

• loss of confidentiality, integrity, or availability of sensitive data related to the theft of proprietary information
• disruption of regular business operations
• financial losses (including the unplanned cost of forensic investigations, clean-up operations, and legal counsel)
• harm to an organisation’s reputation and consumer and employee brand trust, which is difficult, if not impossible, to recover

Longer-term impact may also include C-level executives being forced to resign, devaluation of stock prices, stalling of planned mergers and acquisitions, loss of intellectual property, and compliance penalties.

Credential guards: how to get on the front-foot

1. Implement multi-factor authentication on all accounts and systems.
2. Segment your network environment.
3. Enforce ‘least privilege’ access and segregation of duties.
4. Implement network activity monitoring and data loss prevention initiatives.
5. Educate employees about being vigilant regarding phishing attacks and ensure that everyone understands that security is their responsibility.
6. Eliminate passwords as far as possible, and if one is used, make sure it’s not re-used elsewhere across multiple sites.
7. Implement processes that cover incident response handling.