Enterprise Security: One Password Away From Disaster

The Cybersecurity Paradox: Innovation vs. Stagnation

A common definition of insanity involves repeatedly performing the same action while anticipating a different result. Considering this, it could be argued that the current state of the cybersecurity industry reflects this very pattern.

Malicious actors are consistently developing increasingly complex and advanced attack techniques. However, a significant number of security organizations continue to rely on the same technological strategies that were prevalent a decade ago.

The landscape has undergone a dramatic transformation, yet cybersecurity measures haven't evolved at a corresponding rate.

The Vanishing Perimeter

Modern distributed systems, characterized by the widespread dispersal of both people and data, have effectively eliminated the traditional network perimeter. This development is particularly advantageous for hackers.

Existing security approaches, such as correlation rules, manual procedures, and the isolated examination of alerts, offer only superficial solutions. They primarily address the symptoms of attacks rather than tackling the root causes.

The Credential Challenge

User credentials are intended to serve as the primary defense mechanism, acting as the gatekeepers to sensitive systems. However, a lack of adaptation within Security Operations Centers (SOCs) is hindering effective detection of malicious activity.

A fundamental reassessment of cybersecurity strategy is crucial. This involves a shift in focus towards analyzing credential usage patterns and proactively preventing breaches before they escalate into larger-scale incidents.

A Call for Strategic Rethinking

The industry needs to move beyond reactive measures and embrace a more proactive and intelligent approach to threat detection and prevention.

Focusing on understanding how credentials are exploited, and implementing robust monitoring and analysis systems, is paramount to staying ahead of evolving threats.

The Critical Importance of Secure Credentials

Compromised credentials represent a longstanding and escalating primary method of attack. The shift towards remote work, particularly accelerated by recent global events, has broadened the potential attack surface. Organizations are facing increased challenges in maintaining network security as employees connect from less secure environments.

Reports to the FBI indicated a 400% surge in cybersecurity attacks in April 2020, compared to pre-pandemic levels. Considering this data, the current threat landscape in early 2021 is likely even more substantial.

The Risk Within Active Directory

A single compromised account can provide an attacker with entry into the active directory, allowing them to generate additional credentials. Consequently, every user account should be treated as potentially vulnerable.

Analysis of numerous breach reports consistently reveals that compromised credentials are a central factor. The 2020 Data Breach Investigations Report highlights that over 80% of hacking incidents are facilitated by brute force attacks or the exploitation of lost or stolen credentials.

Credential Stuffing and Lateral Movement

Credential stuffing attacks are a particularly effective and prevalent tactic. Attackers gain initial access, exploit vulnerabilities within the system, and then move laterally to acquire higher-level privileges.

Numerous high-profile organizations and government entities have been victims of these attacks. Even those with robust security measures are susceptible, often a matter of when, not if.

Recent High-Profile Breaches

The SolarWinds breach of last year, undetected for months from March to December, exemplifies this risk. Russian actors leveraged this access to compromise U.S. government agencies and companies such as Microsoft and FireEye.

A CISA alert detailed that the attackers employed password guessing and password spraying techniques, specifically targeting inadequately protected administrative credentials to gain initial system access. The stealth of this attack meant detection occurred long after significant damage was done.

Long-Term Vulnerabilities

Such incidents are not isolated. Dominion Healthcare disclosed a breach in April 2019 stemming from unauthorized access that began nine years prior.

Organizations including GoDaddy, Twitter, Amtrak, and even the U.S. Department of Justice have all experienced attacks enabled by compromised credentials, often going unnoticed for extended periods.

The Impact of Remote Work

The rapid expansion of remote work has undeniably heightened the risk of security breaches. In April 2020, hackers obtained approximately 25,000 email addresses and passwords associated with the National Institutes of Health, the World Health Organization, and the Gates Foundation.

Furthermore, in May, the hacking group Shiny Hunters claimed responsibility for stealing 200 million records containing credentials from at least 13 different companies.

The Vulnerability of Credentials: A Critical Security Challenge

The threat landscape is in constant flux, with adversaries continually refining their tactics. The increasing prevalence of phishing attacks and the expanding volume of stolen credentials available on the dark web pose a significant danger to organizations of all sizes.

Despite this escalating risk, security protocols have remained largely static. Expecting different outcomes while employing the same, demonstrably flawed methods – methods that inadvertently expose critical access points – is unrealistic.

Beyond Technology: The Human and Procedural Factors

Contemporary security challenges extend beyond purely technological issues; they encompass vulnerabilities in both personnel and established procedures. Attackers consistently target credentials due to their accessibility, representing the easiest route to compromise a system.

Meanwhile, IT security teams are often overwhelmed, dedicating resources to investigate a multitude of alerts generated by threat detection systems. This reactive approach is not only unproductive but also unsustainable, focusing on treating symptoms rather than addressing the root cause: compromised user accounts.

The Limitations of Traditional Security Measures

Many organizations are implementing encryption and Virtual Private Networks (VPNs) to enhance the security of their devices and remote workforce. However, these solutions offer limited protection when an attacker successfully obtains valid credentials.

A VPN provides a false sense of security, as it does not prevent unauthorized access when credentials are compromised. The increasing adoption of VPNs has, in turn, spurred a corresponding increase in criminal efforts to exploit their vulnerabilities.

Notably, the National Security Agency issued a cybersecurity advisory in July 2020 specifically highlighting the susceptibility of VPN networks to network scanning, brute-force attacks, and zero-day exploits.

A Shift in Strategy: From Detection to Prevention

While detection remains a necessary component of cybersecurity, it’s akin to searching for a single needle within a vast haystack. A fundamental organizational shift is required to comprehensively resolve this issue.

We must re-evaluate our security strategy, maximizing the utility of existing tools, prioritizing the most critical risk areas, and integrating data analysis to understand the pathways through which breaches occur.

Key Considerations for a Proactive Approach

Focus on credential protection as the primary defense.
Implement robust multi-factor authentication (MFA) wherever possible.
Continuously monitor for compromised credentials.
Invest in employee security awareness training.
Analyze breach data to identify patterns and vulnerabilities.

Addressing the Challenge of Credential-Based Attacks

Modern IT departments are required to evolve their enterprise security approaches to proactively identify attacks that exploit compromised credentials. A successful strategy necessitates a holistic approach, integrating technology, skilled personnel, and well-defined processes.

This combination allows for the establishment of a baseline understanding of typical employee behavior, particularly concerning credential management. Detecting deviations from this norm is crucial for flagging potentially malicious activity.

The Importance of a Security Playbook

Security teams require a pre-defined playbook to automate the identification of security incidents and improve responses to threats like phishing, malware, and insider risks. Such a playbook streamlines incident handling and reduces response times.

Leveraging frameworks like MITRE ATT&CK provides investigators with valuable insights into attacker methodologies and tactics, enhancing their ability to understand and counter threats.

Automated and standardized procedures are essential for achieving consistent and predictable security outcomes.

Gaining Visibility into Credential Usage

The ability to monitor domain credentials, track lateral movement within the network, and detect privilege escalation attempts is paramount. This real-time visibility empowers organizations to defend against attacks as they unfold.

While complete prevention of all attacks isn't always achievable, comprehensive credential usage monitoring significantly minimizes potential damage by pinpointing the precise entry point and timeline of a breach.

A Key Reminder for Security Professionals

When facing security challenges, remember to prioritize the investigation of compromised credentials. Often, the root cause of a security incident lies within the misuse or theft of legitimate credentials.