In recent years, we have seen hospitals, insurance companies (Aetna), giant corporations (Sony) retailers (Home Depot and Target), and tech companies (Yahoo, LinkedIn, Dropbox) all breached because of some type of insider threat or compromised credentials. So, it’s no surprise that Insider threats are a growing concern for organizations.
While it’s impossible to guarantee the complete security of any organization, with the proper knowledge of how cyber criminals are breaking in, they can better arm themselves with the right processes, tools and policies to reduce their risk and make it extremely difficult for hackers to get inside the network.
In this blog, I’d like to provide and introduction to credential theft and discuss some of the top methods cyber criminals use to compromise credentials and laterally move inside the network as well as tips organizations can use to reduce their risk.
Once a hacker has picked their victim, they are looking for an opportunity to find a smallest hole to get inside the network. It could be misconfiguration of ssh ports, problem in anti-virus update or even weak security spots with anyone who works with these corporations. The infamous Target breach was done through an HVAC contractor who worked for Target.
Credential Theft is one of the most common ways for attackers to get inside the network.
The top three ways credentials can be compromised:
- Reusing credentials: People often reuse their passwords both outside and inside the company to avoid having to remember multiple passwords. Once hackers get hold of credentials from one breach, it’s only a matter of time before they use them to attack other targets using those credentials
- Using unsecured computers: Using unsecured computer to login and checking emails or other personal information can cause a credential theft.
- Using unsecured network: People love free wireless, and its everywhere -- airports, restaurants, coffee shops, libraries, hospitals-- but unfortunately so are hackers looking for prey. Users should be careful in choosing and sending sensitive information over a public wifi network as they can be subject to a man-in-the-middle attack and have their credentials compromised.
What happens after cyber criminals get inside the network? Once cyber criminals are inside the network they look for opportunities for lateral movement. They want to be able to more easily move around to get what they are looking for. They look for assets or accounts that can provide sensitive information or higher privileges.
Here are five areas that cyber criminals focus on to gain lateral movement:
- Active Directory accounts where they could do a Password Brute Force to gain access to user credentials
- Privileged Accounts that belong to IT teams to compromise the network
- Credentials that gain them access to assets storing sensitive data (Executives, HR, Finance, Legal, Customers).
- Stale Privileged accounts that nobody is watching
- Password hashes that are stored locally (hackers can use them to gain access to not only on that machine but many other machines if the same account is used on other machines, which is common practice for IT teams.)
So, what can an organization do to defend itself? As we have seen, cyber criminals are crafty. If you close the door, they’ll come in the window. If you close the window, they will try to come in through the chimney or a vent. It’s important for organizations to continually look for ways to reduce risk of credential compromise.
What can you do to better defend your organization? Here are top tips:
- Control online and physical access of Domain Controllers
- Keep track of and monitor the activities of Privileged Accounts
- Look for anomalies in user behavior
- Keep track of accounts for Employees leaving the company to reduce stale accounts
- Keep track of and monitor third party contractors’ accounts and privileges
- Implement complex password policies and regularly check the complexity of passwords
- Security training and feedback to employees
- Implement Multi-Factor-Authentication (MFA) to verify identity before providing access to key systems
To learn more about how you can thwart an attacker’s attempts to breach and move around a network I suggest reading Avi Kama’s blog Disrupting an Attacker from Exploiting Domain Credentials. I also suggest Eran Cohen’s blog for tips on how we can all lead a Healthy digital life to prevent personal credential compromise.