Full disclosure: I wasn’t physically at BlackHat 2017. But my colleagues who attended told me about the keynote by Alex Stamos, CSO at Facebook.
While a 2017 Harvey Nash/KPMG survey of nearly 4,500 CIOs and tech leaders globally found that cyber security vulnerability is at an all-time high, the biggest jump in threats came from insider attacks which increased from 40 percent to 47 percent over the last year. And that’s a modest estimate; reports from an IBM Security survey suggested that 60 percent of all attacks were carried out by insiders. Of these attacks, three-quarters involved malicious intent, and one-quarter involved inadvertent actors.
Really, it’s not just me saying that Active Directory is the crown jewel. It's actually them, the hackers, that de facto target the active directory in almost every advanced attack. They look for domain credentials and administrative accounts, they practice domain reconnaissance, privilege elevation, targeted attacks against the domain controller and more. Their motivation is similar to terror. For example: produce widespread fear, obtain recognition and attention of media, steal money, damage facilities and functionalities. This is why it was not surprising to learn about the QakBot Trojan causing a mess.
Recently, the new draft of NIST guidelines was released and proposed a shift in password strategy from periodic changes with complexity requirements to use of a long "memorized secret.” Many organizations have forced regular password changes and password complexity but this has failed them.
In a previous blog, we discussed the prevalence of weak passwords in the Enterprise. The fact of the matter is, once an attacker gains access to password challenges and exfiltrates them for offline cracking, they can crack them in most cases.
Password leaks from public breaches help us learn how people think, allow us to identify patterns and build dictionaries of passwords. As password cracking methods evolve, Upper characters, Lower characters, Special characters and Digits (ULSD) recommendations and password complexity mean less.