How many user accounts do you have? Emails, social media, online shopping, streaming services—and that doesn’t even begin to account for professional logins. By the time you add them all up, it’s likely one hundred or more unique accounts.
According to NordPass, the average user maintains 168 logins for personal use and no fewer than 87 for work. That is an extraordinary amount to keep safe, and threat actors know it is only a matter of time before a user enters one of those credentials somewhere it does not belong, on a phishing page, say, or on a site that later gets breached. Sooner or later they obtain a valid pair (or two) and slip into a network unnoticed.
When that happens, the team is effectively dealing with an insider threat, even though the "insider" is nothing more than a threat actor using a legitimate account. Organizations can prepare for exactly that circumstance: penetration testing and red teaming let security teams see what an attacker sees, look where an attacker would look, and close the weaknesses an attacker would otherwise exploit.
In that spirit, here are a few tips to proactively harden your environment against compromised credentials.
What can an attacker do with compromised credentials? In a word: everything the account's owner can. Credentials might not be the "keys to the kingdom," but they certainly help unlock the door. Once compromised, they let cybercriminals in both easily and undetected, where they can wreak as much havoc as a malicious insider, maybe more.
Not only can attackers access everything the compromised user can, they can do it without being noticed. Because they are logged in on a legitimate account, many security controls will not flag their activity until much further down the line, probably when it is too late. If the attacker only touches resources that user is "supposed to" access, there is no anomaly to alert on, and dwell time stretches with nothing to stop the clock.
They can even exfiltrate sensitive data the user legitimately has access to and make a clean escape. In other words, compromised credentials give cybercriminals something of a "license to do evil," making everything they do afterwards all the more dangerous.
Granted, when we think of “stolen passwords,” we may not immediately think of penetration testing as an intuitive source of defense. But maybe we should.
Credentials get stolen because there is a chink in the armor: some weakness went undiscovered and was eventually exploited. Pen testing can surface weak or already-compromised credentials and weak authentication, such as missing MFA, no account lockout, or no rate limiting on login endpoints. Closing those gaps removes the low-hanging fruit that password spraying, credential stuffing and brute forcing depend on, and that ransomware operators routinely use for initial access.
For example, pen testers can simulate credential stuffing, a common attack that targets reused passwords. By replaying username and password pairs swiped in one breach against another system's login, pen testers (and, more nefariously, threat actors) routinely gain access to multiple accounts. It works whenever a user has reused the same username, password, or both across services, which is why it is important to use a password manager that generates a strong, distinct password for every site and keeps track of them all.
Pen testing can also show what could happen after credentials are stolen. Internal pen tests demonstrate how a threat actor who already holds a valid account can find and exploit weaknesses inside the network: outdated software, misconfigurations, or weak access controls. For example, an internal tester starting with a standard user's credentials might exploit an unpatched service to escalate privileges and reach sensitive data. Since the perimeter is never impenetrable, these tests help organizations close gaps internally so that a breach does limited damage.
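The attacks named above (password spraying, credential stuffing, brute forcing) look different in authentication logs, and a pen test is only useful if the blue team can tell them apart afterwards. The following is an added example, not code from the article or from Fortra: a small triage script that reads constructed login records in an assumed "timestamp source_ip username OK|FAIL" format, groups them per source address, and applies assumed heuristics: many distinct accounts with few tries each is spraying, many names your directory does not contain is stuffing (breach lists are full of other sites' usernames), repeated failures on one account is brute force. The directory of valid users, the thresholds and the log lines are all assumptions made up for the demo.

```python
"""Triage bulk login failures per source IP (added example; assumed log format)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed record layout: "<timestamp> <source_ip> <username> <OK|FAIL>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")

# Assumed directory of real accounts; any other name does not exist here.
VALID_USERS = {"alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"}

# Assumed thresholds; tune to the environment's own baseline.
MIN_USERS_FOR_BULK = 5     # distinct accounts before one IP looks like a campaign
MAX_TRIES_PER_USER = 2.0   # spraying keeps per-account attempts below lockout
UNKNOWN_USER_SHARE = 0.5   # stuffing lists carry many names the directory lacks
MIN_BRUTE_FAILURES = 5     # repeated failures against a single account

# Constructed sample log: four source addresses, four different behaviours.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 203.0.113.7 alice FAIL
2024-05-01T08:00:02Z 203.0.113.7 bob FAIL
2024-05-01T08:00:03Z 203.0.113.7 carol FAIL
2024-05-01T08:00:04Z 203.0.113.7 dave FAIL
2024-05-01T08:00:05Z 203.0.113.7 erin FAIL
2024-05-01T08:00:06Z 203.0.113.7 frank OK
2024-05-01T08:00:07Z 203.0.113.7 grace FAIL
2024-05-01T08:01:00Z 198.51.100.9 jsmith84 FAIL
2024-05-01T08:01:01Z 198.51.100.9 mjones_77 FAIL
2024-05-01T08:01:02Z 198.51.100.9 kwilliams FAIL
2024-05-01T08:01:03Z 198.51.100.9 dbrown2 FAIL
2024-05-01T08:01:04Z 198.51.100.9 lmiller FAIL
2024-05-01T08:01:05Z 198.51.100.9 tdavis9 FAIL
2024-05-01T08:01:06Z 198.51.100.9 heidi FAIL
2024-05-01T08:01:07Z 198.51.100.9 grace OK
2024-05-01T08:02:00Z 192.0.2.44 alice FAIL
2024-05-01T08:02:01Z 192.0.2.44 alice FAIL
2024-05-01T08:02:02Z 192.0.2.44 alice FAIL
2024-05-01T08:02:03Z 192.0.2.44 alice FAIL
2024-05-01T08:02:04Z 192.0.2.44 alice FAIL
2024-05-01T08:02:05Z 192.0.2.44 alice FAIL
2024-05-01T08:03:00Z 10.0.0.5 alice FAIL
2024-05-01T08:03:09Z 10.0.0.5 alice OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    unknown_users: set = field(default_factory=set)
    logged_in: list = field(default_factory=list)  # accounts that returned OK


def parse(log_text):
    """Aggregate login attempts per source IP; lines not in the format are skipped."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["ip"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["user"] not in VALID_USERS:
            s.unknown_users.add(m["user"])
        if m["result"] == "FAIL":
            s.failures += 1
        else:
            s.logged_in.append(m["user"])
    return stats


def classify(s):
    """Map one source's statistics to an attack pattern label."""
    n = len(s.users)
    if n >= MIN_USERS_FOR_BULK:
        if len(s.unknown_users) / n >= UNKNOWN_USER_SHARE:
            return "credential_stuffing"
        if s.attempts / n <= MAX_TRIES_PER_USER:
            return "password_spraying"
        return "bulk_failures"
    if s.failures >= MIN_BRUTE_FAILURES:
        return "brute_force"
    return "benign"


def triage(log_text):
    """Return {ip: (verdict, accounts to reset)}; successes only count for hostile sources."""
    result = {}
    for ip, s in parse(log_text).items():
        verdict = classify(s)
        hits = sorted(set(s.logged_in)) if verdict != "benign" else []
        result[ip] = (verdict, hits)
    return result


if __name__ == "__main__":
    for ip, (verdict, hits) in triage(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict:20} reset={hits}")
```

The accounts listed under `reset` are the ones that returned OK from a source already judged hostile, which is the list you hand to identity operations for a password reset and session revocation. The unknown-user heuristic is the weakest of the three: an attacker who has enumerated valid usernames first will look like a sprayer, so treat the labels as a starting point for triage rather than a verdict.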
Red team engagements test the enterprise in other ways, giving the detection and response strategy a comprehensive shake-down. Red teaming checks whether the team can detect, contain, and respond effectively to a realistic threat, and the findings feed back into security policies and procedures, including the Blue Team's detection and response.
Why does this help keep credentials safe? For the same reason: a red team uses the tactics an adversary would employ to pilfer your passwords in the first place, among them:
Red team engagements can also run "assumed breach" scenarios that focus on post-exploitation activity. Where a pen test has a bounded scope, aiming to document the weaknesses of a single system or network thoroughly, red teaming is goal focused and sets out to show how an attacker could gain full control. These scenarios often reveal misconfigurations in internal systems, weak access controls between network segments, or blind spots in security monitoring. The trick is to "hack yourself" first, to test how well your security team spots the intrusion and whether the response works, so that when real cybercriminals come along they cannot linger long enough to do real damage.
Fortra offers a comprehensive suite of offensive security tools and services for getting the job done and keeping your credentials safe. It includes:
The more you test your defenses, the more mistakes you will find, and that is the whole point. Many practitioners would rather stick their heads in the sand than test, because they fear what they might see (and how it will make them look to higher-ups), or because they worry they will find too many problems and not know where to begin.
Fortra’s wide range of offensive security techniques and tools can help you harden your environment against credential-based attacks. By helping you gain visibility into your environment, think like an attacker, and attack like a sophisticated threat actor, it can help you spot the same weaknesses they will see – only while you still have time to do something about them. Contact a Fortra expert today to get started.