In cyber threat intelligence (CTI), credentials are the means by which a user's identity is verified, most commonly a username and password. They are classified as compromised credentials once an unauthorized party gains possession of them. The persistence of this problem is unsurprising given the continued digitization of business operations, the weak and recycled passwords users choose, and the high value the cyber underground places on compromised credentials because of the damage or disruption they make possible.
Getting a handle on your own organization's compromised credentials is one task; those of your third-party services are another. Third-party services are increasingly interconnected with the organizations they serve. They often share systems and data, but they may not share the same strength of security controls. A third-party service in turn usually relies on its own third parties, producing a dizzying maze of online assets with widely varying security. Compromised credentials give threat actors an easy entry point into the third party's network, which they can use as a launch pad for targeting your own organization: deploying phishing campaigns, installing malware, and selling or destroying your data. 19% of breaches worldwide were caused by a compromised business partner.
Because a compromised-credential attack damages both stakeholder trust and the bottom line, organizations must adopt strategies for protecting themselves against compromised-credential attacks originating in their supply chain.
How Are Credentials Compromised?
Compromised credentials give threat actors the keys to the kingdom, and their value is high enough that actors work this attack vector relentlessly. Some of the most prevalent methods are:
Phishing Campaigns: A cost-effective attack vector in which a threat actor emails employees and tricks them, for example by impersonating a trusted entity such as a bank or by appealing to emotion, into clicking a malicious link or divulging sensitive information.
Brute Force Attacks: Threat actors use tools that generate candidate passwords automatically and try them against an account until one succeeds. Users who choose short or simple passwords are particularly vulnerable, and the recycled passwords mentioned above make the related technique of credential stuffing, in which passwords exposed in one breach are tried against other services, just as effective.
Insider Threats: Sometimes employees share credentials innocently by not following security protocols; other times disgruntled employees deliberately steal credentials and sell them to other threat actors for financial gain.
Malware: Malware installed on an endpoint or within the network can capture credentials without the organization's knowledge. Keyloggers record keystrokes, and information-stealing malware harvests saved browser passwords, session cookies and screenshots of login pages, giving threat actors what they need to take over the account.
How Can You Combat It?
Audit Your Vendors: Before onboarding or purchasing a third-party service, perform a comprehensive risk assessment covering its security controls and incident response. This lets you understand the risk it poses, including any already-compromised credentials and the likelihood of related attacks, before it is integrated with your environment.
Use the Principle of Least Privilege (PoLP): Do not give third-party vendors more access than they need to do the job. Limiting their access also limits the avenues a threat actor who has compromised the third party can use to move laterally into your own environment. Review that access periodically; a vendor whose engagement has ended should have none.
Apply Zero Trust Security: Acknowledging that threat actors exist both within and outside the network helps protect your organization. This model does not treat correct credentials alone as sufficient proof that a user may access data. Each access request must satisfy several checks, such as multi-factor authentication (MFA), device health and location, before permission is granted. Even if a threat actor holds a valid third-party credential, those additional checks still stand between them and your data.
How can Intel 471 Help?
Bring visibility to third-party risks. We provide unique cyber threat intelligence (CTI) by augmenting automated collection with a global network of analysts. The following capabilities allow us to help customers defend swiftly against attacks stemming from third-party compromised credentials.
Continuous Monitoring: We continuously monitor for relevant compromised credentials and alert your organization as soon as they appear in the cyber underground; the sooner you know about an exposure, the sooner you can inform the third party and restrict its access until the issue is addressed. Our CTI also lets you differentiate newly compromised credentials from older, repackaged releases so that you can escalate your incident response to the appropriate level.
Unique Visibility: Intel 471 locates compromised credentials in sources unique to our research capability, including threat actors, account marketplaces, infected machines and malware sources. This coverage allows us to alert you as soon as credentials relevant to you are identified so you can respond as quickly as possible.
Map an Attack Surface: Intel 471 identifies known, unknown and rogue assets within an attack surface. From a long-forgotten API endpoint to a misconfigured cloud storage bucket, you can locate the exposures a threat actor might leverage to compromise credentials and alert your third parties to them.
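The triage step described under Continuous Monitoring above, separating newly exposed credentials from repackaged ones and escalating by which third party they belong to, can be illustrated in code. The following is an added example written for this page; it is not Intel 471 code and does not use any Intel 471 API. The feed records, the vendor inventory and the corpus of previously seen exposures are all constructed sample data, and the fingerprinting and escalation rules are assumptions chosen for the illustration.

```python
"""Triage a feed of compromised-credential observations against the
third parties an organization monitors.

Constructed example: the feed, the inventory and the previously seen
exposure corpus below are invented sample data, not any vendor's output.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Domains we monitor and the access each owner holds in our environment.
# Assumed inventory; the access level drives how far an alert escalates.
VENDOR_INVENTORY = {
    "example.com": ("own organization", "privileged"),
    "payroll-vendor.example": ("Payroll Vendor", "privileged"),
    "newsletter-tool.example": ("Newsletter Tool", "limited"),
}


@dataclass(frozen=True)
class Exposure:
    email: str
    password: str
    source: str  # constructed labels such as "combo list", "stealer log"


def fingerprint(email: str, password: str) -> str:
    """Stable identity for one credential pair.

    Normalizing the email lets a repackaged dump match even when the case
    or surrounding whitespace changed; hashing keeps the plaintext out of
    the tracking store that remembers what has already been handled.
    """
    norm = email.strip().lower()
    return hashlib.sha256(f"{norm}\x00{password}".encode()).hexdigest()


def domain_of(email: str) -> str | None:
    """Return the domain part of an address, or None for malformed input."""
    email = email.strip().lower()
    if email.count("@") != 1 or email.endswith("@"):
        return None
    return email.rsplit("@", 1)[1]


def triage(feed: list[Exposure], known: set[str],
           inventory: dict = VENDOR_INVENTORY) -> list[dict]:
    """Classify each monitored exposure as new or repackaged and assign severity."""
    alerts = []
    for exp in feed:
        domain = domain_of(exp.email)
        if domain is None or domain not in inventory:
            continue  # malformed, or neither ours nor a monitored third party
        owner, access = inventory[domain]
        fp = fingerprint(exp.email, exp.password)
        if fp in known:
            status, severity = "repackaged", "low"   # already handled earlier
        else:
            status = "new"
            severity = "high" if access == "privileged" else "medium"
        alerts.append({"owner": owner, "email": exp.email.strip().lower(),
                       "status": status, "severity": severity,
                       "source": exp.source})
    return alerts


def notifications(alerts: list[dict]) -> dict[str, list[str]]:
    """Group only the genuinely new exposures by the third party to inform."""
    out: dict[str, list[str]] = {}
    for a in alerts:
        if a["status"] == "new":
            out.setdefault(a["owner"], []).append(a["email"])
    return out


def demo() -> list[dict]:
    # Exposures dealt with in an earlier dump (constructed).
    known_exposures = [
        Exposure("alice@payroll-vendor.example", "Winter2023!", "combo list"),
        Exposure("bob@newsletter-tool.example", "password1", "combo list"),
    ]
    known = {fingerprint(e.email, e.password) for e in known_exposures}
    # Today's feed (constructed): one re-release with cosmetic changes, one
    # genuinely new password for the same user, one new user, one repeat,
    # one unmonitored domain and one malformed record.
    feed = [
        Exposure(" Alice@Payroll-Vendor.example ", "Winter2023!", "combo list"),
        Exposure("alice@payroll-vendor.example", "Spring2024!", "stealer log"),
        Exposure("carol@newsletter-tool.example", "qwerty", "stealer log"),
        Exposure("bob@newsletter-tool.example", "password1", "combo list"),
        Exposure("dave@unrelated.example", "hunter2", "combo list"),
        Exposure("not-an-email", "x", "combo list"),
    ]
    return triage(feed, known)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
    print(notifications(demo()))
```

The two alerts for alice illustrate the point of fingerprinting the pair rather than the address: the re-release of her old password is downgraded as repackaged, while the fresh password from a stealer log is escalated because the vendor holds privileged access.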