Enterprise security attackers are one password away from your worst day

  • 4/16/2021 - 17:20

If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cybersecurity industry is insane.

Criminals continue to innovate with highly sophisticated attack methods, but many security organizations still use the same technological approaches they did 10 years ago. The world has changed, but cybersecurity hasn't kept pace.

Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn't be more excited. The same technology approaches, like correlation rules, manual processes and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.

Credentials are supposed to be the front gate of the castle, but a SOC that fails to change its methods also fails to detect when that gate has been breached. The cybersecurity industry must rethink its strategy, analyze how credentials are actually used, and stop breaches before they become bigger problems.

It's all about the credentials

Compromised credentials have long been a primary attack vector, but the problem has only grown worse in the midpandemic world. The acceleration of remote work has increased the attack footprint as organizations struggle to secure their network while employees work from unsecured connections. In April 2020, the FBI said that cybersecurity attacks reported to the organization grew by 400% compared to before the pandemic. Just imagine where that number is now in early 2021.

It only takes one compromised account for an attacker to gain a foothold in Active Directory and, after escalating privileges, create accounts and credentials of their own. In such an environment, every user account should be treated as potentially compromised.

Nearly all of the hundreds of breach reports I've read have involved compromised credentials. More than 80% of hacking breaches are now enabled by brute force or the use of lost or stolen credentials, according to the 2020 Data Breach Investigations Report. One of the most effective and commonly used techniques is credential stuffing, in which adversaries replay username and password pairs leaked from one breach against other services; once a login succeeds, they exploit the environment and move laterally to gain higher-level access.

One doesn't need to look far to find major companies and government agencies that have fallen victim to these attacks. Even for the most secure entities, it can just be a matter of time. Last year's SolarWinds breach, which went unnoticed from at least March to December, enabled Russian actors to breach U.S. government agencies and companies like Microsoft and FireEye. Alongside the trojanized Orion update that gave the attackers their main foothold, a CISA alert from mid-December reported that they also used password guessing and password spraying and abused inappropriately secured administrative credentials to reach systems. This initial access, along with the rest of the attack, was so stealthy that it took months to detect the breach, long after the damage had already occurred.

Events like these are nothing new. In April 2019, Dominion Healthcare revealed its system was breached with unauthorized access that occurred a whopping nine years earlier. Organizations like GoDaddy, Twitter, Amtrak and the U.S. Department of Justice have all experienced credential-enabled attacks that happened right underneath their noses.

It's no secret that the explosion in remote work has dramatically increased the risk of being breached. In April 2020, hackers obtained nearly 25,000 email addresses and passwords belonging to the National Institutes of Health, the World Health Organization and the Gates Foundation, according to the Washington Post. And in May, a hacking group called ShinyHunters claimed to have stolen 200 million records with credentials from at least 13 companies, according to Wired.

A password away from pay dirt

Attackers continue to evolve. The rise in phishing and the growing number of compromised credentials floating around the dark web represent a grave threat to all organizations. However, security teams have largely not changed in response. And we can't expect results to change by continually using the same approaches that leave the keys to the kingdom unguarded.

The current risks aren't just technology problems; they’re also problems of people and processes. Hackers continually exploit credentials because it's easy, and they remain the path of least resistance. All the while, IT departments are on wild goose chases fielding thousands of investigations from threat detection tools. This strategy is not only ineffective, it’s also inefficient, unsustainable and leaves teams scrambling to cure the symptoms while doing nothing to address the underlying illness of compromised credentials.


Compounding the issue, many organizations are looking to encryption and virtual private networks (VPNs) to better secure their devices and workers — but these tools are not the answer. A VPN offers little protection once an attacker obtains valid VPN credentials and uses them to get inside the network. As VPNs have grown in popularity, criminals have also doubled down on strategies to exploit them. In fact, the National Security Agency issued a cybersecurity advisory in July 2020 warning that VPN gateways, in particular, are "prone to network scanning, brute force attacks and zero-day vulnerabilities."

Detection will always play a role in addressing symptoms of cyberattacks, but it is ultimately like looking for a needle in a stack of needles. What we now need is an organizational change that will holistically fix the problem. We must rethink our strategy by getting the most out of existing tools, focusing on the most significant risk areas and connecting the data and the dots to see how breaches happen.

Finding the needle in the needle stack

IT organizations must shift their enterprise security strategy to detect credential-based attacks before they become a problem. Only a combination of technology, people and processes can learn what normal employee behavior looks like, especially around credential use, and immediately call out anomalous, potentially dangerous activity. Teams also need a playbook that automates how security incidents are identified and how to respond to phishing, malware or insider threats. With a framework like MITRE ATT&CK, investigators can learn more about attackers' behaviors and tactics. Automated and repeatable processes also lead to repeatable outcomes.

By having the ability to immediately see how domain credentials are being used, where accounts are moving laterally and which accounts are escalating to administrative privileges, organizations can defend against many of these attacks as they happen. While gaining visibility into credential usage may not stop every attack, it can minimize damage by identifying exactly how and when a criminal has breached the gates.
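To make the two paragraphs above concrete, here is an added example (not code from the original article or any product it alludes to) that runs three credential-use detections over a handful of constructed Windows Security events: a password spray of the kind described in the SolarWinds passage (one source, many accounts, a failure or two each), lateral movement measured against a learned per-account baseline of "normal" hosts, and an account being added to a privileged group. A final step correlates the three so that a sprayed account which then fans out or gains admin rights is surfaced, rather than every sprayed account on its own. The event records and their simplified field names are assumptions made for this example, not a real log export.

```python
"""Credential-abuse detections run over constructed Windows Security events.

Added example, not code from the original article. The records below are
constructed to resemble Windows Security log events (4625 failed logon,
4624 successful logon, 4728/4732/4756 member added to a security group);
the simplified field names ("user", "src", "host", "group", "actor") are an
assumption of this example, not the real export format.
"""
from collections import Counter, defaultdict

SPRAYED = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]

# Constructed sample events, not from any real environment.
EVENTS = (
    # Password spray: one source, many accounts, a single failure each.
    [{"id": 4625, "user": u, "src": "10.0.0.99", "host": "DC01"} for u in SPRAYED]
    + [
        # Normal logons that match the learned baseline.
        {"id": 4624, "user": "alice", "src": "10.0.1.5", "host": "WS-ALICE"},
        {"id": 4624, "user": "bob", "src": "10.0.1.6", "host": "WS-BOB"},
        # Lateral movement: bob fans out to hosts he has never used.
        {"id": 4624, "user": "bob", "src": "10.0.1.6", "host": "FS01"},
        {"id": 4624, "user": "bob", "src": "10.0.1.6", "host": "SQL01"},
        {"id": 4624, "user": "bob", "src": "10.0.1.6", "host": "DC01"},
        {"id": 4624, "user": "bob", "src": "10.0.1.6", "host": "WS-ALICE"},
        # Privilege escalation: bob (actor) adds bob (user) to Domain Admins.
        {"id": 4728, "user": "bob", "actor": "bob", "group": "Domain Admins", "host": "DC01"},
    ]
)

# "Normal" hosts per account, as a SOC would learn them from weeks of logons.
BASELINE = {"alice": {"WS-ALICE"}, "bob": {"WS-BOB"}}

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def detect_password_spray(events, min_accounts=5, max_failures_per_account=2):
    """Spray signature: one source fails against many accounts, few tries each.

    A brute force against a single account looks the opposite way (one account,
    many failures), so the per-account cap keeps the two patterns apart.
    """
    per_src = defaultdict(Counter)
    for e in events:
        if e["id"] == 4625:
            per_src[e["src"]][e["user"]] += 1
    return [
        {"src": src, "accounts": sorted(users)}
        for src, users in per_src.items()
        if len(users) >= min_accounts and max(users.values()) <= max_failures_per_account
    ]


def detect_lateral_movement(events, baseline, new_host_threshold=3):
    """Flag accounts that log on to more never-before-seen hosts than allowed."""
    new_hosts = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e["host"] not in baseline.get(e["user"], set()):
            new_hosts[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in new_hosts.items() if len(h) >= new_host_threshold}


def detect_privilege_escalation(events, privileged=PRIVILEGED_GROUPS):
    """Group-membership changes that land an account in a privileged group."""
    return [
        {"user": e["user"], "group": e["group"], "actor": e["actor"]}
        for e in events
        if e["id"] in (4728, 4732, 4756) and e["group"] in privileged
    ]


def correlate(events, baseline):
    """Connect the dots: accounts that were sprayed and then moved or escalated.

    A sprayed account on its own is a target, not a compromise; the same
    account fanning out to new hosts or gaining admin rights afterwards is
    the signal worth paging on.
    """
    sprayed = {u for hit in detect_password_spray(events) for u in hit["accounts"]}
    moved = set(detect_lateral_movement(events, baseline))
    escalated = {h["user"] for h in detect_privilege_escalation(events)}
    return sorted(sprayed & (moved | escalated))


if __name__ == "__main__":
    print("spray:", detect_password_spray(EVENTS))
    print("lateral:", detect_lateral_movement(EVENTS, BASELINE))
    print("escalation:", detect_privilege_escalation(EVENTS))
    print("correlated:", correlate(EVENTS, BASELINE))
```

The thresholds (five accounts, two failures, three new hosts) are illustrative starting points; in practice they are tuned per environment, and the baseline would be learned from historical logon data rather than hard-coded. The correlation step is the part that turns three noisy alert streams into one actionable finding, which is the "connecting the dots" the article calls for.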

If you and your security team are ever feeling stuck — just remember — it's the credentials.
