The cyber threat landscape is undergoing an important shift as attackers choose stealthy credential-based attacks over malware. An annual threat report published by CrowdStrike last month revealed that 68% of threat detections from the past three months were malware-free. Because these attacks rely on compromised credentials and tools already present on the system rather than on malicious code, traditional antivirus tools have difficulty detecting them. Adversaries can masquerade as legitimate users, all the while probing the system for opportunities to increase their access privileges and draw closer to their objectives.
The report also showed that bad actors are capitalizing on these attacks more rapidly. On average, attackers only needed an hour and 32 minutes to begin moving laterally through a system after an initial breach—three times faster than last year’s average—leaving incident responders a narrow window of opportunity to identify and contain the attack before it metastasizes. These breaches can be devastating if they go undetected, as evidenced by the recent SolarWinds and Colonial Pipeline attacks, both of which were perpetrated using compromised credentials.
As criminals change their tactics to evade cyber defenses, organizations need to adapt their security posture in response. Fortunately, there are a number of proven strategies you can use to protect against credential hijacking, several of which are based on the growing trend toward zero trust architectures.
Use Multi-Factor Authentication
Perhaps the simplest and most effective step organizations can take to prevent credential hijacking is enforcing multi-factor authentication. Requiring an additional authentication factor, such as a physical token or a single-use code sent to a mobile phone, drastically reduces the odds that attackers will infiltrate a network with compromised credentials alone.
Control Privileged Access
Compromising privileged accounts, such as administrator and service accounts, is a key goal of adversaries attempting to move laterally within a network. Organizations should maintain a full inventory of these high-risk accounts, subject them to enhanced monitoring and perform regular audits to ensure they are promptly removed when no longer needed.
Monitor Behavior
Attackers using hijacked credentials may be invisible to signature-based detection methods, but there are telltale signs that behavior analytics tools can look for to spot an impostor. By deploying these tools alongside a security information and event management (SIEM) solution, organizations can establish baseline patterns representing normal behavior for each account. When activity deviates from that baseline, automated alerts can be raised to prompt further investigation.
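The baseline-and-deviation approach described above, as an added illustration that is not code from the article or any vendor product. It builds a per-account baseline (usual login hours and usual source-to-destination host pairs) from a training period of constructed SIEM authentication events, then flags off-hours logins and a burst of never-before-seen destination hosts, the pattern the earlier lateral-movement figures describe; the log format, account and host names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample SIEM authentication events (not from the article), one per line:
# "<ISO timestamp> <account> <source host> <destination host>"
BASELINE_LOG = """
2024-03-04T09:12:00 jdoe WS-14 FILESRV-01
2024-03-04T10:40:00 jdoe WS-14 MAIL-01
2024-03-05T14:30:00 jdoe WS-14 FILESRV-01
""".split("\n")
RECENT_LOG = """
2024-03-11T02:25:00 jdoe WS-14 DC-01
2024-03-11T02:40:00 jdoe DC-01 SQL-02
2024-03-11T03:05:00 jdoe DC-01 BACKUP-01
""".split("\n")

def parse(lines):
    """Turn raw log lines into sorted (timestamp, account, src, dst) tuples."""
    events = []
    for line in lines:
        if line.strip():
            ts, account, src, dst = line.split()
            events.append((datetime.fromisoformat(ts), account, src, dst))
    return sorted(events)

def build_baseline(events):
    """Per account: the (source, destination) pairs and login hours seen in the training period."""
    baseline = defaultdict(lambda: {"pairs": set(), "hours": set()})
    for ts, account, src, dst in events:
        baseline[account]["pairs"].add((src, dst))
        baseline[account]["hours"].add(ts.hour)
    return baseline

def detect_deviations(baseline, events, window=timedelta(hours=2), min_new_hosts=3):
    """Return (account, reason, timestamp) alerts for logins that depart from the baseline."""
    alerts, new_hosts = [], defaultdict(list)
    for ts, account, src, dst in events:
        b = baseline.get(account, {"pairs": set(), "hours": set()})  # unknown account: everything deviates
        if ts.hour not in b["hours"]:
            alerts.append((account, "login outside usual hours", ts))
        if (src, dst) not in b["pairs"]:
            new_hosts[account].append((ts, dst))
    # Lateral-movement heuristic: several never-before-seen destinations inside one short window
    for account, hits in new_hosts.items():
        for t0, _ in hits:
            hosts = {d for t, d in hits if t0 <= t <= t0 + window}
            if len(hosts) >= min_new_hosts:
                alerts.append((account, f"{len(hosts)} new hosts within {window}", t0))
                break
    return alerts
```

Thresholds such as the two-hour window and three new hosts are starting points to tune against each environment's own baseline, and the same structure extends to other features a SIEM exposes (source IP ranges, authentication type, failed-logon counts).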
Enlist Expertise
Cyber threats are constantly adapting and evolving to outmaneuver organizations’ defenses. Enlisting support from experienced cybersecurity experts, who understand the latest trends and developments in the field, will help your organization stay one step ahead of the bad guys.