Decentralized identity and verifiable credentials, SSO/MFA

Credential Theft Protection: Defending Your Organization’s Data

Share

Cyberattacks often begin with reconnaissance. Before they launch an attack, threat actors poke and prod at an organization’s defenses, looking for vulnerabilities. If you’ve invested in robust cybersecurity solutions, you may feel you’re protected against that threat.

But what if your attackers don’t target your corporate network? What if, instead, they target your employees? And what if your employees don’t even know they’re being targeted?

This is the threat posed by credential theft, one of the most commonly used methods of illegal access. If these criminals get their hands on the right user credentials, they can steal sensitive information, commit financial fraud, and even hold your systems and data hostage.

It's not enough to know that an attack is possible. Your organization needs to take proactive steps to defend against credential theft. By combining advanced technology and strict security policies, you can avoid a breach and save your organization millions.

Understanding Credential Theft

Credential theft is when threat actors steal the usernames, passwords, or other access methods of an organization in order to get into its systems. Attackers often use social engineering to gain employee credentials. For example, they might send an email posing as IT to request login information or use a compromising secret to blackmail an employee. Whether they're tricking, manipulating, or coercing for login information, these attackers can work their way into your network and start causing havoc. At that point, everything from data manipulation to ransomware is on the table.

How data breaches lead to credential theft

Social engineering isn't the only way threat actors obtain credentials they shouldn't have. In fact, stolen credentials are part of a vicious cycle in cybersecurity. After a successful data breach, attackers often sell the credentials they steal on the dark web. Other attackers buy them, use them to perpetrate breaches of their own, and then sell the credentials they've stolen to more criminals. This cycle has contributed to a 643% increase in data theft attacks over the past three years.

Differentiating between credential theft and identity theft

Credential theft is similar to identity theft, but the two are distinct. Identity theft targets personal information like social security numbers or credit card numbers. Threat actors intend to use that information to impersonate the victim and ultimately commit financial fraud.

When a threat actor performs credential theft, they're only targeting a person's login information. Their aim is to get access to accounts and systems that person uses.

That said, credential theft can play a part in identity theft. For example, when an attacker steals someone's username and password to access their bank account, that's credential theft. If they use that login information to buy something under their victim's name, that would expand the crime to include identity theft.

Common Techniques Used in Credential Theft

Phishing: The frontline attack strategy

Say an email arrives in your inbox that appears to be from your bank. You open it and read that you need to log into your account to fix an error or the bank will freeze your account. The email includes a link you can follow to do the fixing. But as you keep reading, you notice typos and unusual phrases that don't sound like previous emails from your bank. What's going on?

This is a classic phishing attempt: an email designed to trick you into handing over credentials. Attackers frequently impersonate organizations you trust to get you to believe their message is genuine without closely inspecting it. If you had followed that link and tried to log in, it's likely a threat actor was waiting on the other side to copy down your information and use it against you.

Email phishing attacks are just one of several kinds of phishing attacks. Others include SMS phishing, QR code phishing, and HTTPS phishing.

The role of advanced persistent threats (APTs)

Individual threat actors are bad enough, but the danger grows significantly when advanced persistent threats (APTs) get involved. APTs are sophisticated groups of cyber criminals that are often sponsored — or even controlled — by nation-states. They're able to use a variety of techniques to try to steal your employee's credentials. Some are purely virtual, such as zero-day exploits, custom malware, and n-day exploits. Others can cross into the real world, such as social engineering or physical infiltration.

APTs target both other nation-states and enterprises working within them. Just ask the more than 2,300 public and private organizations hit in the 2017 NotPetya ransomware attack. Keeping them out requires constant vigilance and a resilient security posture.

The emergence of credential-stuffing attacks

There's a reason cybersecurity professionals warn against reusing passwords. When login credentials hit the dark web after a breach, threat actors buy them up in bulk and feed them to bots. Those bots then run all the credentials in the set on a huge number of websites and applications. If any one of those locations accepts the same username and password combination, the threat actors have gained a new opportunity to exploit its owner.

How Credential Theft Impacts Organizations

Financial repercussions and loss of trust

Once they've stolen your credentials, the first thing most threat actors will do is go for your finances. They'll commit fraud with your funds, draining your accounts or making unauthorized transactions.

But money is only the beginning. A breach can leave a much longer tail of havoc in terms of reputational damage. When customers know your organization has let their data fall into the hands of cyber criminals, they lose trust in it. They now have every incentive to take their business elsewhere. After all, if it happened once, what's to stop it happening again?

Legal consequences and compliance violations

As if the breach itself weren't bad enough, it can also create a fallout of compliance-related and legal punishments. Organizations that handle private health information (PHI) have to worry about fines from the Department of Justice's Office of Civil Rights, which has levied $142,663,772 in fines since 2003 for HIPAA violations. Merchants can see fines up to $500,00 per PCI DSS violation. In some cases, customers can even sue an organization after a data breach, which can lead to costly settlements.

Proactive Strategies for Defending Against Credential Theft

Implementing strong password policies

Passwords are your company's first line of defense against threat actors. Even though 91% of people understand that reusing passwords creates a security risk, the average employee still uses the same password for around 13 different accounts. People also tend to use fairly weak passwords: 64% of passwords contain just eight to 11 characters.

Your organization needs to put tools and policies in place to protect employees from themselves. They should be required to create passwords that are long and complex, using uppercase and lowercase letters, numbers, and special characters. Passwords should then be updated regularly. A password manager can make both of these policies much more convenient to follow, and that’s important. After all, policy doesn't mean much without adherence.

The importance of multi-factor authentication (MFA)

Multi-factor authentication can go a long way toward shoring up your defenses. With MFA, threat actors would need to steal not just employee credentials, but also gain access to all the other authentication factors. That double layer of defense can drastically lower the risk of credential theft and protect your networks and data.

Regular security audits and employee training

If employees don't understand your security policies, they're going to have a hard time executing them. You can combat that by training them on key cybersecurity issues and how to handle them. Take the time to explain how phishing, social engineering attacks, and credential theft work, and you'll give your team the best chance possible to keep the organization safe.

Of course, one-off training can't guarantee perpetual safety. Threat actors work every day to get past your defenses. If you don't perform regular audits of those defenses, they may find vulnerabilities before you do. Kicking the tires every so often helps you stay one step ahead.

Leveraging advanced security technologies

Staying secure requires a network of technologies and solutions that reinforce one another. This list of suggestions can start you on your way:

  • Mobile endpoint security can detect and respond to phone-focused phishing attempts in real time.
  • Threat intelligence leverages mobile telemetry to track APT activity, revealing the latest attack strategies so you're prepared to defend against them.
  • Zero-trust policies go beyond credentials by monitoring user activity, spotting abnormalities, and reacting to prevent misuse.

Keeping Credentials Secure 

In the modern kill chain, credential theft is just the beginning. With the access it provides, threat actors can run wild on an unprepared system. To keep your data secure — whether it's on mobile devices or in the cloud — you need a strategy that prepares employees for attempts to steal their credentials. That strategy also needs to incorporate both traditional endpoints and smartphones, which have become increasingly common points of attack for threat actors.

What does all of this look like in practice? Watch the free Lookout webinar Understanding the Modern Kill Chain to Keep Data Secure in 2024 to learn from two real-world examples. Threat actors are always hunting for new ways into your systems. With Lookout, you can stay a step ahead.

Blog courtesy of Lookout. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program. Read more Lookout news and guest blogs here.