Protecting your credentials is one of the most important things you can do to defend yourself from ransomware and other cyberattacks. There are thousands of articles on password managers, best practices, and multi-factor authentication. Network domains, SaaS applications, and other systems often require complex passwords in the credential set, and even the most basic computer user has been told not to share passwords. So, why are we still talking about this topic?
Threat actors value credentials more than any other data type, including personal data such as Social Security numbers. Stolen credentials can lead to system intrusion, data exfiltration, malware infection, and many types of fraud. The same report finds that 80% of all basic web application attacks and at least 60% of all ransomware attacks rely on stolen credentials or brute force attacks. Credential stuffing attacks are a factor in 23% of security incidents in the organizations monitored for the report.
The most dangerous stolen credentials are those that remain active after they have been stolen. Attackers want to log into the targeted system as authenticated users. This allows them to traverse the systems as an authorized user and often extends the length of time they can hide from intrusion detection.
Ways credentials are used in cyberattacks
Obsolete credentials may be less valuable, but there are still several ways for attackers to use old login information. This is underscored by the fact that stolen data is almost always sold to other attackers, and larger data sets are often sold at higher prices. Here are a few different ways that credentials are used in cyberattacks:
Unauthorized access: The most obvious use of a credential set is the one mentioned above. Criminals use login information to access a system and proceed with the attack.
Credential stuffing: This is an automated attack that attempts to log into web applications by rotating through sets of stolen credentials. It doesn’t matter if the credentials are current or outdated, because the credential set is being used on many different web applications.
It may help to think of your user ID and password as a single physical key to a locked door. Imagine a criminal with a bag of keys just like yours, trying each one on the door to see if he can get in. The door could lead to a bank, retailer, healthcare portal, HVAC management system, or any other online service. If the key works, then he’ll have access to everything your key will open. If the key doesn’t work, it really doesn’t matter to him. He has millions of keys and an army of bots using them on many different doors at the same time.
Brute force: Many people compare this attack to using a battering ram on a door, but I find it more akin to picking a lock. A brute force attack attempts to log into a system by pairing a username with an automated attempt to discover a password by “systematically trying every possible combination of letters, numbers, and symbols” until the attack is successful. Most of these attacks start with wordlists, common passwords, and smart rulesets before attempting to construct the password using all possible combinations. Given enough time, all brute force attacks will work. If the passwords are complex and not already in a wordlist, a brute force attack could take years to finally guess the correct password.
How to defend against these types of attacks
Although there are significant awareness and enforcement efforts around password security, businesses are still falling victim to attacks that start with weak or exposed credentials. Protecting your credentials must be a priority in your security plan. One simple step that you can take right now is to check your inboxes for latent threats. Our free Email Threat Scanner identifies malicious emails that have made it through your security and put your company at risk. The threat scan is fast and safe, and there is no impact on email performance. Contact us today at 502.262.2993 for details on how we can immediately identify malicious emails to prevent attack on your business.