Five lessons in credential theft

Credential theft is one of the most common methods cybercriminals use to successfully breach and manoeuvre within an organisation to steal valuable assets.

Stealing credentials is the oldest game in the book and it’s still one of the most effective for cybercriminals. Most breaches involve password theft at some stage of the attack lifecycle. According to the 2016 Verizon Data Breach Incident Report (DBIR), nearly two-thirds of the breaches analysed were, in some part, the result of stolen credentials.

Traditional approaches to stopping credential phishing are rudimentary, manual, limited, and rely primarily on educating employees and classifying a phishing site before someone encounters it.

If the organisation’s security products miss a new phishing site, the only recourse is hoping the user doesn’t enter their credentials. Password-only approaches to authentication are still common due to the traditional complexities of implementing multi-factor authentication, leaving many applications exposed to simple credential abuse-based access by attackers.

There are five lessons to learn when it comes to credential theft:

1. Nearly every breach uses stolen credentials

About 63 per cent of breaches involved stolen credentials, and phishing was present in around 90 per cent of those cases. Only three per cent of the people who received such attacks were contacted by their security team about them.*

2. General purpose phishing is not targeted phishing

The attackers who set out to breach a specific organisation use far more discretion to avoid detection, and far more sophistication, than is commonly seen in consumer-facing phishing.

3. Attackers use stolen credentials to access and roam the network

Once inside, they often steal additional credentials until they reach the network resources they are interested in. Typically, such access goes completely unnoticed, because each individual logon is valid and does not trigger the events that would prompt administrators to investigate further.
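As an added illustration (not code from the original article), one way to make the kind of roaming described above visible is to look at the spread of a single account across hosts rather than at individual logons: the detector below, run over a constructed sample of successful logon events, flags any account that reaches more distinct target hosts within a short window than a baseline allows. The log format, the hostnames and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful logon events.
# Fields: timestamp, account, source host, target host (format is an assumption).
SAMPLE_EVENTS = """\
2016-06-01T09:00:12 alice ws-alice fileserver01
2016-06-01T09:05:30 bob ws-bob fileserver01
2016-06-01T13:10:01 jdoe ws-jdoe fileserver01
2016-06-01T13:10:45 jdoe ws-jdoe hr-db01
2016-06-01T13:11:20 jdoe ws-jdoe finance-app02
2016-06-01T13:12:05 jdoe ws-jdoe build-srv03
2016-06-01T13:13:40 jdoe ws-jdoe backup01
2016-06-01T15:00:00 alice ws-alice mail01
"""


def parse_events(text):
    """Parse one event per line into (timestamp, account, src_host, dst_host) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst))
    return events


def find_roaming_accounts(events, window=timedelta(minutes=10), max_hosts=3):
    """Return {account: hosts} for every account that successfully logged on to
    more than max_hosts distinct target hosts inside any sliding time window.
    Each logon on its own is legitimate; only the spread across hosts stands out."""
    by_account = defaultdict(list)
    for ts, account, _src, dst in sorted(events):
        by_account[account].append((ts, dst))
    flagged = {}
    for account, logons in by_account.items():
        for i, (start, _) in enumerate(logons):
            hosts = {dst for ts, dst in logons[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                flagged[account] = hosts
                break
    return flagged


if __name__ == "__main__":
    for account, hosts in find_roaming_accounts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{account}: {len(hosts)} hosts in window -> {sorted(hosts)}")
```

The baseline (three hosts in ten minutes) is deliberately conservative; in practice it would be set per account role from observed history.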

4. It’s hard to stop phishing by just detecting and blocking

Traditionally, organisations filter email and hope users avoid clicking the suspicious links that slip through. Attackers are finding new ways to bypass that filtering altogether, such as delivering lures through social media messaging or SMS.

5. Passwords are still a problem as they tend to be weak

At the same time, it is extremely hard for organisations to roll out alternatives to passwords at scale, which makes eliminating passwords very difficult.

Despite the problem being well known, businesses are struggling to prevent credential theft and abuse. Organisations need to get on top of this to avoid losing valuable company information, a loss that could seriously jeopardise company operations.

It’s important businesses realise the risk of credential theft is very real and needs to be carefully managed. Prevention is the key to achieving this.

* Verizon 2016 Data Breach Investigation Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/

Brian Tokuyoshi, senior solutions analyst, Palo Alto Networks