Protecting your credentials is one of the most important things you can do to defend yourself from ransomware and other cyberattacks. There are thousands of articles on password managers, best practices, and multi-factor authentication. Network domains, SaaS applications, and other systems often require complex passwords in the credential set, and even the most basic computer user has been told not to share passwords. So, why are we still talking about this topic?
The 2021 Verizon Data Breach Investigations Report (DBIR) reveals that threat actors value credentials more than any other data type, including personal data such as Social Security numbers. Stolen credentials can lead to system intrusion, data exfiltration, malware infection, and many types of fraud. The same report finds that 80% of all basic web application attacks and at least 60% of all ransomware attacks rely on stolen credentials or brute force attacks. Credential stuffing attacks are a factor in 23% of security incidents in the organizations monitored for the report.
The most dangerous stolen credentials are those that remain active after they have been stolen. Attackers want to log into the targeted system as authenticated users. This allows them to traverse the systems as an authorized user and often extends the length of time they can hide from intrusion detection. Current credentials are especially important to nation-state actors and big-game hunters.
Ways credentials are used in cyberattacks
Obsolete credentials may be less valuable, but there are still several ways for attackers to use old login information. This is underscored by the fact that stolen data is almost always sold to other attackers, and larger data sets are often sold at higher prices. Here are a few different ways that credentials are used in cyberattacks:
Unauthorized access: The most obvious use of a credential set is the one mentioned above. Criminals use login information to access a system and proceed with the attack.
Credential stuffing: This is an automated attack that attempts to log into web applications by rotating through sets of stolen credentials. It doesn’t matter if the credentials are current or outdated, because the credential set is being used on many different web applications.
It may help to think of your user ID and password as a single physical key to a locked door. Imagine a criminal with a bag of keys just like yours, trying each one on the door to see if he can get in. The door could lead to a bank, retailer, healthcare portal, HVAC management system, or any other online service. If the key works, then he’ll have access to everything your key will open. If the key doesn’t work, it really doesn’t matter to him. He has millions of keys and an army of bots using them on many different doors at the same time.
Multiple surveys reveal that passwords are often reused and shared, which means there’s a fair chance that some of those stolen credentials will work on more than one system. Credential stuffing is a very common attack.
Password spraying: This attack is like credential stuffing, but it rotates through a list of user accounts paired with the same password for all. In our handy criminal-door-key scenario, the key represents a single password rather than a complete credential set. Once the criminal has tried one key on all the doors, he returns to the first house with a different key. This is most effective on systems that use default passwords, like routers, CCTV cameras, and other smart devices. This attack is a good example of why criminals value a verified username, even without a password attached.
Brute force: Many people compare this attack to using a battering ram on a door, but I find it more akin to picking a lock. A brute force attack attempts to log into a system by pairing a username with an automated attempt to discover a password by “systematically trying every possible combination of letters, numbers, and symbols” until the attack is successful. Most of these attacks start with wordlists, common passwords, and smart rulesets before attempting to construct the password using all possible combinations. Given enough time, all brute force attacks will work. If the passwords are complex and not already in a wordlist, a brute force attack could take years to finally guess the correct password.
How to defend against these types of attacks
Although there are significant awareness and enforcement efforts around password security, businesses are still falling victim to attacks that start with weak or exposed credentials. Protecting your credentials must be a priority in your security plan. Implementing best practices in password management is an important first step, but it’s not enough. Companies should deploy inbox defense that protects users from phishing attempts and implement security awareness training that teaches end-users about phishing and other email attacks. Deploying the right application and edge security will also protect your business from ‘credential guessing’ attacks.
One simple step that you can take right now is to check your inboxes for latent threats. The free Barracuda Email Threat Scanner identifies malicious emails that have made it through your security and put your company at risk. The threat scan is fast and safe, and there is no impact on email performance. Get started here.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology and project management credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.
Connect with Christine on LinkedIn here.