How many user accounts do you have? Emails, social media, online shopping, streaming services—and that doesn’t even begin to account for professional logins. By the time you add them all up, it’s likely one hundred or more unique accounts.
According to NordPass, the average user maintains 168 logins for personal purposes and at least 87 more for the workplace. That is an extraordinary number of credentials to keep safe, and threat actors know it is only a matter of time before a user makes a wrong move and enters those credentials somewhere they shouldn’t. This is why, inevitably, attackers manage to swipe a pair (or two) and slip quietly into a network.
When that happens, the team is effectively dealing with a rogue insider threat (even though the “insider” is nothing more than a threat actor who has compromised a legitimate account), and organizations can prepare for that exact circumstance. Solutions like penetration testing and red teaming help security teams see what an attacker sees, look for what an attacker would look for, and shore up the weaknesses an attacker would otherwise exploit.
In that spirit, here are a few tips to proactively harden your environment against compromised credentials.
Compromised Credentials: What’s At Stake
In a word: everything. Credentials might not be the “keys to the kingdom,” but they can certainly help to unlock the door. Once compromised, cybercriminals can walk through the front door both easily and undetected, wreaking as much havoc as a malicious insider – maybe more.
Not only can attackers access everything your employees can, but what’s worse, they can do it without being noticed. Since they got in (and are snooping around) on a legitimate account, a lot of security solutions won’t flag their nosy deeds until much further down the line (probably when it’s too late). If the attacker is accessing things that user is “supposed to access,” there’s no anomaly and no clock on the dwell time.
They could even exfiltrate sensitive data (to which the user has legitimate access) and make a clean escape. So, in other words, compromised credentials give cybercriminals something of a “license to do evil,” making their subsequent actions all the more dangerous.
Pen Testing vs. Compromised Credentials
Granted, when we think of “stolen passwords,” we may not immediately think of penetration testing as an intuitive source of defense. But maybe we should.
Credentials get stolen because there is a chink in the armor: some weakness went undiscovered and was eventually exploited by attackers. Pen testing can help identify weak or already-compromised credentials, as well as weak authentication (e.g., a lack of MFA or of other brute-force protection mechanisms). This helps prevent ransomware attacks, password spraying, and other exploits that target low-hanging fruit.
For example, pen testers can simulate tactics such as credential stuffing, a common attack type that targets reused passwords. By replaying credentials stolen in a breach of one system against the login of another, many pen testers (and, more nefariously, threat actors) gain access to multiple accounts. This works whenever a user has reused the same username, password, or both on more than one site, which is why it is important to use a password manager that can generate strong, distinct passwords for every new site – and keep track of them all.
Additionally, pen testing can provide insight into what could happen after credentials are stolen. These internal pen tests demonstrate how threat actors find and exploit vulnerabilities within a system, such as outdated software, misconfigurations, or weak access controls. For example, an internal pen tester starting with basic credentials could exploit unpatched software to escalate their privileges and gain access to sensitive data. Since the perimeter is never impenetrable, these tests help organizations close gaps internally so that a breach causes limited damage.
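As an added illustration (not code from the original post or from any Fortra tool), the following Python sketch shows what the attacks discussed above look like to a defender in an authentication log: it groups login events by source address, separates brute force against a single account from spraying or stuffing across many accounts, and flags any success that follows failures from the same source. The log format, the thresholds, and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not from the original post): timestamp, result, user, source IP.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:02 FAIL user=bob src=203.0.113.5
2024-05-01T09:00:03 FAIL user=carol src=203.0.113.5
2024-05-01T09:00:04 FAIL user=dave src=203.0.113.5
2024-05-01T09:00:05 OK user=erin src=203.0.113.5
2024-05-01T09:10:00 FAIL user=admin src=198.51.100.7
2024-05-01T09:10:01 FAIL user=admin src=198.51.100.7
2024-05-01T09:10:02 FAIL user=admin src=198.51.100.7
2024-05-01T09:10:03 FAIL user=admin src=198.51.100.7
2024-05-01T09:10:04 OK user=admin src=198.51.100.7
2024-05-01T09:20:00 FAIL user=grace src=192.0.2.9
2024-05-01T09:20:09 OK user=grace src=192.0.2.9
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

def parse_log(text):
    """Parse lines into (timestamp, result, user, src); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events

def classify_sources(text, fail_threshold=4, spray_users=4):
    """Group events by source IP and flag the credential-attack shapes the post describes."""
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        failed_users = {e[2] for e in fails}
        if len(fails) >= fail_threshold and len(failed_users) == 1:
            kind = "brute_force"        # many guesses against one account
        elif len(failed_users) >= spray_users:
            kind = "spray_or_stuffing"  # one or two tries each across many accounts
        else:
            continue                    # a typo followed by a success is normal
        first_fail = min(e[0] for e in fails)  # a later success means a credential worked
        logged_in = sorted({e[2] for e in evs if e[1] == "OK" and e[0] > first_fail})
        findings[src] = {"kind": kind, "targets": sorted(failed_users), "logged_in": logged_in}
    return findings
```

A source that is flagged and also has an entry in `logged_in` is the case the post warns about: a legitimate account now in an attacker's hands, so the login itself will not look anomalous afterwards.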
Red Teaming vs. Compromised Credentials
Red Team engagements put your enterprise to the test in other ways, essentially testing everything to give your detection and response strategy a comprehensive shake-down. Red Teaming helps ensure that a team can detect, contain, and respond effectively to threats. The findings can inform the improvement of security policies and procedures, including the Blue Team’s detection and response.
Why is this beneficial to keeping credentials safe? For the same reason. These are some of the tactics an adversary would employ to pilfer your passwords in the first place:
- Social engineering | Tricking users into giving away valuable information by gaining their trust, intimidating them, or otherwise outwitting them online, getting them to act of their own accord in data-compromising scenarios.
- Brute force attempts | Guessing (often methodically, using a tool) every possible combination of a credential until finally getting it right.
- Cross-site scripting (XSS) attacks | When a threat actor inserts a malicious client-side script into a web page which will execute when the user loads the site.
- Malware | A hazardous program designed to contaminate a network, file, or application, often with the intent to exfiltrate data or compromise a system.
- Password cracking | Using a specially designed application to decipher a password, either to recover it or allow an unauthorized party to discover it.
Red team engagements can also provide “assumed breach” scenarios that focus on post-exploitation activities. While a pen test has a limited scope in order to fully document the weaknesses within a single system or network, red teaming is more goal-focused, allowing the red team to demonstrate how an attacker could potentially gain full control. These scenarios often reveal misconfigurations in internal systems, weak access controls between network segments, or blind spots in security monitoring. The trick is to “hack yourself” first, to test how well your security team identifies the infiltration and whether response measures are effective, so that when cybercriminals come along, they won’t be able to linger long enough to do real damage.
Fortra Pen Testing, Red Teaming, and More
Fortra offers a comprehensive suite of offensive security tools and services for getting the job done and keeping your credentials safe. It includes:
- Penetration Testing | Exploit the top vulnerabilities on your list and see if they’re that big of a problem – or if they’re worse.
  - Core Impact penetration testing software uses accessible automations to enable security teams to efficiently conduct advanced penetration tests.
  - The Core Security Services team (SCS) delivers expert security assessments, penetration tests, and red teaming exercises to help proactively improve your security stance.
- Red Teaming | Put everything else in your enterprise to the test – your network, integrations, EDR and XDR tools, employees, and even your SOC.
  - Cobalt Strike software replicates the techniques of advanced attackers in your environment.
  - Outflank Security Tooling (OST) is a set of evasive attack simulation solutions made “by Red Teamers, for Red Teams,” some of which are too potent for public release.
  - In addition to Core Security Services, Outflank also offers red teaming services to manage your entire red team engagement using their years of offensive security experience, research, and deep knowledge of offensive security techniques and tooling.
- Network and Application Security Tools | Find code weaknesses that could be used to leverage further entry.
  - BeSTORM is a DAST solution that determines weaknesses in a product’s security after it has rolled off the line, without access to its source code, to catch threats only found in a dynamic application.
The more you test your defenses, the more you’ll find mistakes – but don’t worry, that’s the whole point. Many practitioners prefer to stick their heads in the sand and not test because they’re afraid of what they might see (and how it will make them look to higher-ups). Or they’re afraid that they’ll find too many errors and not know where to begin.
Source: https://www.fortra.com/blog/how-proactively-harden-your-environment-against-compromised-credentials