Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Compromised Accounts Are Being Weaponized – Here’s How to Fight Back

Published 07/31/2023

Compromised Accounts Are Being Weaponized – Here’s How to Fight Back

Originally published by Code42.

Written by Christian Wimpelmann.

Compromised user accounts have always been the most significant — and simplest — cybersecurity risk in the enterprise. Stolen credentials were the vector of choice for more than 40% of attacks in 2022, according to Verizon’s 2022 Data Breach Investigations Report. User credentials also comprise 63% of stolen data — clearly showing that your organization isn’t the only one that understands its value.

After all, the easiest way to “get in” to a system or access valuable data or assets is to have the “key” provided by legitimate user credentials. But here’s the part that is alarming: The incidence of compromised credentials and compromised user accounts is on the rise.


Compromised credentials more common in post-pandemic era

According to Microsoft, attacks targeting passwords and user credentials rose by 74% in 2022, at the rate of 921 attacks per second. A stunning 75% of human-operated ransomware attacks were also executed with compromised user accounts that had elevated access. In fact, compromised credentials are now the most common source of cyberattack that organizations are facing.

What’s behind the rise in compromised accounts? Employees were the cause of 22% of data leaks — with 36% of those being performed by disgruntled employees. And as Verizon noted, one of the most popular data types for cybercriminals to gobble up is credentials. Most organizations are adjusting to the idea of a hybrid workforce, and have gone full steam ahead with policies around BYOD, cloud-based apps for productivity and sharing, and more. In the post-pandemic era, this all adds up to a much broader digital landscape — or threatscape. More accounts and more user credentials. More remote and off-network activity. All culminating in a heightened risk of a breach because identity security can’t keep up quickly enough. Take this stat, for example: only 40% of enterprises have either no MFA or weak MFA in place, leaving many devices and accounts unsecured.


Types of credential theft

There are countless varieties of attacks, schemes, and plots to harvest compromised credentials. But most can be broken into three categories:

  • Brute Force Attacks: A brute force attack entails the systematic checking or guessing of the password for a targeted account. The attacker generally uses sophisticated algorithms to test all possible combinations until the correct one is found. 51% of cybercriminals employ this simple method in their arsenal, due to its convenience and effectiveness in cracking weak cloud security.
  • Credential Stuffing: Thanks to increasing data breaches over the past several years, there are now immense troves of compromised credentials available for purchase on the dark web — often for pennies apiece. In a credential stuffing attack, a cyber criminal purchases compromised credentials — and then “stuffs” these credentials into login pages of systems, networks and apps until they stumble into a compromised user account. This is also referred to as credential recycling, as it essentially uses the compromised credentials stolen in a previous (typically brute force) attack. Cybersecurity Insiders reports that 34% of organizations suffered from credential stuffing attacks.
  • Social Engineering (Phishing): Even more common than guessing passwords or buying compromised credentials is using creative social engineering schemes like phishing to steal credentials. IBM reports that phishing was the main method of grabbing credentials in over 41% of organizations — with 62% of those attacks employing spear phishing. And to prove the point, the frequency of phishing attacks grew by 50% towards the end of 2022, with IBM highlighting that successful attacks exposed user credentials and cost an average $4.91 million in damages.


How can you prevent compromised credentials?


1. Move to passwordless and “phishing-resistant” auth.

The most effective way to reduce the risk of password theft is to stop using passwords as the primary authentication mechanism! Several Identity-as-a-service (IDaaS) vendors are now offering passwordless auth mechanisms that allow users to seamlessly log in to systems with their fingerprint or face recognition. Not only is this a more secure form of authentication it also reduces friction in that it’s an easier way to log in for your end users!


2. Implement a strong password policy.

If passwordless is not an option for your organization, another effective way to mitigate the risk of compromised credentials is simply to make the credentials themselves harder to compromise. That means developing and enforcing a strong password policy that requires all users to follow established best practices for creating — and regularly changing — strong passwords, as well as ensuring passwords are not reused across devices, apps, or other accounts.


3. Train your users.

Compromised credentials and compromised user accounts fall under the umbrella of insider risk, and insider risk is a people problem. One of the most effective ways to solve people’s problems is to talk to your people. Yet a third of workers say their organizations haven’t provided any additional cybersecurity training since the pandemic dramatically changed where, when, and how they work. Providing regular education around best practices for password management and things like how to recognize and avoid phishing schemes can go a long way.


4. Use a password manager.

One of the easiest ways to help your users maintain strong passwords is to use a password manager. These tools are ubiquitous and increasingly economical and user-friendly. But the two things to remember here are 1) make sure the password manager itself is secure and well-protected against hacking, and 2) make sure users take advantage of the auto-generate feature, available in just about every password manager today, that generates passwords (and remembers them) with much deeper complexity and randomness than a human ever could.


5. Use Multi-Factor Authentication (MFA).

MFA can easily stop an attacker dead in their tracks. They may have compromised credentials, but they almost certainly won’t have access to the secondary (or tertiary) form of identity verification (like a one-time passcode sent to the legitimate user’s mobile device). And organizations are beginning to treat MFA as a necessity, not luxury — Yubico reports that over 24% of enterprises are actively implementing next-gen phishing-resistant MFA that’s in-line with federal directives, while another 32% are considering it.


6. Focus on privileged accounts.

The ultimate goal of compromised credential attacks is to gain access to valuable data or assets, so it’s not surprising that high-ranking employees and others with privileged access are the biggest targets. The solution is two-fold: First, focus on auditing access privileges. Verizon’s report found that over 80% of employees abuse their level of access — a strong enough case to invoke the principle of least privilege. Second, step up access management protocols for your (now audited) privileged accounts. Microsoft points out that in 88% of ransomware attacks, MFA wasn’t implemented for sensitive and high privilege accounts, while Yubico’s report finds that only IT admins, their teams, and third-parties were sufficiently covered with MFA.


How to spot credential theft faster — before the damage is done

Like other forms of insider threat and insider risk, compromised credentials ultimately stem from human-factor issues: poor password hygiene, falling for phishing schemes, etc. The upside is that small changes can make significant impacts on human-factor risks; the downside is that humans will always be imperfect (and cyber criminals are incredibly efficient at exploiting user mistakes) so compromised user accounts can’t be entirely prevented. So, while investing time and budget in prevention is certainly worth it, it’s also critical to invest in strategies for detecting the anomalies and abnormalities that signal compromised accounts — and investigating and responding quickly and effectively.


Make sure you have endpoint visibility — remote, in the cloud, on and off the network

The first smoke signals of compromised credentials often come on users’ endpoint devices. So, security teams need to have endpoint visibility — extending to both on and off-network activity, since remote and flexible work models mean users are increasingly working off the VPN. If you haven’t already, automating endpoint inventory management is the first step to gaining that visibility. You should also have visibility into activity on the web and in the cloud since web- and cloud-hosted email is now the norm in many organizations.


Set a baseline for “normal” — so you can get a clear signal of real risk

If you can see all user and file activity, including on endpoints, on the web, and in the cloud, it’s much easier to answer the question, “What does normal look like?” This baseline helps you tune out the noise of everyday activity — all the file and data movement that defines the modern collaboration culture — and more quickly and accurately recognize when user behaviors fall outside of the norms. In short, when you start seeing users accessing, moving, renaming, or sharing files in ways or at times that don’t fit the pattern, you’ve got a high-fidelity signal of risk that you know requires an immediate closer look.


Accelerate your investigation and response — mitigate the damage

The same deep contextual visibility into all user and file activity is a powerful fuel to accelerate your investigation and response to potentially compromised user accounts. Security teams can rapidly dig into contextual information around file and data movement to identify which user accounts were impacted, which systems or assets were accessed, and what data or files were affected — right down to seeing when and where this valuable data moved. The thorough investigation drives a rapid, right-sized response — whether that’s locking down accounts or devices, taking proactive legal action to protect the company, or referring the incident to authorities for a response. Moreover, the immediate, deep, contextual visibility cuts the time from “detecting compromised credentials” to “neutralizing the threat,” helping to mitigate and minimize the damage from a successfully compromised user account.



About the Author

Christian leads Code42's IAM team, helping modernize the organization's environment away from a legacy on-prem stack (AD) to a fully cloud-hosted IAM solution.

Share this content on your favorite social network today!