Identity Breaches in 2024 – An Ounce of Hygiene is Worth a Pound of Technology
Published 11/01/2024
Originally published by Pentera.
Identity is a key to open a door
Who are you? Yes, you reading. Who are you?
There’s probably a lot of ways you can answer that question, and that is because there are a lot of attributes that make up your identity. Let’s keep things simple because that’s what’s easy: name, date of birth, address, and phone number. These are data points you may find on a driver’s license or an online profile. Your identity is not limited to those examples, however. Your identity can also be associated with the hobbies you partake in, your profession, and your social media tags.
Your digital identity is actually a multitude of data points, and it’s these data points that are making you, as well as the individuals that you do business with, a target. “Jay, this is old news” …. But is it? It’s not. Not when there are still large scale identity attacks happening in July of 2024. The news of Snowflake and affected customers such as Ticketmaster, Santander, and Advance Auto Parts proves this. The new RockYou2024 leaked password list also exposes a record amount of identities. But whose responsibility is it to secure these identities, and can identity based intrusions be prevented?
Exposed credentials are still an attacker’s best friend
Credentials are still used nefariously to compromise the confidentiality, integrity and availability of data. The Verizon 2024 Data Breach Investigations Report states that “over the past 10 years, stolen credentials have appeared in almost one-third (31%) of breaches.”1 While there have been initiatives to move in a “passwordless” direction, I have yet to see wide scale adoption. Furthermore, any technology or process/procedure that does not adhere to passwordless methods or single sign-on will become an outlier. So where are these passwords being obtained? If we consider how the attacker will behave, we get an answer to the question.
Lazy, but successful attackers
Attackers are human, that means – they are lazy. As details continue to emerge about the exposed identity from the aforementioned breaches, we realize it’s something we’ve seen before. Here’s the lazy attacker’s playbook, directly from the subway graffiti walls.
First, consider the identities and personas in your environment. You have regular employees, but I’m sure there may be others. Oftentimes we are also doing work with temporary identities or third party contractors. They are necessary for the business, but they still could be increasing our risk footprint.
An attacker’s first move is reconnaissance, and part of that includes surveying the behavior of regular employees as well as business partners. This can be done in a few ways. Just think about how many of you are on LinkedIn. It’s completely understandable why many of you reading may hide your LinkedIn profile. You are making public which company you work for, as well as what your role is. Information can then be inferred, such as privileges and potential access.
There are also nefarious ways of obtaining identities, for cheap. IBM “X-Force noted a 266% increase in infostealer-related activity in 2023 compared to 2022”2. These infostealers get onto machines via various means. Not that any of your fellow coworkers have ever clicked on a phishing link, but they might get sunk visiting a compromised website.
Regardless of the vector, the infostealer is able to harvest information such as credentials. This information is then put up for sale, for tens of dollars, not even hundreds or thousands. In the case of the previously mentioned RockYou2024 password list disclosure, the cost is 0. The credentials are so easily accessible for whoever is interested in taking them.
The ease and proliferation of stealing data creates a new risk for CISOs to consider: how can I enforce what my employees or contractors do on personal devices? Is it worth just issuing a company device that I control? Perhaps it’s inevitable.
Second, attackers will then use these credentials where they can across attack surfaces. Naturally, whatever is internet facing comes to mind, but the Snowflake and affected company examples show us that stolen credentials may also be leveraged to access cloud service partners. This gets especially dangerous if Multifactor Authentication (MFA) is not enabled on accounts. There may be business justifications for why MFA is not enabled but make no mistake: it increases the risk footprint. This begs the question: Whose responsibility is enforcing MFA? Snowflake had previously not enforced MFA on accounts, as this was the end user’s responsibility. It’s very easy to point the finger at Snowflake, but shouldn’t ALL accounts be protected with MFA if they are important or accessing sensitive data? I think most would argue yes.
Third, to get access using a trusted identity, attackers will start acting on objectives. This is where things get a little fuzzy. The “acting on objectives” stage can be very subjective, depending on the motivations of the threat actor and the goal. For Initial Access Brokers, cyber criminals who specialize in breaching networks, their objective is clear; they’ll sell this initial access to another threat actor. For a separate threat actor, they may want to move laterally, and gather deeper access or escalate privileges. We would want to assume that by this point our defensive controls would have kicked into gear to prevent this.
Basic Hygiene and Advanced Hygiene
Most of us brush our teeth daily (I hope!!). However, admittedly one area of dental hygiene that I was lazy in, was flossing. Well, a little extra daily flossing prevents periodontal disease, which many of us suffer from. There’s also advanced hygiene treatments now that we can partake in whenever we visit the dentist. Our cyber hygiene is no different. So what are the “low hanging fruits” that entails maintaining just a basic level of cyber hygiene to our environment?
- Monitor, collect, and test credentials that are exposed externally
- Given the increase in infostealers and how they are used to gather credentials,we need to leverage threat intelligence to find exactly what credentials are already out there.
- With an understanding of identities, including exposed and privileged, we can run tests to understand the extent of compromise and risk exposure.
- What would the attacker have access to with certain credentials?
- What is the blast radius?
- Is MFA enforced?
- Audit Active Directory and cloud configurations for privileges and use of MFA
- Understand identity structure generally both for on prem environments and the cloud/cloud services
- Implement password hygiene and rotate credentials
- Implement MFA wherever possible
- This is its own step. This may be a very manual effort, but the risk reduction is massive. Make sure there are no accounts that authenticate only on username and password
- Test continuously
- As our environments change, we need to make this a repeatable process. We should not assume what we did in the past covers us today in the present. Otherwise our future may be bleak.
There’s a bright side to all of this: The recent news does not involve any complex, advanced methods of attack using credentials. Sure, credentials are still a risk, but a little bit of identity hygiene will go a long way in protecting access not just to cloud data, but across our environment. This is preventable. This is a basic “brushing our teeth” technique that requires discipline, but makes us more resilient in the long run.
The new take? Validate that this hygienic approach works. Automation can enhance even what seems like “advanced hygiene”. Once I got used to flossing, it became second nature. I needed to take that first step and create good hygiene habits. Integrating security validation and testing/profiling identities does not have to be a long drawn out process. It will become second nature with the right tools. In short order you’ll be taking preventative measures to what otherwise may have been “easy wins” for attackers. An ounce of hygiene is worth a pound of technology.
Validate, remediate, repeat. This is the way.
Related Articles:
The Service Accounts Guide Part 1: Origin, Types, Pitfalls and Fixes
Published: 12/10/2024
Strengthening Cybersecurity with a Resilient Incident Response Plan
Published: 12/10/2024
Microsoft Power Pages: Data Exposure Reviewed
Published: 12/09/2024
Systems Analysis for Zero Trust: Understand How Your System Operates
Published: 12/05/2024