Hackers attack computer systems to steal information. Some of the most important types of information they can steal are access credentials like usernames/passwords or PINs.
Why is credential access dangerous? If a hacker steals credentials, they have full and legitimate access to a system that is much harder to notice and observe.
What Is Credential Access?
Credential access is the use of legitimate credentials to access system resources. Hackers use many techniques to steal user passwords, PINs, or even MFA factors to gain access to systems legitimately.
The danger of these attacks cannot be overstated. If a hacker has legitimate credentials, it becomes much harder to determine that an attack is underway. These credentials will give that hacker the keys to the car (at least so far as the privileges of the stolen credentials will permit) to do as they wish.
Types of Credential Theft
Credentials are, at their core, pieces of data. This means they can be stolen at several different points of use and transmission.
Some of the ways that hackers steal credentials include:
- Password Guessing/Cracking: One way to get user passwords is to simply break into an account by calculating luck. Guessing involves using randomized credentials or those built into a dictionary to force your way into an account. Cracking is similar but involves breaking password security (typically hacking or encryption) and getting into local user accounts.
- Man-in-the-Middle Attacks: If a hacker can inject themselves into network connections between two parties, and user credentials are transmitted on that connection, then it’s relatively easy for them to steal either encrypted or clear-text credentials (depending on how those credentials are sent). MiTM attacks can also contribute to social engineering attacks by rerouting users to fake websites to collect credentials.
- Social Engineering: Phishing is one of the most common forms of attack because it is, unfortunately, still very effective. Attackers can use fake emails or text messages to trick users into giving up credentials. In tandem with man-in-the-middle attacks, hackers can also drive users to websites that look like a login page for a legitimate service but serve as a collection mechanism for credentials.
- Credential Dumping: Dumping is breaking into a database or operating system and forcing the system to expose user credentials via exploits. Using exploits can be risky for hackers (alerting security experts to their presence), but the payoff can be enormous.
- Two-Factor Authentication (2FA) Interception: While multi-factor authentication is very secure, no security technique is 100% infallible. Clever hackers with the ability to steal or model 2FA factors like SAML tokens or physical media can feasibly use them to steal credentials.
- Forging: An even rarer occurrence, some hackers can forge authentication factors. It’s been shown that hackers can forge artifacts like card keys and even fingerprints with the right context and technology.
- Malware and Harvesting: If the hacker can get malware inside a less-secure system, they can use malware to install tools like network sniffers and keyloggers to harvest user information. Eventually, that user will type in their credentials. Then, the hackers only have to sift through the data and collect their rewards.
What Role Does Credential Access Play in Advanced Persistent Threats (APTs)?
Advanced Persistent Threat is a name used to refer to two entities:
- Long-term and highly sophisticated cyber attacks are used to steal data or collect ransom from prominent organizations and government agencies.
- Hacker groups that develop, launch, and monitor these threats, typically as part of state-sponsored cyber attacks.
So, for example, you may see a group like Cozy Bear (generally thought responsible for the SolarWinds Orion breach) and its associated tools collectively referred to as an APT.
An APT is “advanced” because they will use system access to propagate, hide, and monitor activity to spread their influence. One of the key stages of an APT lifecycle is the practice of “lateral movement,” or using credentials or exploits to move from one system to the next over network connections.
As might be expected, credential access is critical to the success of the lateral movement. In order to remain hidden, these threats must have legitimate credentials. Accordingly, such threats will implement several types of credential theft (network sniffing, credential dumping, harvesting, etc.) to collect as many user credentials as possible.
How Can I Prevent Unauthorized Credential Access?
The challenge with credential access is that it can happen through several (often concurrent) attacks. Addressing these attacks isn’t as straightforward as putting in two-factor authentication and calling it a day–it takes a culture of security and innovation to adopt the top techniques and technologies to find significant success.
These best practices include:
- Rotate Passwords Regularly: The longer a threat has access to legitimate credentials, the longer they can wreak havoc. By requiring regular password changes (once every 20, 60, or 90 days), you can reduce the impact a credential access attack has on system resources.
- Utilize Secure MFA: Using multi-factor authentication is an important step for any authentication security policy, but for sensitive data and mission-critical systems, it pays to implement more stringent security in the form of physical authentication media and identity assurance management (compliance with NIST IAL requirements).
- Monitor User Behavior Baselines: Advanced authentication and logging tools utilize AI and behavioral analytics to assess how users operate in a system. By analyzing patterns, these tools can determine if uncommon or risky behaviors are occurring that could signal that user accounts have been compromised.
- Adhere to the Principle of Least Privileges: No user account should have system privileges beyond the needs of their job description and their immediate tasks. Following the PoLP, your security systems should limit users’ access to system resources. Proper implementation can severely reduce a hacker’s ability to move laterally through the system.
- Utilize Advanced Authentication and Passwordless Security: By eliminating passwords, you can remove the need to pass credentials back and forth over networked connections. Furthermore, you can effectively remove the threat of many phishing attacks (the most common entry vector for APTs).
Combat Credential Access Attacks with 1Kosmos
The only real protection against these attacks is vigilance, which means utilizing policies and technologies that address gaps in authentication security. Understanding how users log into critical resources and preventing those user credentials from potentially exposing those system resources serves as the foundation for overall system security.
The answer is a solution that provides strong, passwordless authentication with easy onboarding and decentralized credential management. This solution should be easy to implement with any device, including identity verification features and several MFA authentication factors.
This solution is 1Kosmos BlockID.
Consider these critical features:
- SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
- Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification. Furthermore, the BlockID platform is compliant with NIST IAL2 requirements.
- Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
- Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
- Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user.
- Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.
- Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.
To learn about the next generation of contact-free authentication solutions powered by biometrics and blockchain technology, read more on Passwordless Enterprise solutions. Also, sign up for the email newsletter to stay current on 1Kosmos products and services.