
What Is Credential Access?

1Kosmos

Attackers break into computer systems to steal information, and some of the most valuable information they can take is access credentials: usernames and passwords, PINs, and the session tokens issued after a login.

Once an attacker holds valid credentials, everything they do looks like the legitimate user's own activity, which is far harder to notice than an exploit.

What is credential access?

Credential access is the stage of an attack in which an adversary obtains legitimate credentials (passwords, PINs, session tokens and sometimes MFA factors) and then uses them to reach system resources as if they were the rightful user. The techniques for stealing credentials vary, but the goal is the same: access that the system cannot distinguish from authorized use.

The danger of these attacks is hard to overstate. With legitimate credentials in hand, an attacker blends into normal traffic, and detection becomes a matter of spotting unusual behaviour rather than a known exploit. Those credentials hand the attacker the keys to the car (at least as far as the privileges of the stolen account permit) to do as they wish.

Types of credential theft

Credentials are data, so they can be stolen wherever that data exists: at rest in a password store or cache, in transit across the network, or in use on a keyboard or screen.

Hackers steal credentials through:

  • Password guessing/cracking: Guessing is an online attack against the login interface. The attacker tries common or dictionary passwords against an account (brute force), one password against many accounts (password spraying), or username/password pairs leaked from other breaches (credential stuffing). Cracking is the offline version: the attacker already holds a copy of the password hashes and computes candidate hashes on their own hardware until one matches. That is fast against unsalted or fast hash functions and slow against salted, deliberately expensive ones.

  • Man-in-the-middle attacks: If an attacker can insert themselves into the network path between a user and a service, and credentials cross that path, they can read them outright when the connection is unencrypted or downgraded, and capture the encrypted exchange for later attack otherwise. An attacker in the middle can also redirect users to a fake login page, turning a network position into a social engineering attack.

  • Social engineering: Phishing is one of the most common forms of attack. Attackers use fake emails or text messages to trick users into handing over credentials. Combined with an in-path position, they can also drive users to a site that looks like the login page of a legitimate service but exists only to collect whatever is typed into it.

  • Credential dumping: Dumping means extracting stored or cached credentials from an operating system or database once the attacker already has a foothold: password hashes, cleartext passwords held in memory by the authentication subsystem, or tokens and tickets. It usually requires elevated privileges rather than an exploit, and the tooling is noisy enough that security teams often catch it, but the payoff can be enormous: a single dump of the right system can expose credentials for a whole domain.

  • Two-factor authentication (2FA) interception: Multi-factor authentication raises the bar considerably, but no control is infallible. Attackers can phish one-time codes and relay them to the real site in real time, take over a phone number to receive SMS codes, bombard a user with push prompts until one is approved, or steal the session cookie or SAML assertion issued after MFA succeeds, which lets them skip the second factor entirely.

  • Forging: Some attackers forge authentication artifacts outright: cloned access cards, lifted fingerprints, or, with the right signing key in hand, fabricated tokens and tickets that the system accepts as genuine.

  • Malware and harvesting: If an attacker can get malware onto a less-secure system, they can install network sniffers, keyloggers and browser credential stealers to harvest whatever the user types or has saved. Eventually that user logs in to something that matters, and the attacker only has to sift through the captured data and collect their rewards.
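The guessing/cracking item above says cracking is fast against unsalted hashes and slow against salted, expensive ones. The following Python is an added example (not code from this article or from 1Kosmos) that models an attacker who has dumped a credential store and runs a dictionary against it. The wordlist, the user accounts and their passwords are all constructed here for illustration; the iteration count is deliberately low so the demo finishes quickly.

```python
"""Offline cracking of a dumped credential store, added here as an example
(not code from the 1Kosmos article). The 'stolen' hashes and the wordlist are
constructed inline, so nothing here touches a real system."""
import hashlib
import hmac
import os
import time

# Constructed stand-in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "Summer2023!", "P@ssw0rd",
            "qwerty", "welcome1", "dragon", "monkey", "Winter2024!"]

# Kept low so the demo runs in about a second; OWASP currently recommends
# 600,000 iterations for PBKDF2-HMAC-SHA256 in production.
PBKDF2_ITERATIONS = 100_000


def store_fast_unsalted(password: str) -> str:
    """Weak scheme: one unsalted SHA-256 over the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted_slow(password: str, salt: bytes = b"") -> tuple:
    """Stronger scheme: per-user random salt plus PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def crack_unsalted(stolen: dict, wordlist: list) -> dict:
    """Dictionary attack on unsalted hashes. Each candidate is hashed once and
    compared against every user, so cost scales with the wordlist rather than
    wordlist x users, and precomputed tables work across victims."""
    lookup = {store_fast_unsalted(w): w for w in wordlist}
    return {user: lookup[h] for user, h in stolen.items() if h in lookup}


def crack_salted(stolen: dict, wordlist: list) -> dict:
    """Same dictionary against salted PBKDF2: every (user, candidate) pair must
    be recomputed with that user's salt and the full iteration count."""
    found = {}
    for user, (salt, digest) in stolen.items():
        for candidate in wordlist:
            guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
            if hmac.compare_digest(guess, digest):
                found[user] = candidate
                break
    return found


def demo() -> dict:
    # Constructed accounts. 'bob' and 'dave' share a password; 'carol' uses a
    # passphrase that is not in the wordlist.
    users = {"alice": "Summer2023!", "bob": "123456",
             "carol": "correct horse battery staple", "dave": "123456"}
    unsalted_db = {u: store_fast_unsalted(p) for u, p in users.items()}
    salted_db = {u: store_salted_slow(p) for u, p in users.items()}

    t0 = time.perf_counter()
    weak_result = crack_unsalted(unsalted_db, WORDLIST)
    weak_seconds = time.perf_counter() - t0

    t0 = time.perf_counter()
    strong_result = crack_salted(salted_db, WORDLIST)
    strong_seconds = time.perf_counter() - t0

    return {
        "unsalted_cracked": weak_result,
        "salted_cracked": strong_result,
        # Identical passwords show up as identical hashes only without a salt.
        "unsalted_reveals_shared_password": unsalted_db["bob"] == unsalted_db["dave"],
        "salted_reveals_shared_password": salted_db["bob"][1] == salted_db["dave"][1],
        "unsalted_seconds": weak_seconds,
        "salted_seconds": strong_seconds,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both schemes give up the accounts whose passwords are in the wordlist; the difference is cost. Against the unsalted store, ten hashes settle every account at once and bob and dave are visibly using the same password. Against the salted store, each user costs a fresh run of the full iteration count per candidate, which is what makes a large dump impractical to crack wholesale. A passphrase outside the wordlist (carol) survives either way, which is the user-side half of the defence.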

What role does credential access play in advanced persistent threats (APTs)?

Advanced Persistent Threat refers to two related things:

Long-term, highly sophisticated intrusions aimed at stealing data from, disrupting, or extorting prominent organizations and government agencies.

Hacker groups that develop, launch, and monitor these threats, typically as part of state-sponsored cyber attacks.

A group like Cozy Bear (generally thought responsible for the SolarWinds Orion breach) and its associated tools may collectively be referred to as an APT.

An APT is "advanced" because it relies on custom tooling and careful operational security, and "persistent" because it keeps footholds for months or years, using stolen access to spread, hide and monitor activity. One of the key stages of the APT lifecycle is lateral movement: using credentials or exploits to move from one system to the next over network connections.

Credential access is critical to lateral movement. To stay hidden, these threats prefer legitimate credentials over exploits, so they apply several of the theft techniques above (network sniffing, credential dumping, harvesting) to collect as many accounts as they can, with administrative accounts the prize.

How to prevent unauthorized credential access

Credential access can happen through several, often concurrent, attacks, so no single control stops it. Defending against it takes layered policies and technologies that close the gaps in how users authenticate.

Best practices include:

  • Limit the lifetime of credentials: The longer a threat holds valid credentials, the longer it can wreak havoc. Forced periodic password changes (every 30, 60 or 90 days) were the traditional answer, but current NIST guidance (SP 800-63B) recommends against arbitrary rotation because it pushes users toward predictable variations of the same password. Instead, rotate a password immediately on any evidence of compromise, screen new passwords against breached-password lists, and give service accounts and API keys short, automatically rotated lifetimes.

  • Utilize secure MFA: Multi-factor authentication belongs in every authentication policy, but for sensitive data and mission-critical systems require phishing-resistant factors such as hardware security keys or smart cards rather than SMS or push codes, and pair the authenticator with a verified identity (in NIST SP 800-63 terms, the AAL levels cover authenticator strength and the IAL levels cover identity proofing).

  • Monitor user behavior baselines: Modern authentication and logging tools use behavioral analytics, sometimes machine learning, to establish how each user normally operates. Deviations from that baseline (logins from new countries or devices, access at unusual hours, a burst of failed logins across many accounts from one address) can signal that credentials have been compromised even though every individual login looks valid.

  • Adhere to the principle of least privilege: No account should hold privileges beyond what the job and the immediate task require. Under the PoLP, access to system resources is denied by default, and administrative credentials are kept separate from everyday ones so that a stolen user password does not hand an attacker the domain. Done properly, this sharply reduces an attacker's ability to move laterally.

  • Utilize advanced authentication and passwordless security: Passwordless authentication built on public-key credentials (FIDO2/WebAuthn, for example) never sends a reusable secret over the network. The private key stays on the device and each login signs a fresh challenge bound to the site's origin, so a credential presented to a phishing page is useless anywhere else. That removes the threat of most phishing attacks, a common initial access vector for APTs.
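The last item claims that an origin-bound passwordless credential is useless to a phishing page, while the 2FA interception item earlier notes that one-time codes can be relayed in real time. The Python below is an added example (not code from this article or from 1Kosmos) that shows both behaviours side by side. It is a simplified model: the authenticator "signs" with an HMAC over a per-credential secret instead of the asymmetric signature a real FIDO2 device uses, and every origin, secret and challenge is constructed inline. The property being demonstrated, that the assertion is tied to the relying-party ID the browser reports, is the same either way; the TOTP function is a straight RFC 6238 implementation.

```python
"""Origin-bound passwordless assertion vs. a relayable one-time code. Added
example, not 1Kosmos code.

Assumption: the authenticator 'signs' with HMAC over a per-credential secret
instead of the asymmetric signature a real FIDO2 device uses. Origins,
secrets and challenges are all constructed inline."""
import hashlib
import hmac
import secrets
import struct
import time


class Authenticator:
    """Models a FIDO2-style authenticator holding one credential per relying party."""

    def __init__(self):
        self._credentials = {}  # credential_id -> (rp_id, secret)

    def register(self, rp_id: str) -> tuple:
        cred_id = secrets.token_bytes(16)
        secret = secrets.token_bytes(32)
        self._credentials[cred_id] = (rp_id, secret)
        # In this HMAC model the same secret serves as the verifier's key; a real
        # authenticator would return a public key instead.
        return cred_id, secret

    def assert_for(self, cred_id: bytes, challenge: bytes, requesting_rp_id: str) -> bytes:
        """The browser passes the RP ID derived from the page's origin. Real
        authenticators refuse to use a credential scoped to a different RP ID;
        this model signs anyway so the relying party's own check is visible."""
        _rp_id, secret = self._credentials[cred_id]
        rp_hash = hashlib.sha256(requesting_rp_id.encode()).digest()
        return hmac.new(secret, rp_hash + challenge, hashlib.sha256).digest()


class RelyingParty:
    """The site being logged into. It knows its own RP ID and the enrolled keys."""

    def __init__(self, rp_id: str):
        self.rp_hash = hashlib.sha256(rp_id.encode()).digest()
        self.keys = {}  # credential_id -> verifier key

    def enroll(self, cred_id: bytes, key: bytes) -> None:
        self.keys[cred_id] = key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify_assertion(self, cred_id: bytes, challenge: bytes, assertion: bytes) -> bool:
        """Recompute over *our* RP ID hash: an assertion made for any other origin fails."""
        expected = hmac.new(self.keys[cred_id], self.rp_hash + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with dynamic truncation."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def phishing_scenarios() -> dict:
    rp = RelyingParty("bank.example")
    auth = Authenticator()
    cred_id, key = auth.register("bank.example")
    rp.enroll(cred_id, key)

    # Legitimate login: the browser at bank.example requests the assertion.
    challenge = rp.new_challenge()
    legit_ok = rp.verify_assertion(
        cred_id, challenge, auth.assert_for(cred_id, challenge, "bank.example"))

    # Adversary-in-the-middle phishing: a proxy at bank-login.example forwards the
    # real challenge, but the victim's browser reports the phishing origin.
    challenge = rp.new_challenge()
    relayed = auth.assert_for(cred_id, challenge, "bank-login.example")
    phished_ok = rp.verify_assertion(cred_id, challenge, relayed)

    # Same proxy against TOTP: the six digits carry no origin, so a code typed
    # into the phishing page is accepted by the real site when relayed.
    totp_secret = secrets.token_bytes(20)
    now = int(time.time())
    typed_into_phishing_page = totp(totp_secret, now)
    relayed_totp_ok = hmac.compare_digest(typed_into_phishing_page, totp(totp_secret, now))

    return {"passwordless_legit": legit_ok,
            "passwordless_phished": phished_ok,
            "totp_relayed": relayed_totp_ok}


if __name__ == "__main__":
    print(phishing_scenarios())
```

The relying party only ever verifies against its own RP ID hash, so the relayed assertion fails even though the challenge is genuine and the authenticator cooperated. The relayed TOTP code succeeds because nothing in six digits says where they were typed. In a real deployment the browser also refuses to hand a credential to an origin it was not registered for, so the phishing page would not even get as far as this model allows.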

Credential access defense with 1Kosmos

The only real protection against these attacks is vigilance: policies and technologies that close the gaps in authentication security. Understanding how users log into critical resources, and keeping those credentials from exposing the resources they protect, is the foundation of overall system security.

1Kosmos provides strong, passwordless authentication with easy onboarding and decentralized credential management. The solution is easy to implement with any device, including identity verification features and several MFA authentication factors.

  • SIM binding: The 1Kosmos application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee's phone.

  • Identity-based authentication: 1Kosmos uses biometrics to identify individuals through credential triangulation and identity verification. The 1Kosmos platform is compliant with NIST IAL2 requirements.

  • Cloud-native architecture: Flexible and scalable cloud architecture makes it simple to build applications using standard API and SDK.

  • Identity proofing: 1Kosmos verifies identity anywhere, anytime and on any device with over 99% accuracy.

  • Privacy by design: 1Kosmos protects personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user.

  • Private and permissioned blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.

  • Interoperability: 1Kosmos can readily integrate with existing infrastructure through 50+ out-of-the-box integrations or via API/SDK.

Enter our orbit.

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
