Why is this the path of least resistance? And how can we better protect this attack vector?
The path of least resistance
To the first question, excuses vary. Some say it’s a security training issue; others regard it as a “personal security hygiene” issue for employees. Still others consider it an IT problem rather than an ops problem (or vice versa). Moreover, senior leaders are sometimes granted special password policy exceptions — even though they’re the most sought-after targets. The bottom line: no one wants to take responsibility for credential theft.

This patchwork of responses and philosophies leaves attackers massive gaps to exploit. Through social engineering, such as simple phishing, or other means, they acquire legitimate credentials, use them to access a network, then move laterally to find and extract the information they want. This is exponentially easier than deploying a zero-day remote code execution (RCE) exploit, a vector that existing tools can readily identify. We live in a world of ignored credential proliferation, and we’re paying the price.

The 2020 Verizon Data Breach Investigations Report claims that over 80% of hacking-related data breaches involve brute force or the use of lost, stolen or compromised passwords. The FBI reported in 2020 that 41% of attacks in the financial sector involved credential stuffing. CrowdStrike’s 2020 Global Threat Report reveals that most attacks don’t involve any malware and identifies credential dumping as one of the most prevalent alternative attack techniques. These attacks are challenging to identify and intercept reliably with vulnerability scanners, endpoint detection, SOAR, SIEM, BAS tools or most manual penetration tests.

In a world where 61% of companies have over 500 accounts with non-expiring passwords, and where 10 billion account details, along with 600 million passwords, are available online as a result of known breaches, it is clear that credential-based attacks are a favorite of malicious actors. Why? Quite simply, credentials are easy to get and difficult to identify as a threat. So, what do we do to protect against this attack vector?
Vulnerable does not equal exploitable
I always say, “The hardest part of cybersecurity is knowing what not to do.” The key to this statement is understanding that vulnerable does not equal exploitable. Security teams need to be able to identify the vulnerabilities that present the most risk. Scanners and other tools reveal an overwhelming number of vulnerabilities — more than even the most active security team working around the clock can patch. The key instead is to focus on the attack vectors that matter to an attacker.

By focusing on the changing techniques an attacker uses with harvested credentials, technical misconfigurations and exploitable software vulnerabilities, regardless of CVSS score, teams can evaluate attack vectors with operational context based on the adversary’s perspective. This approach allows security teams to identify the vulnerabilities that are actual threats. You might be surprised to hear that the vast majority of vulnerabilities are unexploitable. According to Kenna, only 2.7% of identified vulnerabilities are exploitable, and only 0.4% of those have actually been exploited. Of course, the impact of those breaches can be massive. That’s why it’s crucial to focus on the areas that are operationally relevant to attackers themselves.

While software vulnerabilities dominate the conversation in information security, only a tiny percentage of breaches ever leverage them, peaking at just 5% of breaches in 2017. More recent numbers indicate a rate of about half that. Traditional approaches that rely on agent-based vulnerability scanners and simplistic port scans produce far too much noise, diverting attention from the truly dangerous, exploitable issues that represent a provable risk to your organization. To defend against these threats, it’s necessary to take a proactive security posture that includes continuous assessment from the attacker’s perspective.
Otherwise, your organization will always play catch-up, patching shadow threats that represent no real risk instead of getting a step ahead of malicious actors by analyzing threats from their perspective.
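The prioritization argument above, as an added example that is not from the article: a small Python triage that ranks scanner findings by attacker relevance (public exploit, in-the-wild exploitation, exposure, credential weakness) instead of raw CVSS. The field names, weights and sample findings are constructed assumptions, not data from any real scanner or feed.

```python
# Added example (not from the article): rank scanner findings by attacker
# relevance instead of raw CVSS. Fields, weights and samples are constructed.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    cvss: float
    exploit_public: bool       # a working exploit or technique is publicly known
    exploited_in_wild: bool    # seen in real intrusions (e.g. a KEV-style feed)
    internet_facing: bool
    credential_weakness: bool  # harvested, default or non-expiring passwords

def attacker_relevance(f: Finding) -> float:
    """Score a finding from the adversary's perspective.

    An issue an attacker cannot actually use scores zero, so a critical-CVSS
    bug with no exploit ranks below a medium-CVSS credential weakness that is
    abused daily. CVSS only breaks ties among exploitable issues.
    """
    if not (f.exploit_public or f.exploited_in_wild or f.credential_weakness):
        return 0.0  # vulnerable, but not exploitable: defer, do not ignore
    score = 1.0
    score += 3.0 if f.exploited_in_wild else 0.0
    score += 2.0 if f.credential_weakness else 0.0
    score += 1.5 if f.internet_facing else 0.0
    score += f.cvss / 10.0
    return score

def triage(findings: list[Finding]) -> list[Finding]:
    """Findings ordered by attacker relevance, highest first."""
    return sorted(findings, key=attacker_relevance, reverse=True)

def by_cvss(findings: list[Finding]) -> list[Finding]:
    """The naive scanner ordering the article argues against."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

# Constructed sample findings (not real hosts, software or CVEs).
SAMPLE = [
    Finding("app01", "critical RCE, no public exploit, internal only",
            9.8, False, False, False, False),
    Finding("vpn01", "admin password non-expiring and found in a breach dump",
            5.3, True, True, True, True),
    Finding("db02", "outdated library with public exploit, internal only",
            7.5, True, False, False, False),
]
```

Running `triage(SAMPLE)` puts the breached, non-expiring credential first and the unexploitable critical RCE last, the reverse of `by_cvss(SAMPLE)`.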