Justin Sylvester Shares Knowledge With SPECOPS on Corporate Account Takeover Attacks and Prevention
Identity theft comes in many forms, one being corporate account takeover. Corporate account takeover attacks occur when an unauthorized entity steals and assumes a user's digital identity to perform activities on behalf of that user. The stolen identity of a trusted account makes compromise difficult to detect, thereby delaying response times.
Attackers that assume a trusted identity also inherit that trusted identity's authorizations. This exposes the sensitive information that the compromised identity has access to while facilitating the opportunity to escalate privileges and move throughout the compromised employee's environment.
Corporate Account Takeover Attacks
Often, bad actors use these tactics to establish an initial foothold in their target environment. By taking over an account, the attacker can act as that user, and they can then access the same sensitive information as the compromised account, pivot to other systems, and elevate privileges.
Each attack discussed within this article has something in common; they all exploit habitual human behavior and decision-making.
In the SPECOPS article, Justin asks, "Have you ever received a phone call where you knew the individual on the other end was not authentic? How about an email with an attachment or link that was illegitimate? If you cannot answer "yes" to the preceding questions, you've likely fallen victim to social engineering. This human-based attack vector exploits decision-making by influencing a person to act in a specific way. These attacks require less time and effort than exploiting system vulnerabilities."
Many organizations are focused on preventing the exploitation of software flaws and misconfigurations within their technical infrastructure. What about outside the scope of technology? What about the trusted workforce?
One social engineering technique used by cyber adversaries is Phishing. An attacker attempts to acquire sensitive information (e.g., user credentials) using fraudulent email communications that appear to originate from an authentic source. Attackers use phishing on unsuspecting victims using creative methods to disguise themselves.
Targeted phishing attacks have become commonplace with the advent of social media. With the enormous amount of public information on social media platforms, attackers can customize phishing attempts to the victim's interests and emotions, increasing the likelihood of success. Spear phishing is highly effective for the attacker: the message is custom tailored to the victim, and the attacker relies on the victim's interests and emotions to bait the victim into providing sensitive information or executing malicious code.
Have you ever Googled yourself? Can you see your password on your personal social media account? The "About" section of your Facebook page?
People tend to create passwords that are easy for them to remember. Favorite sport, a pet's name, and maiden name are a few common examples of what people use to model their passwords.
Even a complex password can be insecure, because people often reuse the same password on multiple platforms. It only takes one of those platforms to be compromised: once the password is obtained, it will more likely than not be accepted elsewhere. Single-factor password-based authentication is risky and weak.
Brute Force Attacks
Brute force password attacks go through all possible combinations in an attempt to uncover a password. The time and effort needed to crack a password depend on the password's predictability, its complexity, and the resources (e.g., computing power) the attacker has at their disposal. Malicious actors often gather preliminary intelligence on their targets from public sources (e.g., social media accounts, business websites) to develop a list of keywords. The attacker then uses password cracking tools to automate guessing attempts based on that keyword list.
As previously stated, people often use the same password across multiple platforms. This is dangerous!
Cyber breaches have become widespread. "Credential Stuffing attacks use the information obtained from previous breaches to inject username and password combinations to gain access to a target's account."
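The two attack patterns above leave different fingerprints in authentication logs: brute force piles many failures onto one account, while credential stuffing spreads one or two attempts across many accounts from the same source. The following detection logic is an added example, not code from the article or from Specops; the log format and the thresholds are constructed assumptions.

```python
# Added example (not from the article): classify failed-logon sources as
# brute force (many failures on one account) vs. credential stuffing (one or
# two tries each across many accounts). Log format and thresholds are
# constructed assumptions, not a real product's format.
from collections import defaultdict

BRUTE_FORCE_MIN_FAILURES = 5   # assumption: >= 5 failures on a single account
STUFFING_MIN_ACCOUNTS = 4      # assumption: >= 4 distinct accounts per source
STUFFING_MAX_PER_ACCOUNT = 2   # assumption: at most 2 tries per account

# Constructed sample log: one line per failed logon, plus one malformed line.
SAMPLE_LOG = """\
2024-01-01T09:00:01 FAIL user=alice src=203.0.113.5
2024-01-01T09:00:02 FAIL user=alice src=203.0.113.5
2024-01-01T09:00:03 FAIL user=alice src=203.0.113.5
2024-01-01T09:00:04 FAIL user=alice src=203.0.113.5
2024-01-01T09:00:05 FAIL user=alice src=203.0.113.5
2024-01-01T09:00:06 FAIL user=alice src=203.0.113.5
2024-01-01T09:01:00 FAIL user=bob src=198.51.100.7
2024-01-01T09:01:01 FAIL user=carol src=198.51.100.7
2024-01-01T09:01:02 FAIL user=dave src=198.51.100.7
2024-01-01T09:01:03 FAIL user=erin src=198.51.100.7
2024-01-01T09:05:00 FAIL user=frank src=192.0.2.9
this line is malformed and must be skipped
"""

def parse_failures(text):
    """Yield (src, user) for each well-formed FAIL line; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "FAIL":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        if "user" in fields and "src" in fields:
            yield fields["src"], fields["user"]

def classify_sources(text):
    """Return {src: verdict} for sources whose failure pattern looks hostile."""
    per_src = defaultdict(lambda: defaultdict(int))
    for src, user in parse_failures(text):
        per_src[src][user] += 1
    verdicts = {}
    for src, users in per_src.items():
        peak = max(users.values())  # most failures against any one account
        if peak >= BRUTE_FORCE_MIN_FAILURES:
            verdicts[src] = "brute_force"
        elif len(users) >= STUFFING_MIN_ACCOUNTS and peak <= STUFFING_MAX_PER_ACCOUNT:
            verdicts[src] = "credential_stuffing"
    return verdicts
```

In a real deployment the same grouping would be applied per time window, since a low-and-slow attacker can stay under either threshold if the window is unbounded.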
It's essential to note that there is no "absolute security." There will always be a residual risk. Read on to discover some routine mitigations that reduce the likelihood and impact of a compromise:
The Principle of Least-Privilege
It should be assumed that compromise is imminent in today's threat landscape, and present reality demands that companies focus on limiting the impact of cyber incidents. One way to lessen this impact is to prioritize the principle of least-privilege. With least-privilege, a user will only be awarded the access needed to complete assigned tasks and nothing else. "Never trust, always verify" is the vision of a Zero Trust Architecture.
With corporate account takeover, an organization implementing the least-privilege principle will limit the authorizations awarded to a successful attacker.
Awareness & Training
Attackers thrive on ordinary human behavior. A few examples of typical habitual user behavior are listed below:
- Reusing the same password for multiple (or all) accounts
- Storing passwords in unencrypted digital documents or writing passwords down
- Clicking links without verifying the email's sender and the link's authenticity
- Willingness to help others in need
Ongoing awareness and training programs are critical in helping employees learn the techniques used by modern threat actors.
When it comes to passwords, training is essential but can only go so far. A breached password detection service can help to find and prevent leaked passwords. See how many Active Directory accounts use pwned passwords with Specops Password Auditor.
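To show how a breached password check can work without the password (or even its full hash) leaving the client, here is an added example of the SHA-1 prefix (k-anonymity) scheme used by public breach-lookup services. It is not code from the article or from Specops; the breached corpus is a small constructed list, and the "service" is simulated in-process.

```python
# Added example (not from the article or Specops): k-anonymity breached-password
# check. The client hashes locally, sends only the first 5 hex characters of
# the SHA-1, receives every suffix in that bucket, and compares locally.
# BREACHED_CORPUS is a constructed list, not real breach data.
import hashlib

BREACHED_CORPUS = ["Password1", "Welcome2024", "Fluffy123", "Summer2023!"]

def sha1_upper(password):
    """Uppercase hex SHA-1 of the password, matching the common service format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_index(corpus):
    """Server side: map 5-char prefix -> {35-char suffix: times seen in breaches}."""
    index = {}
    for pw in corpus:
        digest = sha1_upper(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index

def range_query(index, prefix):
    """Server side: the only thing the service ever learns is the 5-char prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return index.get(prefix, {})

def breach_count(password, index):
    """Client side: how many times the password appears in the breached corpus."""
    digest = sha1_upper(password)
    return range_query(index, digest[:5]).get(digest[5:], 0)

def check_new_password(password, index, min_length=12):
    """Policy hook for a password change: reject breached or short passwords."""
    if breach_count(password, index) > 0:
        return "rejected: found in breach corpus"
    if len(password) < min_length:
        return "rejected: shorter than %d characters" % min_length
    return "accepted"

INDEX = build_index(BREACHED_CORPUS)
```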
Justin continues to explain the Defense-in-Depth strategy, "[This] applies security countermeasures using a layered approach. The focus is to stack protections that mitigate attacks not caught by a previous line of defense. An organization that enforces Multi-Factor Authentication reduces the risk of credential compromise by layering the protection provided by a single-factor password (something you know) with an additional factor (e.g., something you have). If an employee's credentials are compromised, the second authentication factor prevents the adversary from using the credentials because they do not have access to both authentication factors."
What Can You Do?
Solid security processes, employee awareness, and training can reduce the likelihood of attacker success. Nonetheless, it is always best to assume that a breach will happen, so the additional focus should be on limiting the impact using a combination of least privilege implementation and a defense-in-depth strategy.
Original Version Written By: Justin Sylvester
Justin is a thought leader within the cybersecurity community and has written several articles and presentations on gaining visibility into organization and enterprise-wide vulnerabilities.
Justin is a driving force of innovation for SecureStrux and the principal developer of the PowerStrux suite of auditing tools. PowerStrux Suite is a collection of analytic toolsets that leverage the Windows PowerShell (Windows) and PowerShell Core (Linux) scripting languages to ingest, parse, and report on system events.