Fighting credential theft with automation: the answer to the CISO's puzzle

November 2022 by Jérôme BEAUFILS, head of SASETY

More than 24 billion stolen credentials are available on the Internet and the Dark Web. Their use by cybercriminal groups is the leading attack vector, far ahead of phishing and vulnerability exploitation. With these credentials, attackers take control of user accounts and expose organizations to breaches, ransomware and data theft.

Although CISOs are aware of this threat and often have tools to reduce the risk, the daily news shows that these tools are far from sufficiently applied. A structured and continuous approach reduces risk exposure, but it is too heavy a burden for security teams that are often short-staffed. Automating the detection and identification of the risks that are real for the organization is the only response that keeps pace with the dynamics of the threat.

Nature of risk

80% of web application breaches involve compromised credentials. Attackers use techniques such as social engineering, brute force and the purchase of credentials on the dark web to compromise identities and gain access to organizations' resources.

They often take advantage of the following weaknesses:

Same password across several applications
Same password for personal and business applications
Passwords stored in browsers
Reused or long-lived passwords
Unused accounts (employees who have left the company, service providers, service accounts, etc.)
Passwords shared between several users

The main challenge for the organization is that attackers need only one valid credential to break in.

Risk mitigation

To reduce their risk exposure, organizations need to focus on what is exploitable from the attackers’ perspective.

An effective methodology is based on the following steps:

Collect stolen credentials

To start fixing the problem, security teams need to collect data on the organization's credentials that have been stolen and exposed in various places on the web and the dark web. Services such as HaveIBeenPwned or the Hasso Plattner Institute are useful here. This step provides an initial status report and identifies the individual accounts that need to be updated.

Identify the actual risk of exposure

Once the data is collected, security teams need to determine which of these credentials can actually be used against the organization.

To do this, they must apply techniques similar to those of attackers:

Check whether the credentials give access to external resources, such as web services and databases
Attempt to crack captured password hashes
Match stolen credentials against the organization's identity management tools, such as Active Directory
Test variants to identify further identities that could be compromised, since users typically reuse the same password patterns

Reduce the risk of exposure

After validating which stolen credentials actually expose the organization, security teams must take targeted actions to mitigate the risk, for instance:

Remove exposed inactive accounts from Active Directory
Initiate password changes for active users
Review password management processes and policy (hardening, lifecycle)

Implement a continuous validation process

Attackers' techniques and organizations' attack surfaces are constantly evolving, especially where user accounts are concerned. A one-off effort to identify, verify and reduce credential exposure is therefore insufficient. To combat this risk sustainably, organizations must adopt a continuous remediation approach. However, the burden of these manual actions is too great for security teams with limited resources.

The only way to effectively manage the threat is to automate the validation process.
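As an added example (not the article's code, nor that of any vendor it mentions), here is the core of an automated triage step that chains the identification and reduction steps above: it matches breach-dump entries against a directory export, chooses a remediation action per account, and flags passwords shared between several users. The record shapes, field names and sample data are assumptions constructed for the example.

```python
from collections import defaultdict, namedtuple
from datetime import date

# Directory export row and breach-dump row (constructed shapes, not a real tool's output).
Account = namedtuple("Account", "email enabled pwd_last_set")  # pwd_last_set: last password change
Leak = namedtuple("Leak", "email leak_date pwd_hash")  # pwd_hash: hash as found in the dump

# When one account appears in several leaks, the higher-priority action wins.
PRIORITY = {"remove-inactive-account": 3, "force-password-reset": 2, "monitor": 1}


def triage(accounts, leaks):
    """Map each leaked organisation account to a remediation action and flag shared passwords."""
    directory = {a.email.lower(): a for a in accounts}
    actions = {}
    hash_owners = defaultdict(set)
    for leak in leaks:
        email = leak.email.lower()  # dumps are inconsistent in case; match on the normalised address
        acct = directory.get(email)
        if acct is None:
            continue  # personal or unknown address: nothing to fix in the directory
        hash_owners[leak.pwd_hash].add(email)
        if not acct.enabled:
            action = "remove-inactive-account"  # stale identity: delete rather than reset
        elif acct.pwd_last_set <= leak.leak_date:
            action = "force-password-reset"  # the dumped password may still be the current one
        else:
            action = "monitor"  # already rotated after the leak; keep watching for new dumps
        if PRIORITY[action] > PRIORITY.get(actions.get(email), 0):
            actions[email] = action
    # The same hash on two organisation accounts means a password shared between users.
    shared = {h: sorted(o) for h, o in hash_owners.items() if len(o) > 1}
    return actions, shared


# Constructed sample data: fictitious accounts, dates and hash values.
ACCOUNTS = [
    Account("alice@example.com", True, date(2022, 3, 1)),
    Account("bob@example.com", True, date(2022, 9, 15)),
    Account("carol@example.com", False, date(2020, 1, 10)),
    Account("dave@example.com", True, date(2022, 1, 5)),
]
LEAKS = [
    Leak("alice@example.com", date(2021, 1, 1), "hash-old"),     # rotated since: monitor only
    Leak("Alice@Example.COM", date(2022, 6, 1), "hash-common"),  # newer than her last change
    Leak("bob@example.com", date(2022, 6, 1), "hash-common"),    # same password as alice
    Leak("carol@example.com", date(2021, 11, 20), "hash-c"),     # disabled account
    Leak("dave@example.com", date(2021, 7, 4), "hash-d"),        # changed after the leak
    Leak("someone@gmail.com", date(2022, 6, 1), "hash-x"),       # not an organisation account
]
```

Running `triage(ACCOUNTS, LEAKS)` yields one action per matched account and a list of accounts sharing `hash-common`; in a real pipeline the output would be fed to the ITSM or identity tooling rather than printed.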

Automation

Since 2021, Gartner has framed this automation under the concepts of "Automated Penetration Test and Red Team Tool" and "External Attack Surface Management". These concepts bring together techniques that continuously identify exposed risks on an organization's attack surface, so that remediation work can focus on proven risks.

Among the vendors, Pentera is now the leader in automated cyber validation.

Using the latest and most advanced attack techniques, its solution runs automatic and continuous ethical attacks to highlight static and dynamic vulnerabilities. These tests are run from both outside and inside the organization, covering the entire attack surface.

Among its features, the "Leaked Credentials" module automates the discovery of stolen credentials and the verification of the exposure they represent for the organization:

On external services (SaaS, websites, messaging)
On internal services (applications, workstations, servers, infrastructure elements)

The result of these investigations presents the complete attack vectors together with a description of the remediation actions to be carried out by the security teams. Integration with SIEM or ITSM tools makes it possible to fold this process into the organization's overall cybersecurity risk management. These solutions are the future of threat monitoring, detection and prevention.
