How to Prevent Credential-Based Attacks 

Amid increasingly sophisticated tools and techniques being employed by threat actors to launch cyber-attacks, compromised credentials continue to be a key initial access approach.

Numerous high-profile cyber-incidents in the past year can be traced back to stolen credentials. In July 2023, tech giant Microsoft revealed that Chinese threat group Storm-0558 compromised one of its engineer’s corporate accounts, enabling it to spy on the US State and Commerce Departments and other US government agencies.

In another case, Okta customer data was exposed after an adversary used a stolen credential to access its support case management system.

In October 2023, DNA testing firm 23andMe was hit by a credential stuffing campaign, leading to nearly 7 million individuals’ data being accessed. The company controversially blamed user “negligence” for the breach, as the attackers used usernames and passwords accessed in separate breaches to access customer accounts.

With such incidents leading to potentially severe reputational and financial consequences, such as fines and lawsuits, there are a number of steps organizations should be taking to reduce the risk of credential-based attacks succeeding.

Organizations should take the initiative and encourage their customers and staff to improve their password practices, in line with advice issued by government agencies like the UK’s National Cyber Security Centre (NCSC) and the US’ National Institute of Standards and Technology (NIST).

This includes recommendations around password length and types. Guidance in recent years has recognized the need to make password security less complex for users, for example not mandating the use of special characters.

This training should also encourage the use of password managers, which is strongly advocated by the cybersecurity industry as a means of keeping login credentials safe, despite well-publicized breaches of popular password manager services.

Any cybersecurity awareness messages delivered by organizations to customers and staff must be made as engaging as possible, taking into account psychological insights into how humans best process information.

A key criticism of 23andMe’s assertion that users were to blame for the breach is that they did not mandate multi-factor authentication (MFA) for customer accounts. According to research from Microsoft in 2019, having a second layer of authentication can block 99.9% account compromise attacks.

While any type of MFA will make a big difference, in recent years, attackers have developed effective MFA bypass techniques, particularly for methods like SMS, email, push notifications and one-time codes. Therefore, organizations should ensure that their most privileged users go through the most secure forms of MFA to access their accounts. These include FIDO compliant tools, such as Yubikey.

Recent years has seen a significant evolution in the availability and use of passwordless technologies. For example, biometric authentication has become standard on smartphones, while big tech firms like Google, Apple and Microsoft have taken huge strides towards removing passwords from their platforms for good with options like passkeys.

Yet, traditional usernames and passwords continue to be the primary authentication technique used by most organizations for employee and customer accounts. In this landscape, it is important that governments and the wider cybersecurity industry make organizations aware of the benefits of shifting to passwordless technologies, and help them to do so as seamlessly as possible.

ADVERTISEMENT

There are a range of measures that can be implemented that can protect users from credential-based attacks. These include:

• Password screening: These tools enable organizations to check customer and employee passwords against passwords that have been exposed in a known data breach.
• Disallow email addresses as user IDs: As credential stuffing attacks rely on the reuse of the same usernames across services, this tactic can be mitigated by preventing users from using their email address as an account ID.

Techniques like credential stuffing commonly use bots to automate the process of testing lists of login credentials obtained in previous data breaches. Therefore, it is vital organizations implement technologies capable of identifying and blocking bad bots.

These include tools like CAPTCHA to prevent bots from logging in to online accounts, while security teams should continuously monitor anomalies or spikes for failed login attacks. This will allowing them to understand where the traffic is coming from and take steps to stop nefarious bot activity.

Enjoyed this article? Make sure to share it!

Looking for something else?