It’s World Password Day, but it’s never a bad time to think about credential security and usage. Credentialed attacks are the most popular means of entry into any digital infrastructure, and remain the easiest method of reconnaissance and privilege escalation for bad actors. With some of the most sophisticated open-source attack tools to date, it’s important for organizations to fight machine speeds with machine speeds, and humans by exception.
Attack vectors relying on compromised credentials outpace any other exploit or vulnerability. Since 2016, the industry has seen a 280% increase in credential compromise, and in 2021, 61% of all intentional breaches were associated with credential exfiltration.
Attackers have more options than ever, from brute forcing, phishing, or social engineering, to hash dumps, for-sale credential lists, and more. Regardless of the methodology, it’s incredibly effective: 79.5% of all manufacturing attacks last year leveraged stolen credentials to either gain initial access or enable the attacker to steal additional credentials and deploy payloads based on the permissions granted through loot credentials.
Keeping passwords safe goes beyond just user education and proper configurations. Organizations need to apply password policy and hygiene practices that make it harder for an attacker to progress. Industry recommendations have moved away from frequent password changes to using more complex, longer passwords as well as unique passwords across accounts.
Here’s a number that might keep you awake at night: in 2021, 95% of organizations hit by credential stuffing attacks faced between 637 and 3.3 billion malicious login attempts over the course of a year. According to a GTRI study, an eight-character password can be brute forced in a matter of minutes. Compare this to current best practices, which include a 12-character password and at least three of the five complexity categories as defined by Microsoft, which would take 34,000 years for a computer to crack.
An additional obstacle organizations often overlook when it comes to hygiene is the importance of having users within the organization apply the same care to their personal accounts. We are at a unique crossroads between traditional and AI-driven attacks where an attacker can automate the use of a personal account compromise to gather intel on the subject, which then drives a more bespoke, intelligent password spray into corporate accounts – after all, someone is bound to have a password with their dog’s name in it.
In one Horizon3.ai customer use case, a financial analyst’s weak password was cracked in under three minutes using Hashcat, after which NodeZero dumped the SAM database, opened the flood gates, and chained together every credential exploitation identified in the ATT&CK framework, to eventually escalate its privilege from local user to local admin, then to domain user, and ultimately, domain admin.
In the end, there are many factors that come into play when securing credentials. Organizations need to assess and address their own specific vulnerabilities to lock down their credentials and eliminate the risk of an attack or data breach. By supplementing a cyber defense policy with consistent testing against readily available open-source intelligence and attacks tools, organizations have a much better chance of protecting its crown jewels by chasing down the paths to least resistance an attacker would use.
Blog post written by Brad Hong, Customer Success Lead at Horizon3.ai. Follow Brad on LinkedIn.
