Credentials remain the key to unlocking digital ‘fortresses’ around the world. Why? Because instead of bombarding a company’s external defences, they allow cyber criminals to sneak through the back door. When faced with a well-guarded corporate network, identities present a very attractive attack method for cyber attackers, because they offer a high chance of success. According to Verizon’s recently announced 2021 Data Breach Investigations Report (DBIR), for example, 61% of all security breaches involve credentials in some shape or form.
Credential theft can be far more sophisticated than is often suggested, though. In corporate environments it also presents opportunities for cyber criminals when linked to non-traditional user identities – remote workers and third parties, for example. These unusual identities are often left with inadequate protection compared to their traditional counterparts. That inadequate protection can easily be exposed as an organisation’s tragic flaw, and the third-party origin of the recent SolarWinds attack is testament to that fact.
With that in mind, we recently asked CISOs and security executives at large enterprises about the extent of the problem, with the aim of learning more about how credential theft is evolving. It came as no surprise to us when 97% of participants said credential theft is on the rise. Credentials and their related identities are posing a more pressing challenge than ever before, and one that IT teams must address quickly.
Spear-phishing attack patterns are shifting
Phishing has long scourged both consumers and organisations. The well-established method lures targets into offering sensitive information by using social engineering techniques. This sensitive information often relates to their credentials, which can provide unwarranted access when leaked.
Spear phishing – a more precise form of phishing – poses a more advanced threat to organisations. It typically involves attackers choosing specific people at specific organisations and targeting them individually to obtain credentials with the desired level of access.
The majority of participants (56%) in our research reported a rise in credential theft attacks targeting end-users, many of which incorporated these tactics. Almost half (48%) also reported a rise in attacks targeting senior leadership, which illustrates the increasing threat spear-phishing poses. All this evidence suggests cyber criminals are recognising the increasing potential of exploiting non-traditional users, and using it to gain high-level access.
This trend can be attributed to multiple different changes in the security landscape in recent months:
- The massive rise in cloud computing, forecast to grow almost 20% in the current year – because organisations have adopted cloud in such a short period, security is struggling to keep pace. Cloud accounts are often misconfigured and, therefore, vulnerable to exploitation.
- The increase in remote working – employees are now accessing sensitive areas of corporate networks from insecure devices and locations. IT teams are still struggling to maintain the same levels of monitoring and security they enjoyed before the pandemic.
- Organisations employing more and more third parties, all of which need different levels of access – these third-party accounts are often misconfigured, allowing access where it should be denied. 39% of those we surveyed said these types of user are suffering more frequent attacks, because attackers know they are often poorly protected.
These challenges require the adoption of new security methodologies suitable for today’s threat landscape.
Is Zero-Trust the answer?
The adoption of cloud services, third parties, and remote access has dissolved the traditional network perimeter and made security a far more complex equation than before. Identity security is quickly emerging as the primary line of defence for most organisations, because it allows security teams to tailor each user’s access proportionately to the needs of their job role. Underpinning this model is Zero-Trust – the practice of treating all accounts with the same minimal level of access until they are authenticated.
In cloud environments, for example, any human or machine identity can be configured with thousands of permissions to access cloud workloads containing critical information. User, group, and role identities are typically assigned permissions depending on their job functions. Providing each identity with its own unique permissions allows users to access what they need, when they need it, without putting company assets at risk of breach. In combination with Zero-Trust, it ensures each identity is only able to gain that access once it is authenticated.
The increasing recognition of Zero-Trust as security best practice has led its stock to rise significantly, so much so that 88% of those we researched categorised it as either ‘important’ or ‘very important’ in tackling today’s advanced threats. Those same individuals also identified the effective management of identities – in order to provide appropriate privileged access – as a top priority when it comes to implementing a zero-trust model.
The duration of privileged access needs highlighting here, too. Identities should never be granted permanent or standing access to information, data and assets, but only be granted access when they need it. Every hour in excess provides another hour of opportunity for potential attackers to exploit. Security professionals are recognising this more and more, with 87% of those we surveyed classing the reduction of standing privileges as “important” or “very important”.
Many are turning to ‘just-in-time’ access controls as a solution to this problem of providing temporary access. These controls allow IT teams to give accounts differing levels of access at different times, depending on which tasks they are working on, or even for third parties jumping between short-term contracts.
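To make the distinction between standing and just-in-time access concrete, here is an added illustration (not from the article or from any vendor’s product) of a minimal grant store that issues access with an expiry and audits for grants that never expire; the class names, field names and the eight-hour ceiling are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed policy limit for this example: no JIT grant may outlive one shift.
MAX_JIT_TTL = timedelta(hours=8)


@dataclass
class Grant:
    principal: str                  # user, service account or third-party contractor
    permission: str                 # e.g. "prod-db:admin" (constructed label)
    granted_at: datetime
    expires_at: Optional[datetime]  # None means standing (permanent) access


class AccessStore:
    """Minimal grant store that tells time-boxed access apart from standing access."""

    def __init__(self) -> None:
        self.grants: List[Grant] = []

    def grant_jit(self, principal: str, permission: str, ttl: timedelta,
                  now: datetime) -> Grant:
        """Issue access that expires on its own; refuse over-long windows."""
        if ttl <= timedelta(0) or ttl > MAX_JIT_TTL:
            raise ValueError(f"ttl must be within (0, {MAX_JIT_TTL}]")
        grant = Grant(principal, permission, now, now + ttl)
        self.grants.append(grant)
        return grant

    def grant_standing(self, principal: str, permission: str, now: datetime) -> Grant:
        """Legacy-style permanent grant, kept only so the audit has something to flag."""
        grant = Grant(principal, permission, now, None)
        self.grants.append(grant)
        return grant

    def is_allowed(self, principal: str, permission: str, now: datetime) -> bool:
        """Authorisation check: a grant counts only while it has not yet expired."""
        return any(
            g.principal == principal and g.permission == permission
            and (g.expires_at is None or now < g.expires_at)
            for g in self.grants
        )

    def standing_privileges(self) -> List[Grant]:
        """Audit helper: every grant without an expiry is exposure around the clock."""
        return [g for g in self.grants if g.expires_at is None]
```

Running `standing_privileges()` on a real permission inventory is the audit that turns the “reduce standing privileges” goal into a measurable list of grants to convert to just-in-time.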
The need to protect privileged credentials won’t disappear any time soon, particularly as we continue to feel the reverberations from the SolarWinds attack. Organisations must stop attackers from gaining high-level access, and as new identities multiply, it’s clear their approach to identity security must be based on a strong zero-trust foundation. It’s paramount for security leaders seeking to mitigate the risks of spear-phishing, impersonation attacks, and other forms of compromise, in a world of evolving threats.