IT security should be a simple concept—it’s essentially about being able to prove you are who you say you are.
The “you” in this context might be an individual logging into a network or service, a device interacting with an application programming interface (API), one network talking to another, or a host of other potential scenarios.
The corresponding proof of identity could be a certificate, a Secure Socket Shell (SSH) key (SSH is a network protocol built on public-key cryptography that lets authorised users access a computer or other device remotely), a confirmation code, facial or fingerprint recognition and, not forgetting the enduring favourite, the increasingly outdated yet seemingly un-killable password.
The basic password and its use on computers dates back to the 1960s and is one of the most familiar and also most heavily abused forms of credential used in computer authentication processes. Technology has since progressed rapidly but the password has not.
Malicious credential abuse is an important security threat which is fast becoming every chief information security officer’s (CISO) worst nightmare. The seriousness of such attacks stems from the fact that they can lead to a widespread penetration of critical network infrastructures.
What is credential abuse?
Credential abuse can come in many guises. One of the most common is when an employee “borrows” a colleague’s user ID and password. The purpose may be benign—to complete a piece of work on time—or malicious, but this behaviour occurs frequently throughout industry and makes a nonsense of assigning privilege levels to specific individuals.
These situations are further complicated by attackers who often masquerade as legitimate users to penetrate the organisation’s systems and gain illegitimate access to data, which can include even more credentials. Such attacks are likely to result in significant financial or reputational damage, meaning resilience against them should be part of every CISO’s planning and business recovery processes.
However, just because these attacks are among the most commonplace does not mean a CISO should implement countermeasures based purely on trends or the “popularity” of a threat. A good CISO and their team will work closely with the board to develop an understanding of organisational priorities and what needs to be defended.
The board should also provide business guidance and have an agreed strategy with the CISO. This should include building defence in depth using ISO 27000 series (thematic defence), in conjunction with a Kill Chain response such as the Lockheed Martin Kill Chain for a process or temporal-based defence. In addition, the CISO should develop, and periodically review, these protocols against organisational intelligence developed from horizon scanning or scenario planning, enabling the CISO to prioritise credential abuse tactics against a wider overview.
Brute Force and credential stuffing
Attacks vary. Traditional credential theft and the manipulation of business practices were used in combination in the Scattered Canary attack on US financial benefits early in the Covid-19 pandemic. Built on credential theft, and presumably the storage of credentials, this approach took advantage of the non-verification of financial claims.
A Brute Force attack uses trial-and-error to guess, for example, individual user names and passwords. All possible combinations are attempted in the hope that one of them will result in the correct information. The search space within which the “algorithm” is looking for answers can be very large and, depending on the length and complexity of the password, cracking it using Brute Force can take anywhere from a few minutes to decades. The smaller the search space, the higher the rate of success and the quicker access is gained.
Credential stuffing reduces the search space that Brute Force needs. It uses exposed data from leaked databases or other illegitimate access. The availability of this data dramatically reduces the number of guesses needed to gain access. Both Brute Force and credential stuffing are effective when dealing with accounts that use weak passwords, or whose owners are not particularly cyber-savvy, but less so with more secure systems.
AI-augmented algorithms
The use of AI-augmented algorithms adds sophistication to the attacker’s arsenal. AI Bots are used to gather pertinent data—for example, chatbots realistically befriending employees on social media and using convincing impersonations to bypass controls.
This reconnaissance phase limits the search space, and algorithms in the form of machine-learning password crawlers are then applied to guess credentials in a matter of seconds. These AI-augmented attacks need AI-based solutions to counter them. Bot management defence systems use rate-limiting in combination with an IP reputation database to stop malicious bots from making login attempts without impacting legitimate logins.
One example of a defence mechanism is the Cloudflare Bot Management, which uses machine learning algorithms to collect data from over 400 billion requests routed through the Cloudflare network each day, identifying and stopping credential-stuffing bots with very high accuracy.
But let’s keep things in perspective: although AI-powered algorithms can be an efficacious tool within the attackers’ arsenal, these algorithms are largely used for Distributed Denial of Service or cryptocurrency calculations.
A major facilitator behind credential abuse is simply a gap in users’ behaviour, otherwise known as “intellectual laziness”—using the same password for several applications. Many of us do this because one or two passwords are easier to remember. According to TeleSign, 71% of users use the same passwords for multiple accounts. There have been approximately 360 breaches in the past five years, resulting in three billion accounts and 550 million unique passwords being leaked.
While using a strong password, or pass-phrase, provides a solid protection against Brute Force attacks, it offers little protection against credential stuffing if the password or pass-phrase is shared across several accounts.
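The contrast drawn in the Brute Force and credential-stuffing passages above and in the sentence just before this can be made concrete in code. The example below is added here and is not from the article: it estimates a password’s Brute Force search space (the quantity a strong pass-phrase raises) and then checks the same password against a breach corpus using a prefix range query, the k-anonymity pattern that services such as Have I Been Pwned’s Pwned Passwords use, so that the full password hash never leaves the client. The corpus, the leaked passwords and the per-class alphabet sizes are constructed assumptions for illustration.

```python
"""Strong-but-reused: search-space estimate vs. breach-corpus check.

Added example, not the article's own code. BREACHED_HASHES is a constructed
stand-in for a breach-lookup service queried by SHA-1 prefix (k-anonymity).
"""
import hashlib
import math

# Constructed corpus: SHA-1 of passwords seen in (fictional) leaks.
LEAKED_PASSWORDS = ["password1", "Summer2019!", "letmein", "qwerty123"]
BREACHED_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in LEAKED_PASSWORDS
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query(prefix):
    """Service side (simulated): return every stored hash suffix whose hash
    starts with the 5-character prefix. The service never sees the full hash."""
    assert len(prefix) == 5, "range queries use a 5-hex-digit prefix"
    return {h[5:] for h in BREACHED_HASHES if h.startswith(prefix)}


def is_breached(password):
    """Client side: send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


def brute_force_bits(password):
    """Rough search-space estimate in bits: length * log2(alphabet size).
    Alphabet sizes per character class are assumed (26/26/10/33)."""
    classes = [
        any(c.islower() for c in password) * 26,
        any(c.isupper() for c in password) * 26,
        any(c.isdigit() for c in password) * 10,
        any(not c.isalnum() for c in password) * 33,
    ]
    alphabet = sum(classes)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def assess(password):
    """Return (breached, estimated_bits). A high-bit password that appears in
    the corpus is still unsafe: reuse, not strength, is what stuffing exploits."""
    return is_breached(password), round(brute_force_bits(password), 1)


if __name__ == "__main__":
    for pw in ["Summer2019!", "correct horse battery staple"]:
        breached, bits = assess(pw)
        print(f"{pw!r}: ~{bits} bits of search space, breached={breached}")
```

Run as a script, the constructed leaked password "Summer2019!" scores roughly 72 bits of search space yet is rejected because it is in the corpus, while the longer pass-phrase scores far higher and is absent from it; the point is that the breach check, not the strength estimate, is what defends against credential stuffing.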
External and internal threats
Where does this threat come from? According to the Data Breach Investigations Report 2020, external attackers were responsible for the majority (70%) of stolen data, compared with 30% insider threats.
The only sector with a bigger insider problem, according to the DBIR, is the healthcare sector, where the split is nearly 50-50 between external and insider attacks. Insider issues in healthcare range from simple human error to employee misuse, such as medical workers accessing patients’ records out of curiosity.
So what can boards do to prevent this?
The first step in developing resilience protection against credential abuse is education. This requires a commitment from the board to continuous training and staff development programmes that nurture higher levels of cyber hygiene among employees, clients and other stakeholders within the supply chain.
Simple steps like using strong pass-phrases and not repeating them across multiple access points will help reduce the threat. IT departments and security teams also need to take the necessary steps to ensure that the IT infrastructure is as secure an environment as possible for employees to operate in.
Detection tools and processes need to be in place to identify any possible credential-stuffing attacks at the earliest opportunity. This is important because stolen credentials are rarely ever used immediately. Attackers require time to analyse the data they capture before exploiting it. This means that the faster an organisation can detect an attack, the better position it is in to reduce or nullify its impact.
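The bot-management defence described earlier (rate-limiting combined with an IP reputation database) and the early-detection requirement in the paragraph above can be shown together. The example below is added here and is not from the article or any product it names: it runs a sliding-window per-source rate limit, a reputation-list check and a credential-stuffing heuristic (many distinct usernames and a high failure ratio from one source) over a few constructed authentication log lines. The log format, thresholds and reputation list are all assumptions for illustration.

```python
"""Credential-stuffing detection over a constructed authentication log.

Added example, not the article's own code. Log format, thresholds and the
reputation list are assumptions; a real deployment would read its own log
schema and query a live reputation feed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <result>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 alice FAIL
2024-05-01T10:00:01 198.51.100.7 bob FAIL
2024-05-01T10:00:01 198.51.100.7 carol FAIL
2024-05-01T10:00:02 198.51.100.7 dave FAIL
2024-05-01T10:00:02 198.51.100.7 erin FAIL
2024-05-01T10:00:03 198.51.100.7 frank OK
2024-05-01T10:00:05 203.0.113.9 alice FAIL
2024-05-01T10:00:40 203.0.113.9 alice OK
2024-05-01T10:01:00 192.0.2.44 grace OK
"""

# Constructed reputation list (assumption standing in for a real feed).
KNOWN_BAD_IPS = {"192.0.2.44"}

WINDOW = timedelta(seconds=60)
MAX_ATTEMPTS_PER_WINDOW = 5   # per-source rate limit
MIN_DISTINCT_USERS = 4        # stuffing signature: many accounts, one source
MIN_FAIL_RATIO = 0.8          # ...and most of the attempts fail


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within a trailing time window."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] > self.window:
            q.popleft()          # drop events that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def analyse(log_text, bad_ips=KNOWN_BAD_IPS):
    """Return {source_ip: sorted list of reasons it was flagged}.
    Sources that trigger nothing are absent from the result."""
    limiter = SlidingWindowLimiter(MAX_ATTEMPTS_PER_WINDOW, WINDOW)
    users, attempts, failures = defaultdict(set), defaultdict(int), defaultdict(int)
    flags = defaultdict(set)
    for line in log_text.splitlines():
        ts, ip, user, ok = parse_line(line)
        if ip in bad_ips:
            flags[ip].add("reputation")
        if not limiter.allow(ip, ts):
            flags[ip].add("rate_limit")
        users[ip].add(user)
        attempts[ip] += 1
        if not ok:
            failures[ip] += 1
    # Stuffing heuristic needs the whole window, so it runs after the pass.
    for ip in attempts:
        fail_ratio = failures[ip] / attempts[ip]
        if len(users[ip]) >= MIN_DISTINCT_USERS and fail_ratio >= MIN_FAIL_RATIO:
            flags[ip].add("stuffing_pattern")
    return {ip: sorted(reasons) for ip, reasons in flags.items()}


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(reasons)}")
```

On the constructed log, the source cycling through six accounts in three seconds trips both the rate limit and the stuffing heuristic, the listed address is flagged on reputation alone, and the user who mistypes once and then logs in successfully is left untouched, which is the "without impacting legitimate logins" property the article asks for.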
One of the biggest challenges that organisations face stems from the fact that the source of their problem is not necessarily entirely within their control. Credential stuffing can happen as a result of a compromise at other organisations, suppliers or partners which don’t have high-level defence systems or protocols in place.
No organisation, or individual for that matter, is immune to this kind of attack. Large corporates may be able to afford stronger technology infrastructure and better staff training programmes. But this is a continuous battle that requires constant vigilance, scaled to whether it’s an individual user, an SME or a large organisation.
Professor Kamal Bechkoum is head of the school of computing and engineering at the University of Gloucestershire.