Credentials, the Keys to the Kingdom
On August 30th, I was honored to be the keynote speaker at a lunch and learn event organized by Proofpoint Inc. in Palo Alto, California. The presentation focused on shedding light on how threat actors employ credentials within the cyber kill chain, underlining the pivotal role of credential management. I also delved into CISA's cyber performance goals (CPG) and described the specific controls pertaining to credentials. Following this insightful session, Proofpoint, Inc. representatives Madison Beane and Mark Morgan took the floor to discuss a Proofpoint solution. The luncheon drew participation from a distinguished gathering of 30 cybersecurity leaders from the heart of Silicon Valley. Below are brief notes on my presentation.
Multifactor authentication (MFA) has long been hailed as a crucial security measure in the fight against cyber threats. While it undoubtedly enhances security by adding an extra layer of protection beyond just a username and password, it's important to remember that MFA is not an infallible silver bullet. It significantly reduces the risk of unauthorized access, but it cannot completely eliminate it. Recent events, such as the case of Russian state-sponsored cyber actors gaining network access through the exploitation of default MFA protocols and the "PrintNightmare" vulnerability, serve as a stark reminder of MFA's limitations. As early as May 2021, the FBI observed a troubling scenario where these actors successfully breached an NGO's defenses, highlighting the fact that even well-implemented MFA systems can be compromised. Therefore, while MFA remains a critical tool in safeguarding our digital world, it should be viewed as one component of a comprehensive cybersecurity strategy rather than the ultimate solution. Vigilance, regular updates, and a multi-layered defense approach are key in today's ever-evolving threat landscape.
The insidious threat of Business Email Compromise (BEC) continues to loom large over U.S. businesses, posing a serious risk to their financial stability and security. This deceptive cybercrime tactic often involves the infiltration of a high-ranking executive's email account, typically belonging to the CEO or CFO, with the nefarious aim of sending fraudulent emails to employees authorized to conduct wire transfers. In these cases, the cybercriminals exploit trust and authority within the organization, leading to potentially devastating financial losses. Additionally, BEC incidents can also target vendors and suppliers, where attackers compromise their email accounts with the goal of tampering with bank account information. As BEC schemes become increasingly sophisticated, it's imperative for organizations to remain vigilant, educate their employees about the risks, and implement robust cybersecurity measures to safeguard credentials.
These stories serve as a stark reminder that in the realm of cybersecurity, credentials are indeed the keys to the kingdom. The theft and abuse of credentials have emerged as a pervasive and steadily growing concern in today's digital landscape. Adversaries have shifted their tactics, moving away from system-based threats and instead honing in on identity-based attacks. What's particularly alarming is the speed at which these attacks can be executed, often taking just a matter of days to infiltrate an organization's defenses. Even more concerning, these attacks can be carried out without leaving any discernible trace of compromise or the telltale signs of malware. Adversaries have become adept at "living off the land," exploiting legitimate tools and privileges to navigate their nefarious activities under the radar. In such a landscape, safeguarding credentials and implementing robust identity and access management strategies has never been more critical for businesses and individuals alike.
TTP and Credentials
Understanding the Tactics, Techniques, and Procedures (TTPs) employed by threat actors is paramount when it comes to fortifying your cybersecurity defenses. One invaluable resource for this understanding is the MITRE ATT&CK Framework, which provides a comprehensive knowledge base of adversary tactics and techniques. This framework serves as a crucial reference point for organizations to assess and enhance their security posture.
Credentials play a pivotal role in various stages of the attack chain, making it vital to scrutinize their usage meticulously. Threat actors often exploit weak or stolen credentials to gain unauthorized access to systems, move laterally within networks, and escalate their privileges. To shield your systems effectively, robust protection mechanisms are essential. This includes implementing strong password policies, employing multi-factor authentication (MFA), and regularly updating and patching software to mitigate vulnerabilities.
Equally crucial is early detection. Detecting malicious activity as soon as it occurs can significantly reduce the potential impact of a cyberattack. The dwell time—the duration an adversary remains undetected within a network—can vary depending on the adversary's sophistication and objectives. Thus, our primary goal should be to identify intrusions as early as possible to minimize the attacker's ability to exfiltrate data or cause damage.
In the ever-evolving landscape of cyber threats, staying informed about adversary TTPs, fortifying credential security, and honing early detection capabilities are key strategies to safeguard your systems and data from the relentless onslaught of cyberattacks.
Certain credentials and related services are especially vulnerable points in an organization's security posture and demand heightened attention. Among these are service accounts, which are often overlooked but can hold significant access privileges. Local admin accounts pose another risk, as their compromise can grant attackers extensive control over individual devices. Shadow admin accounts, which may exist due to misconfigurations or overlooked permissions, can also become dangerous entry points. Exposed credentials and cloud tokens are prime targets for cybercriminals seeking unauthorized access to cloud-based resources. Legacy app accounts, sometimes forgotten or poorly maintained, can harbor vulnerabilities that adversaries can exploit. Lastly, open Remote Desktop Protocol (RDP) sessions represent a direct pathway into a system, making them a favored target for attackers. Recognizing the vulnerability of these credentials and services is the first step toward shoring up security measures and safeguarding critical digital assets.
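As an added example (not code from the talk or from Proofpoint), the following Python script turns the risky credential types listed above into an automated audit over a small, constructed identity inventory: service accounts with interactive logon or privileged group membership, local administrator passwords shared across hosts (CPG 2.C), shadow admins holding admin-equivalent rights outside the admin groups, cloud tokens without expiry or exposed in a repository, a stale legacy application account, a departed user still enabled (CPG 2.D), and RDP reachable from the internet. The inventory schema, the 90-day staleness threshold, the group and right names, and every account, token and host value are assumptions chosen for illustration.

```python
"""Credential-risk audit over a constructed identity inventory.

Added example, not code from the talk or from Proofpoint. Field names,
group names, rights, thresholds and all sample values are assumptions; a
real audit would load them from directory, cloud IAM and endpoint exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TODAY = datetime(2023, 9, 1)            # fixed so the output is deterministic
STALE_AFTER = timedelta(days=90)        # assumed cutoff for "forgotten" accounts
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
# Rights that give admin-equivalent control without admin group membership
# (assumed names, modelled on directory permission types).
SHADOW_ADMIN_RIGHTS = {"ResetPassword:Domain Admins", "WriteDACL:Domain"}

# Constructed sample accounts (hypothetical names and values).
ACCOUNTS = [
    {"name": "svc-backup", "kind": "service", "enabled": True,
     "groups": ["Domain Admins"], "interactive_logon": True,
     "last_logon": TODAY - timedelta(days=1), "rights": []},
    {"name": "jdoe", "kind": "user", "enabled": True, "groups": ["Staff"],
     "interactive_logon": True, "last_logon": TODAY - timedelta(days=2),
     "rights": ["ResetPassword:Domain Admins"]},
    {"name": "legacy-erp", "kind": "app", "enabled": True, "groups": [],
     "interactive_logon": False, "last_logon": TODAY - timedelta(days=400),
     "rights": []},
    {"name": "mlee", "kind": "user", "enabled": True, "groups": ["Staff"],
     "interactive_logon": True, "last_logon": TODAY - timedelta(days=5),
     "rights": [], "hr_status": "terminated"},
]
# Constructed cloud tokens and endpoint data (hypothetical values).
CLOUD_TOKENS = [
    {"id": "tok-ci-1", "expires": TODAY + timedelta(days=7), "found_in_repo": False},
    {"id": "tok-old-2", "expires": None, "found_in_repo": True},
]
HOSTS = [
    {"name": "ws01", "local_admin_hash": "5f4dcc3b", "rdp_internet_exposed": False},
    {"name": "ws02", "local_admin_hash": "5f4dcc3b", "rdp_internet_exposed": False},
    {"name": "jump01", "local_admin_hash": "9a8b7c6d", "rdp_internet_exposed": True},
]


def audit(accounts=ACCOUNTS, tokens=CLOUD_TOKENS, hosts=HOSTS, today=TODAY):
    """Return sorted (subject, finding) tuples for everything needing attention."""
    findings = []
    for a in accounts:
        privileged = bool(set(a["groups"]) & PRIVILEGED_GROUPS)
        if a["kind"] == "service" and (a["interactive_logon"] or privileged):
            findings.append((a["name"], "service account with interactive logon or admin group"))
        if set(a["rights"]) & SHADOW_ADMIN_RIGHTS and not privileged:
            findings.append((a["name"], "shadow admin: admin-equivalent rights outside admin groups"))
        if a["enabled"] and today - a["last_logon"] > STALE_AFTER:
            findings.append((a["name"], "stale account still enabled"))
        if a["enabled"] and a.get("hr_status") == "terminated":
            findings.append((a["name"], "departed user still enabled (CPG 2.D)"))
    for t in tokens:
        if t["expires"] is None or t["expires"] < today:
            findings.append((t["id"], "cloud token without a valid expiry"))
        if t["found_in_repo"]:
            findings.append((t["id"], "cloud token exposed in a repository"))
    # Local admin reuse: group hosts by the hash of their local admin password
    by_hash = defaultdict(list)
    for h in hosts:
        by_hash[h["local_admin_hash"]].append(h["name"])
        if h["rdp_internet_exposed"]:
            findings.append((h["name"], "RDP reachable from the internet"))
    for names in by_hash.values():
        if len(names) > 1:
            findings.append((",".join(sorted(names)),
                             f"local admin password shared by {len(names)} hosts (CPG 2.C)"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in audit():
        print(f"{subject:12} {finding}")
```

Each rule is deliberately a one-line predicate over exported data rather than a live directory query, so the same checks can be rerun on every export and diffed against the previous run; the findings that disappear are the ones that were actually fixed.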
Cyber Kill Chain
Credentials play a pivotal role throughout the various phases of the cyber kill chain, each step presenting unique challenges for threat actors:
Resource Development: In this initial phase, adversaries may compromise existing accounts of vendors or partners of the target organization, a tactic classified under T1586 - Compromise Accounts (numbers reference the MITRE ATT&CK Framework). Compromised email accounts can serve as a potent weapon for phishing attacks or even be sold on the dark web by insiders. This phase is particularly concerning when privileged identities are targeted.
Initial Compromise (Access): For the initial breach, adversaries employ techniques like phishing, which involves impersonating trusted entities via email or malicious websites (T1566). These attacks can take the form of spearphishing attachments or links, or adversaries may simply log in with valid accounts (T1566.001, T1566.002, T1566.003, T1133, T1078).
Persistence: To maintain access over time, adversaries manipulate accounts and permissions, often modifying credentials or permission groups (T1098). This persistence phase is crucial for maintaining a foothold within the compromised system, and techniques include device registration, adding SSH authorized keys, and creating additional cloud or domain accounts (T1098.005, T1098.004, T1098.001, T1098.002, T1098.003, T1136, T1136.001, T1136.003, T1136.002).
Privilege Escalation: Adversaries strive to gain higher-level permissions to facilitate lateral movement and maintain persistence. This phase encompasses techniques like access token manipulation and exploitation for privilege escalation (T1134, T1068, T1078).
Lateral Movement: In their quest to reach their ultimate target, adversaries explore the network, often relying on alternative authentication methods (T1550). Techniques include application access tokens, pass-the-hash, pass-the-ticket, and web session cookie hijacking (T1550.001, T1550.002, T1550.003, T1550.004).
Understanding these phases and the role of credentials within them is critical for developing effective security strategies. By recognizing the significance of credentials throughout the cyber kill chain, organizations can better protect their systems and data against increasingly sophisticated threats.
The Cyber Performance Goals (CPG) established by the Cybersecurity and Infrastructure Security Agency (CISA) represent a crucial milestone in enhancing the resilience of critical infrastructure entities against evolving cyber threats. The CPG offers a baseline of cybersecurity practices applicable across the entire spectrum of critical infrastructure entities, irrespective of their size, and serves a multifaceted purpose. First and foremost, the practices it lists carry proven risk-reduction value, and this baseline serves as a benchmark, allowing critical infrastructure operators to gauge and enhance their cybersecurity maturity progressively. Moreover, the CPG bridges the gap between information technology (IT) and operational technology (OT) by offering a prioritized set of security practices, acknowledging the unique challenges faced by both domains.
To ensure alignment and coherence, CISA has organized the CPG according to the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) functions, which include Identifying, Protecting, Detecting, Responding, and Recovering. This alignment facilitates the integration of the CPG into existing cybersecurity practices and encourages a systematic approach to enhancing cybersecurity resilience.
One crucial aspect of the CPG that deserves special attention is its coverage of credentials. In today's threat landscape, credentials are a prime target for attackers. The CPG recognizes this and provides guidelines for securing credentials effectively. This includes practices such as changing default passwords, enforcing minimum password strength, ensuring uniqueness of credentials, and promptly revoking credentials for departing employees. Additionally, the CPG advocates for the separation of user and privileged accounts, the detection of unsuccessful login attempts, and the implementation of phishing-resistant multi-factor authentication (MFA). The CPG emphasizes the importance of credentials and provides practical guidance on safeguarding them, ultimately contributing to a more secure and resilient critical infrastructure landscape.
CPG on Credentials
2.A Changing Default Passwords
2.B Minimum Password Strength
2.C Unique Credentials
2.D Revoking Credentials for Departing Employees
2.E Separating User and Privileged Accounts
2.G Detection of Unsuccessful (Automated) Login Attempts
2.H Phishing-Resistant Multi-Factor Authentication (MFA)
3.A Detecting Relevant Threats and TTPs
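The following Python detector, added here as an example and not code from the talk, from CISA or from Proofpoint, shows what goal 2.G (detection of unsuccessful, automated login attempts) and goal 3.A (detecting relevant TTPs) look like when run over authentication logs. It implements two rules over a sliding window, repeated failures against one account from one source and one source failing against many distinct accounts, and then raises a higher-priority alert when a source that tripped either rule subsequently logs in successfully, which is the moment a valid account (T1078 from the kill chain above) may have changed hands. The log line format, the thresholds, the user names and the source addresses (taken from the RFC 5737 documentation ranges) are all assumptions constructed for this example.

```python
"""Detection of automated unsuccessful login attempts (CPG 2.G) over
constructed log lines.

Added example; it is not code from the talk, from CISA or from Proofpoint.
The line format, thresholds, user names and addresses are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO-8601 time> src=<ip> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
WINDOW = timedelta(minutes=5)   # sliding window for both rules (assumed)
BRUTE_FORCE_FAILS = 5           # failures on one account from one source
SPRAY_ACCOUNTS = 4              # distinct accounts failed from one source

# Constructed sample log (hypothetical users, documentation-range IPs).
SAMPLE_LINES = """\
2023-09-01T10:00:00Z src=203.0.113.5 user=alice result=FAIL
2023-09-01T10:00:10Z src=203.0.113.5 user=alice result=FAIL
2023-09-01T10:00:20Z src=203.0.113.5 user=alice result=FAIL
2023-09-01T10:00:30Z src=203.0.113.5 user=alice result=FAIL
2023-09-01T10:00:40Z src=203.0.113.5 user=alice result=FAIL
2023-09-01T10:00:50Z src=203.0.113.5 user=alice result=OK
2023-09-01T10:01:00Z src=198.51.100.7 user=frank result=FAIL
2023-09-01T10:01:05Z src=198.51.100.7 user=frank result=OK
this line is not an authentication event and is skipped
2023-09-01T10:05:00Z src=203.0.113.9 user=bob result=FAIL
2023-09-01T10:05:10Z src=203.0.113.9 user=carol result=FAIL
2023-09-01T10:05:20Z src=203.0.113.9 user=dave result=FAIL
2023-09-01T10:05:30Z src=203.0.113.9 user=erin result=FAIL
""".splitlines()


def parse(line):
    """Parse one line into a dict, or return None for non-auth lines."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "OK"}


def detect(lines):
    """Return alerts as (kind, source, detail, timestamp) in log order.

    brute_force: BRUTE_FORCE_FAILS failures on one account from one source
        inside WINDOW (fires when the count in the window reaches the threshold).
    password_spray: failures from one source against SPRAY_ACCOUNTS distinct
        accounts inside WINDOW (fires once per source).
    success_after_failures: a successful login from a source already flagged
        by either rule, the sign that a valid account may now be in an
        adversary's hands; this is the alert to work first.
    """
    alerts = []
    fails = defaultdict(deque)         # (src, user) -> failure times in window
    users_per_src = defaultdict(dict)  # src -> {user: last failure time}
    flagged, sprayed = set(), set()    # sources that tripped a rule
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, user, ts = ev["src"], ev["user"], ev["ts"]
        if ev["ok"]:
            if src in flagged:
                alerts.append(("success_after_failures", src, user, ts))
            continue
        # Rule 1: repeated failures on a single account
        q = fails[(src, user)]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) == BRUTE_FORCE_FAILS:
            alerts.append(("brute_force", src, user, ts))
            flagged.add(src)
        # Rule 2: one source touching many different accounts
        seen = users_per_src[src]
        seen[user] = ts
        recent = sum(1 for t in seen.values() if ts - t <= WINDOW)
        if recent == SPRAY_ACCOUNTS and src not in sprayed:
            alerts.append(("password_spray", src, f"{recent} accounts", ts))
            flagged.add(src)
            sprayed.add(src)
    return alerts


if __name__ == "__main__":
    for kind, src, detail, ts in detect(SAMPLE_LINES):
        print(f"{ts.isoformat()} {kind:24} {src:14} {detail}")
```

The spraying rule is the one a per-account lockout policy misses, because each account sees only one failure; that is why 2.G is phrased around automated attempts rather than around a single account's failure count. A single failure followed by a success (frank above) produces nothing, which keeps the rule quiet for ordinary typos.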
References
CISA Advisory: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-074a
CISA Alert: Business Email Compromise Continues to Swindle and Defraud U.S. Businesses. https://www.cisa.gov/news-events/alerts/2015/06/24/business-email-compromise-continues-swindle-and-defraud-us-businesses
CISA: Cross-Sector Cybersecurity Performance Goals. https://www.cisa.gov/cross-sector-cybersecurity-performance-goals
MITRE ATT&CK®. https://attack.mitre.org/