Cyber attacks are seldom carried out by highly skilled attackers anymore. Traditional hacking methods such as breaking encryption or punching through firewalls are becoming a thing of the past. The anatomy of a cyber attack is changing.
Criminals no longer hack in; they simply log in, because weak, stolen or otherwise compromised credentials offer an easy gateway to malicious actors, even those with only limited technical skills.
Logins stolen from employees
The recent breach at Twitter, in which dozens of prominent user accounts were hijacked, is a good example of how cyber attacks are carried out these days. According to the social media giant's own investigation, a 17-year-old from Florida used social engineering techniques to obtain the credentials of a small number of Twitter employees. The attacker was then able to abuse these logins to gain access to an important internal system. And Twitter is not alone: Forrester estimates that 80 percent of security breaches are now due to compromised credentials. An attacker who hijacks a privileged account can use it to move extensively through the network, unnoticed for a long time, in order to exfiltrate sensitive data or cause disruption.
The attack path of cyber criminals
Every cyber attack differs in its motivation and the damage it causes. However, all attacks share three basic phases, which apply to both external and insider threats. Below is an overview of how modern cyber attacks typically unfold:
1. Find a way inside
As mentioned, criminals today typically misuse compromised login credentials for their attacks. To obtain the credentials, they usually rely on social engineering techniques such as phishing campaigns. Attackers also take advantage of the millions of leaked credentials that are for sale on the dark web. Users who reuse the same or similar passwords across multiple accounts are therefore at risk when an attacker applies techniques such as credential stuffing or password spraying.
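Both techniques mentioned above leave a characteristic footprint in authentication logs, and that footprint is what a defender looks for. The following Python script is an added example for this article (it is not Centrify or ThycoticCentrify code): it parses constructed sshd-style "Failed password" lines, groups failures by source address, and labels a source as a spray (many distinct accounts, one or two guesses each), a brute force (many attempts against one account) or benign. The thresholds are assumptions that a defender would tune to their own environment, and the log lines are constructed sample data.

```python
"""Classify failed-login sources as password spraying, brute force or benign.

Added example for this article, not vendor code. Thresholds are assumptions.
"""
import re
from collections import defaultdict

# sshd-style failure line; the optional "invalid user" prefix appears when the
# guessed username does not exist on the host.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log, not real data. 203.0.113.9 tries six accounts once
# each (spray), 198.51.100.7 hammers root ten times (brute force), and
# 192.0.2.25 is a user who mistyped once and then logged in.
SAMPLE_LOG = """\
Mar 14 02:11:01 bastion sshd[4011]: Failed password for alice from 203.0.113.9 port 51102 ssh2
Mar 14 02:11:03 bastion sshd[4012]: Failed password for bob from 203.0.113.9 port 51104 ssh2
Mar 14 02:11:05 bastion sshd[4013]: Failed password for carol from 203.0.113.9 port 51106 ssh2
Mar 14 02:11:07 bastion sshd[4014]: Failed password for invalid user dave from 203.0.113.9 port 51108 ssh2
Mar 14 02:11:09 bastion sshd[4015]: Failed password for erin from 203.0.113.9 port 51110 ssh2
Mar 14 02:11:11 bastion sshd[4016]: Failed password for frank from 203.0.113.9 port 51112 ssh2
Mar 14 03:40:00 bastion sshd[4100]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 14 03:40:01 bastion sshd[4101]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 14 03:40:02 bastion sshd[4102]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar 14 03:40:03 bastion sshd[4103]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar 14 03:40:04 bastion sshd[4104]: Failed password for root from 198.51.100.7 port 40005 ssh2
Mar 14 03:40:05 bastion sshd[4105]: Failed password for root from 198.51.100.7 port 40006 ssh2
Mar 14 03:40:06 bastion sshd[4106]: Failed password for root from 198.51.100.7 port 40007 ssh2
Mar 14 03:40:07 bastion sshd[4107]: Failed password for root from 198.51.100.7 port 40008 ssh2
Mar 14 03:40:08 bastion sshd[4108]: Failed password for root from 198.51.100.7 port 40009 ssh2
Mar 14 03:40:09 bastion sshd[4109]: Failed password for root from 198.51.100.7 port 40010 ssh2
Mar 14 09:02:44 bastion sshd[4300]: Failed password for alice from 192.0.2.25 port 60012 ssh2
Mar 14 09:02:50 bastion sshd[4301]: Accepted password for alice from 192.0.2.25 port 60012 ssh2
"""


def parse_failures(log_text):
    """Yield (ip, user) for every failed-password line; other lines are ignored."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("user")


def classify_sources(log_text, spray_users=5, brute_attempts=10):
    """Return {ip: verdict}, verdict being 'spray', 'brute_force' or 'benign'.

    spray_users and brute_attempts are assumed thresholds; tune per environment.
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, user in parse_failures(log_text):
        per_ip[ip][user] += 1

    verdicts = {}
    for ip, users in per_ip.items():
        distinct_users = len(users)
        max_per_user = max(users.values())
        if distinct_users >= spray_users and max_per_user <= 2:
            verdicts[ip] = "spray"         # many accounts, a guess or two each
        elif max_per_user >= brute_attempts:
            verdicts[ip] = "brute_force"   # one account, many guesses
        else:
            verdicts[ip] = "benign"        # e.g. a single mistyped password
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
```

Credential stuffing with leaked username/password pairs produces the same many-accounts, few-attempts-each shape as a spray, so the "spray" verdict covers both; the difference shows up in the success rate rather than the failure pattern, which is why accepted logins immediately following such a burst deserve a second look.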
2. Navigating the system
Once inside, the attacker tries to scout the surroundings and escalate privileges in order to move laterally through the network and reach more critical infrastructure holding potentially valuable data. During this phase, attackers build an understanding of their environment by looking at IT schedules, security measures or network traffic flows. Network resources, privileged accounts, domain controllers and Active Directory are preferred targets because they often hold privileged credentials.
3. Data theft and covering tracks
Once attackers know where the valuable data can be reached, they look for ways to elevate their privileges further in order to extract that data and cover their tracks. They may also plant a backdoor, for example by adding an SSH key, so that they can exfiltrate more data in the future.
Best practices for protecting against today's cyberattacks
Building a solid perimeter and investing in a well-positioned security team remain fundamental. However, since today's attackers exploit poor password practices and unsecured privileged accounts, organizations must adapt their security strategy to these threats and focus on protecting identities and credentials.
Shared privileged credentials should be stored in a password vault and managed there. Vaulting alone, however, is not enough to defend against a dynamic threat landscape that digital transformation has expanded considerably with new attack surfaces such as the cloud and DevOps.
Implement the least privilege approach
Companies should therefore implement a least privilege approach based on individual human and machine identities. In addition, systems are needed that check which employee or which application is requesting access to a resource, and why. The risk of each access context must be assessed, and authorizations for the target resource granted only for the minimum required time. Here are three points that companies should build into their security strategy:
- Use a zero trust approach: The zero trust model assumes that attackers are already in the network. Therefore, no user or request should be trusted until fully verified. Only least privilege access should then be granted, with no more permissions than necessary. Security architectures must be structured to take this into account.
- Use multi-factor authentication for privileged access management: Multi-factor authentication is a simple security measure and should be used wherever privileges are elevated, with dedicated access zones additionally reinforcing this defense.
- Use machine learning for real-time risk awareness: Machine learning algorithms can monitor the behavior of privileged users, identify abnormal and high-risk activity, and raise an alarm to stop suspicious activity.
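The three points above fit together as one decision: verify every privileged request, judge its risk from the requester's normal behavior, and let that risk decide between granting least privilege access, demanding step-up authentication, or blocking and alerting. The following Python script is an added example written for this article (not part of any vendor product) that ties them together with a deliberately simple baseline model instead of a full machine learning pipeline: it learns from constructed historical session records which source hosts, target hosts and working hours each privileged user normally uses, scores new requests by how far they deviate, and maps the score to an allow / step-up MFA / deny decision. The user names, host names, weights and thresholds are all assumptions.

```python
"""Risk-score privileged access requests against a per-user behavioral baseline.

Added example for this article, not vendor code. History, weights and
thresholds are constructed assumptions to be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: (user, source_host, target_host, ISO-8601 timestamp).
HISTORY = [
    ("dbadmin", "wks-017", "db-prod-01", "2023-03-01T09:15:00"),
    ("dbadmin", "wks-017", "db-prod-02", "2023-03-01T10:40:00"),
    ("dbadmin", "wks-017", "db-prod-01", "2023-03-02T14:05:00"),
    ("dbadmin", "wks-017", "db-prod-01", "2023-03-03T11:30:00"),
    ("dbadmin", "wks-017", "db-prod-02", "2023-03-03T16:20:00"),
    ("netops",  "wks-042", "core-sw-01", "2023-03-01T08:50:00"),
    ("netops",  "wks-042", "core-sw-02", "2023-03-02T09:10:00"),
]


class Baseline:
    """Per-user profile of normal source hosts, target hosts and hours of day."""

    def __init__(self):
        self.sources = defaultdict(set)
        self.targets = defaultdict(set)
        self.hours = defaultdict(set)

    def learn(self, records):
        for user, src, dst, ts in records:
            self.sources[user].add(src)
            self.targets[user].add(dst)
            self.hours[user].add(datetime.fromisoformat(ts).hour)
        return self


def score_request(baseline, user, src, dst, ts):
    """Return (score, reasons); each deviation from the baseline adds weight."""
    if user not in baseline.sources:
        # A privileged identity with no history at all is treated as highest risk.
        return 100, ["no baseline for user"]

    score, reasons = 0, []
    if src not in baseline.sources[user]:
        score += 40
        reasons.append(f"new source host {src}")
    if dst not in baseline.targets[user]:
        score += 30
        reasons.append(f"new target {dst}")
    hour = datetime.fromisoformat(ts).hour
    # Tolerate one hour either side of any previously seen working hour.
    if not any(abs(hour - h) <= 1 for h in baseline.hours[user]):
        score += 30
        reasons.append(f"unusual hour {hour:02d}:00")
    return score, reasons


def decide(score, allow_below=30, deny_from=70):
    """Map a risk score to a zero trust outcome (thresholds are assumptions)."""
    if score < allow_below:
        return "allow"
    if score < deny_from:
        return "step_up_mfa"
    return "deny_and_alert"


def evaluate(baseline, user, src, dst, ts):
    """Convenience wrapper returning (decision, score, reasons) for one request."""
    score, reasons = score_request(baseline, user, src, dst, ts)
    return decide(score), score, reasons


if __name__ == "__main__":
    model = Baseline().learn(HISTORY)
    requests = [
        ("dbadmin", "wks-017", "db-prod-01", "2023-03-10T10:00:00"),
        ("dbadmin", "wks-017", "db-prod-03", "2023-03-10T13:00:00"),
        ("dbadmin", "lt-unknown", "dc-01", "2023-03-11T03:00:00"),
        ("svc-backup", "wks-017", "db-prod-01", "2023-03-11T10:00:00"),
    ]
    for req in requests:
        decision, score, reasons = evaluate(model, *req)
        print(f"{req[0]:11} -> {decision:15} score={score:3} {reasons}")
```

The point of the wrapper is that the access decision, not just the alert, depends on the score: a request that merely touches a new target gets a step-up challenge rather than a silent grant, while one that combines an unknown source host, an unfamiliar target and an off-hours timestamp, the pattern of a hijacked credential being used for lateral movement, is denied and raised to the security team. A production system would replace the hand-picked weights with a trained model and feed the decision back into the vault's session brokering, but the control flow stays the same.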
Today's cyber criminals may have sophisticated technical skills or only script-kiddie basics. Either way, by implementing a solid, identity-centric privileged access management plan based on zero trust principles, organizations can protect their critical assets from the rising tide of attacks and significantly reduce the risk of a security breach.
More at Centrify.com
About ThycoticCentrify
ThycoticCentrify is a leading provider of cloud identity security solutions that enable digital transformation at scale. ThycoticCentrify's industry-leading Privileged Access Management (PAM) solutions reduce risk, complexity and cost while protecting enterprise data, devices and code in cloud, on-premises and hybrid environments. More than 14,000 leading companies around the world, including more than half of the Fortune 100, trust ThycoticCentrify. Customers include the world's largest financial institutions, intelligence agencies and critical infrastructure companies. Whether human or machine, in the cloud or on-premises: with ThycoticCentrify, privileged access is secure.