Compromised Credentials: Everything You Need to Know

Credential compromise is when the access keys for a legitimate account are stolen and used by attackers. It represents a major risk to any resource connected to the otherwise-trusted account, and gives attackers a foothold for launching long-running and highly complex attacks.

In an attack, multiple instances of credential compromise can be strung together as the malicious actor moves from a lower-level account to an administrative one.

Spotting credential compromise is the only way to shut down an attack ahead of time.


How Do Credentials Become Compromised?

Let’s fully define credentials: most people assume they’re just the username/password combination that most services have traditionally relied on, but the world of credentials is changing rapidly.

Biometrics and passwordless access keys are becoming increasingly popular, and the rise of Multi-Factor Authentication (MFA) has given us an expanding list of options for securing accounts and data.

It also gives attackers new ways of stealing those credentials.

Behavioral Attacks

Traditionally, the most successful ways of obtaining emails and passwords have been other data breaches (which can expose emails and the occasional plaintext password) and phishing attacks.

The success of credential theft via data breach relies heavily on:

  • End users’ bad habit of reusing passwords
  • Organizations failing to change administrative credentials

Phishing emails lead victims to a fake login page. Identical to its legitimate counterpart, the fake login screen sends the entered credentials to the attacker’s own database. While both techniques are still rampant, organizations’ phishing defenses are slowing the rate of credential theft via phishing.

In their place come advances in keyloggers and brute-forcing attacks.

Technical Attacks

Keyloggers have been around for a long time: once installed, they record a user’s keystrokes and send them to a command-and-control (C2) server. It’s not just passwords that get collected: sensitive resources and internal communications can all be scraped. Brute force attacks used to be a bot blindly entering every potential combination of letters and numbers – credential stuffing – in the hope of hitting the correct combination.

Like keyloggers, however, brute force attacks have evolved…

Kerberoasting is one example of intelligent brute-forcing. The Kerberos protocol is used by Windows’ authentication service to make sure a user is allowed to access the server they’re requesting: if a user holds the Kerberos ticket’s access key, they’re granted access to that server (regardless of whether they have the email or password of an underlying account).

Kerberoasting attacks see an attacker steal these encrypted tickets and then attack their encryption keys with brute-force or dictionary-based cracking. The attacker does need an initial set of permissions to request Kerberos tickets – meaning Kerberoasting usually begins after a lower-level account has been compromised.

This makes Kerberoasting a popular option for privilege escalation.
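Because Kerberoasting starts from an already-compromised low-level account, the defender’s opportunity is the ticket requests themselves. The following is an added example, not code from the original page or from Check Point: it reads constructed records shaped like Windows Security event 4769 (“A Kerberos service ticket was requested”) and flags any account that requests tickets for unusually many distinct service principals within a short window. The window and threshold values are illustrative assumptions to be tuned against real baseline volumes.

```python
"""Flag Kerberoasting-style bursts of service ticket requests (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Fields mirror what an
# event 4769 record carries: time, requesting account, target service
# principal name (SPN) and the ticket encryption type.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01", "user": "alice",   "spn": "MSSQLSvc/db01:1433", "etype": "0x12"},
    {"ts": "2024-05-01T09:00:04", "user": "bob",     "spn": "HTTP/intranet",      "etype": "0x12"},
    {"ts": "2024-05-01T09:01:00", "user": "mallory", "spn": "MSSQLSvc/db01:1433", "etype": "0x17"},
    {"ts": "2024-05-01T09:01:01", "user": "mallory", "spn": "HTTP/intranet",      "etype": "0x17"},
    {"ts": "2024-05-01T09:01:02", "user": "mallory", "spn": "CIFS/fileserv",      "etype": "0x17"},
    {"ts": "2024-05-01T09:01:03", "user": "mallory", "spn": "ldap/dc01",          "etype": "0x17"},
    {"ts": "2024-05-01T09:01:05", "user": "mallory", "spn": "exchangeMDB/mail01", "etype": "0x17"},
    {"ts": "2024-05-01T09:30:00", "user": "alice",   "spn": "CIFS/fileserv",      "etype": "0x12"},
]

# Ticket encryption type 0x17 is RC4-HMAC; 0x12 is AES256. RC4 tickets are
# far cheaper to crack offline, so a burst of RC4 requests ranks higher.
RC4_HMAC = "0x17"


def detect_kerberoasting(events, window=timedelta(minutes=5), spn_threshold=4):
    """Return {user: finding} for accounts that request tickets for at least
    `spn_threshold` distinct SPNs inside any `window`. Both values are
    assumptions for illustration."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["spn"], e["etype"]))

    findings = {}
    for user, recs in by_user.items():
        recs.sort()
        best = None
        start = 0
        # Sliding window over this user's requests, ordered by time.
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            chunk = recs[start:end + 1]
            spns = {spn for _, spn, _ in chunk}
            if len(spns) >= spn_threshold and (best is None or len(spns) > best["distinct_spns"]):
                rc4 = sum(1 for _, _, et in chunk if et == RC4_HMAC)
                best = {
                    "distinct_spns": len(spns),
                    "rc4_requests": rc4,
                    "severity": "critical" if rc4 else "high",
                }
        if best:
            findings[user] = best
    return findings


if __name__ == "__main__":
    for user, finding in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"{user}: {finding}")
```

Tuning matters here: service accounts and monitoring tools legitimately request many tickets, so a real deployment would whitelist them or baseline per-account request rates before alerting.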

How to Detect Compromised Credentials

To detect compromised credentials, organizations use User and Entity Behavior Analytics (UEBA) systems to monitor user activity and identify unusual behaviors that may signal security threats.

UEBA solutions gather and analyze data from sources such as:

  • Network devices
  • Operating systems
  • Applications

They use this data to establish a baseline of typical user behavior over time. When activity deviates from the established pattern, it can signal credential or account compromise.

Security Information and Event Management (SIEM) platforms also play a key role in detecting compromised accounts. By collecting and analyzing security logs from across the organization, SIEM tools correlate events to flag suspicious behaviors that could indicate a breach, such as:

  • Unusual login attempts
  • Location anomalies
  • Unauthorized privilege escalations

The continuous monitoring of user accounts and authentication activities is essential for identifying potential compromises early, allowing organizations to respond swiftly to mitigate risks.
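The following added example (not code from the original page or from any UEBA or SIEM vendor) shows the two halves of this section working together: a per-user baseline of login hours, countries and privilege level built from constructed historical events, and correlation rules that score new events against it for the three behaviors listed above, plus a repeated-failure-then-success pattern. The thresholds and the two-level severity ladder are assumptions for illustration.

```python
"""Baseline-and-deviation scoring for authentication events (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history, not real logs: (user, timestamp, country, role, outcome).
HISTORY = [
    ("alice", "2024-04-01T08:55:00", "DE", "user", "success"),
    ("alice", "2024-04-02T09:02:00", "DE", "user", "success"),
    ("alice", "2024-04-03T08:48:00", "DE", "user", "success"),
    ("alice", "2024-04-04T17:30:00", "DE", "user", "success"),
    ("bob",   "2024-04-01T10:00:00", "US", "admin", "success"),
    ("bob",   "2024-04-02T10:15:00", "US", "admin", "success"),
]

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    ("alice", "2024-04-05T09:01:00", "DE", "user",  "success"),  # normal
    ("alice", "2024-04-05T03:12:00", "BR", "user",  "failure"),  # odd hour, new country
    ("alice", "2024-04-05T03:13:00", "BR", "user",  "failure"),
    ("alice", "2024-04-05T03:14:00", "BR", "user",  "failure"),
    ("alice", "2024-04-05T03:15:00", "BR", "admin", "success"),  # escalation after failures
]

# Assumed privilege ordering; higher is more privileged.
ROLE_RANK = {"user": 0, "admin": 1}


def build_baseline(history):
    """Per user: hours seen, countries seen, highest role used (successes only)."""
    base = defaultdict(lambda: {"hours": set(), "countries": Counter(), "max_rank": 0})
    for user, ts, country, role, outcome in history:
        if outcome != "success":
            continue
        b = base[user]
        b["hours"].add(datetime.fromisoformat(ts).hour)
        b["countries"][country] += 1
        b["max_rank"] = max(b["max_rank"], ROLE_RANK.get(role, 0))
    return base


def score_events(baseline, events, fail_threshold=3):
    """Return [(user, timestamp, reasons, severity)] for every flagged event."""
    findings = []
    recent_failures = Counter()
    for user, ts, country, role, outcome in events:
        b = baseline.get(user)
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            # Unusual login attempt: hour never seen for this user (1h tolerance).
            if not any(abs(hour - h) <= 1 for h in b["hours"]):
                reasons.append("unusual login hour")
            # Location anomaly: country never seen in the baseline.
            if country not in b["countries"]:
                reasons.append("location anomaly")
            # Privilege escalation: successful use of a role above the baseline.
            if outcome == "success" and ROLE_RANK.get(role, 0) > b["max_rank"]:
                reasons.append("privilege escalation")
        # Correlation across events: a run of failures followed by a success.
        if outcome == "failure":
            recent_failures[user] += 1
        elif recent_failures[user] >= fail_threshold:
            reasons.append(f"success after {recent_failures[user]} failures")
            recent_failures[user] = 0
        if reasons:
            critical = "privilege escalation" in reasons or len(reasons) >= 3
            findings.append((user, ts, reasons, "critical" if critical else "medium"))
    return findings


if __name__ == "__main__":
    for user, ts, reasons, severity in score_events(build_baseline(HISTORY), NEW_EVENTS):
        print(f"[{severity}] {user} @ {ts}: {', '.join(reasons)}")
```

The point of the severity ladder is triage: a single anomalous hour is noise for most users, while a new country, an off-hours login and a privilege jump converging on one account within minutes is the pattern that warrants immediate investigation.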

Stop Credential Compromise with Check Point Harmony

Check Point Harmony prevents password reuse and detects credential theft by combining policy-based restrictions with advanced anomaly detection.

Check Point’s Secure Browser Access policy allows administrators to prevent password reuse by defining specific corporate domains where password reuse is prohibited. After these protected domains are configured and synced with the user’s browser extension, the extension captures and locally stores a hashed version of the password (using SHA-256 with HMAC) whenever a user enters credentials for one of these designated domains.

By storing this password hash, the extension can detect if the same password is reused on a different, non-protected domain.

If password reuse is detected, the system initiates a pre-configured response, such as:

  • Logging the incident
  • Alerting the user

This approach allows for domains outside of Active Directory to be secured.
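The scheme described above can be modelled in a few dozen lines. The following is an added illustration, not Check Point’s extension code: it assumes the protected-domain list and a per-installation HMAC key arrive via policy sync (both are constructed here), stores only HMAC-SHA256 digests of passwords entered on protected domains, and compares a fresh digest whenever a password is submitted elsewhere. The HMAC key is what separates this from storing plain SHA-256 hashes, which a leaked local store would expose to dictionary attacks.

```python
"""Browser-side password reuse detection with HMAC-SHA256 (added example)."""
import hashlib
import hmac
from urllib.parse import urlparse


class ReuseDetector:
    def __init__(self, protected_domains, key):
        # Domains where corporate passwords are expected (assumed synced from policy).
        self.protected = {d.lower() for d in protected_domains}
        # Secret HMAC key; a real extension would keep it in secure storage.
        self.key = key
        # digest -> set of protected hosts on which that password was used.
        self.store = {}
        # Pre-configured responses: log the incident, alert the user.
        self.log = []

    def _digest(self, password):
        return hmac.new(self.key, password.encode("utf-8"), hashlib.sha256).hexdigest()

    def _is_protected(self, host):
        host = host.lower()
        return any(host == d or host.endswith("." + d) for d in self.protected)

    def on_submit(self, url, password):
        """Called on login-form submission. Returns the list of events raised."""
        host = (urlparse(url).hostname or "").lower()
        digest = self._digest(password)
        if self._is_protected(host):
            # Capture phase: remember the digest, never the password itself.
            self.store.setdefault(digest, set()).add(host)
            return []
        matched = self.store.get(digest)
        if not matched:
            return []
        event = {"event": "password_reuse", "domain": host, "protected": sorted(matched)}
        self.log.append(event)               # response 1: log the incident
        return [event]                       # response 2: caller alerts the user

    def forget(self, password):
        """Drop a digest, e.g. after the corporate password has been rotated."""
        self.store.pop(self._digest(password), None)


if __name__ == "__main__":
    det = ReuseDetector(["corp.example"], key=b"constructed-demo-key")
    det.on_submit("https://mail.corp.example/login", "S3cret!")
    for ev in det.on_submit("https://unrelated.example/signin", "S3cret!"):
        print(f"ALERT: corporate password reused on {ev['domain']}")
```

Matching by digest means two different corporate passwords never collide, and a password that is merely similar to the corporate one is not flagged; the check is exact reuse, which is what the policy forbids.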

To detect compromised credentials, Check Point uses an Anomaly Detection engine that identifies unusual activity patterns across legitimate users. The system builds user profiles based on login times, locations, data transfers, and email behavior to establish a baseline of typical behavior.

If a significant deviation begins to arise, each anomalous action is analyzed and assessed by severity: “critical” events signal a high likelihood of account compromise and require immediate investigation, bumping them to the top of security teams’ workflows.

It’s not just the analytical systems that are automated… 

The Harmony Email & Collaboration system can initiate alerts based on an inspection of the user’s recent emails from the last few hours. Its anti-phishing engine inspects them closely for potential phishing links or messages, and if the inspection turns up any high-risk communications, the engine can quarantine further emails or actions.

If you need the capabilities offered by this but don’t have the manpower, have a look at Check Point’s external risk management services.

This comprehensive approach, combining password reuse prevention and sophisticated anomaly detection, helps protect credentials while enabling fast response to any detected security incident. If you’re concerned about activities within your corporate network, reach out to a security expert today.
