The common image of a hacker is a hooded figure in a basement, perhaps with the infamous anonymous mask on. However, cyber attacks are actually carried out by sophisticated cyber criminals, who look like your next door neighbour and are able to cause maximum damage to a business.
From 2019 to 2020, the annual security spend per employee increased from $2,337 to $2,691 and this increase is predicted to continue. Cybersecurity breaches are on the rise, with a recent report revealing that 94% of executives experienced a business-impacting cyberattack or compromise last year and 77% are preparing for an increase in cyberattacks over the next two years.
The pandemic accelerated these cyber attacks, with 71% of UK business decision makers stating they believe a shift to remote workforce has increased the likelihood of a cyber breach. This is partially because traditional hacking methods such as decoding encryption or infiltrating firewalls are a thing of the past.
Evolving hackers mean an evolving attack journey
Today, cyber adversaries rely less on hacking – and more on simply logging in. For businesses today, compromised credentials are among the biggest security risks, with Forrester Research estimating that 80% of breaches involve weak or stolen privileged credentials. If an individual compromises a privileged account, they can roam across a network to gain access to sensitive data and cause disruption. Put simply, the anatomy of a hack is changing and pretty much anyone with access to the internet can become a hacker. Even those with no experience in the cyber world are able to hack with compromised credentials.
Understanding the attack journey
Every cyberattack varies in cause and damage. Despite this, they all contain key components that are applicable to both external and insider threats.
The tried and tested formula involves cyberattackers finding a way in, navigating the system, extracting information, and then exiting and covering their tracks. Learning these steps to understand the journey cyberattackers take will help you better protect your organisation from these kinds of attacks.
Find your way in
The first step is finding out how a hacker gets the credentials to execute their attack. Common methods include social engineering techniques, such as phishing campaigns, or simply gathering publicly available information from social media sites.
Many hackers will also purchase leaked credentials off the Dark Web. At risk are individuals who use the same/similar passwords across multiple accounts.
The reality is that this creates a scenario where the attacker is simply logging in with a known username and correct password. Without additional forms of authentication, such as a texted PIN or a fingerprint scan, even the most hardened security perimeters won’t prevent this kind of attack.
Successfully navigate the system
Once the attacker has infiltrated the system, their next step is to understand their environment. They will then move laterally, elevate their privileges and begin to access more critical infrastructure holding sensitive and more valuable data.
By looking at IT schedules, security measures and network traffic flows, hackers are able to gain a better understanding of their environment. This provides them with an accurate picture of what they’re dealing with.
Network resources, privileged accounts, domain controllers, and Active Directory are prime targets because they often have privileged credentials.
Extracting valuable data and covering their tracks
Now that they understand where to gain access to valuable data, attackers will then look for ways to further elevate access privileges in order to extract the data and cover their tracks.
They may also attempt to create a backdoor, e.g., by creating an SSH key for exfiltrating additional data in the future.
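The backdoor described above leaves a trace a defender can look for: an entry in an `authorized_keys` file that was not there at baseline. The following Python script is an added example (not code from the original article) that compares a baseline copy of an `authorized_keys` file with the currently observed copy and reports any key whose fingerprint is new, together with any options such as forced commands attached to it. The two file contents and the key material are constructed inline for the demonstration, so the blobs are not real keys; the fingerprint format (`SHA256:` plus unpadded base64 of the SHA-256 of the decoded key) is the one OpenSSH prints.

```python
import base64
import hashlib

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _fake_blob(seed: bytes) -> str:
    """Constructed placeholder key material; NOT a real public key."""
    return base64.b64encode(b"ssh-ed25519\x00" + seed.ljust(32, b"\x00")).decode()


# Constructed sample: authorized_keys content at baseline and as observed later.
BASELINE = "\n".join([
    "ssh-ed25519 " + _fake_blob(b"alice-laptop") + " alice@laptop",
    "# comment lines and blank lines are ignored",
    "",
])
OBSERVED = "\n".join([
    "ssh-ed25519 " + _fake_blob(b"alice-laptop") + " alice@laptop",
    'command="/bin/true",no-pty ssh-rsa ' + _fake_blob(b"unknown") + " backup",
    "ssh-ed25519 " + _fake_blob(b"svc"),
])


def fingerprint(blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield one dict per key line: options, type, fingerprint, comment.

    Simplification: an options field containing a quoted space is not handled.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # The key type may be preceded by an options field (command=, no-pty, ...).
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line; a real tool would log this
        yield {
            "options": " ".join(tokens[:idx]),
            "type": tokens[idx],
            "fingerprint": fingerprint(tokens[idx + 1]),
            "comment": " ".join(tokens[idx + 2:]),
        }


def detect_new_keys(baseline_text: str, observed_text: str):
    """Return the observed entries whose fingerprint is absent from the baseline."""
    known = {e["fingerprint"] for e in parse_authorized_keys(baseline_text)}
    return [e for e in parse_authorized_keys(observed_text)
            if e["fingerprint"] not in known]


if __name__ == "__main__":
    for entry in detect_new_keys(BASELINE, OBSERVED):
        flag = " (has options: %s)" % entry["options"] if entry["options"] else ""
        print("NEW KEY %s %s %r%s" % (entry["type"], entry["fingerprint"],
                                      entry["comment"], flag))
```

In practice the baseline would be taken from configuration management or a file-integrity monitor, and the check run on a schedule against every account's `authorized_keys`, with an alert on any new fingerprint.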
Protect your organisation from the most advanced hackers
Sloppy password practices and unsecured privileged access have enabled today’s hackers to wreak havoc easily. While it is still important to protect your business by creating a solid, impenetrable perimeter and investing in a well-built security team, organisations must also adjust their security strategies to match modern threats.
Companies need to discover and vault away shared privileged credentials, so they are properly managed. But vaulting isn’t enough to secure a dynamic threatscape that has been significantly expanded by digital transformation and may have rapidly changing attack surfaces such as cloud and DevOps.
Enforcing a least privilege approach based on an individual identity, whether this is human or machine, will provide extra security. Systems must also be put in place to verify who/what is requesting access and why. They must only then grant privilege to the target asset for just the minimal amount of time needed.
It is imperative that organisations:
- Apply a Zero Trust approach. This assumes that attackers are already inside the network, and therefore, no user or request should be trusted unless fully verified, and then only be granted least privilege access.
- Use Privileged Access Management best practices. Multi-factor authentication is low-hanging fruit, and should be used everywhere privilege is elevated, with access zones reinforcing this defence.
- Utilise machine learning for real-time risk awareness. Machine learning algorithms can monitor privileged user behaviour, identify abnormal and high-risk activity, and then create alerts to stop suspicious activity.
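The three points above, together with the verify-who/what/why and minimal-time requirements described earlier, can be put together in a small model of a just-in-time privilege broker. The Python below is an added example, not code from the original article or from any product: `evaluate` refuses elevation unless the identity is entitled to the target, supplies a justification and has passed MFA, and even then issues a grant capped at thirty minutes instead of standing privilege; `score_session` then plays the role of the monitoring step, flagging a privileged session that comes from an unfamiliar host, at an unusual hour, or with no active grant behind it. The entitlement table, the behaviour baselines and the session records are all constructed for the demonstration, and the scoring is a simple rule set standing in for the learned model the text refers to.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed entitlement policy (assumption): which identity, human or
# machine, may even ask for privilege on which target asset.
ENTITLEMENTS = {("alice", "db-prod-01"), ("deploy-bot", "k8s-prod")}
MAX_GRANT_MINUTES = 30  # hard cap on how long elevated privilege lasts

# Constructed behaviour baselines used by the risk scoring below.
PROFILES = {
    "alice": {"hosts": {"alice-laptop"}, "hours": range(8, 19)},
    "deploy-bot": {"hosts": {"ci-runner-1"}, "hours": range(0, 24)},
}


@dataclass
class AccessRequest:
    identity: str
    target: str
    reason: str
    mfa_verified: bool
    requested_minutes: int


@dataclass
class Grant:
    identity: str
    target: str
    starts_at: datetime
    expires_at: datetime

    def is_active(self, at: datetime) -> bool:
        return self.starts_at <= at < self.expires_at


def evaluate(req: AccessRequest, now: datetime):
    """Zero Trust style decision: verify who, what and why, require MFA for
    elevation, and issue a time-bounded grant rather than standing privilege."""
    if (req.identity, req.target) not in ENTITLEMENTS:
        return None, "identity not entitled to target"
    if not req.reason.strip():
        return None, "justification required"
    if not req.mfa_verified:
        return None, "MFA required for privilege elevation"
    minutes = min(req.requested_minutes, MAX_GRANT_MINUTES)
    grant = Grant(req.identity, req.target, now, now + timedelta(minutes=minutes))
    return grant, "granted"


def score_session(session: dict, grants: list) -> list:
    """Return the risk indicators raised by one privileged session record."""
    at = datetime.fromisoformat(session["time"])
    reasons = []
    profile = PROFILES.get(session["identity"])
    if profile is None:
        reasons.append("no behaviour baseline for identity")
    else:
        if session["host"] not in profile["hosts"]:
            reasons.append("new source host")
        if at.hour not in profile["hours"]:
            reasons.append("outside usual hours")
    if not any(g.identity == session["identity"] and g.target == session["target"]
               and g.is_active(at) for g in grants):
        reasons.append("no active just-in-time grant")
    return reasons


def run_demo() -> dict:
    """Run constructed requests and sessions through the broker and the monitor."""
    base = datetime(2021, 4, 12, 10, 0)
    requests = [  # (request, time it was made); all values constructed
        (AccessRequest("alice", "db-prod-01", "ticket INC-1234", True, 120), base),
        (AccessRequest("alice", "db-prod-01", "ticket", False, 10), base),
        (AccessRequest("mallory", "db-prod-01", "x", True, 10), base),
        (AccessRequest("deploy-bot", "k8s-prod", "release 4.2", True, 15),
         base + timedelta(minutes=50)),
    ]
    results = [evaluate(req, when) for req, when in requests]
    decisions = [msg for _, msg in results]
    grants = [g for g, _ in results if g is not None]

    sessions = [  # constructed privileged session log
        {"identity": "alice", "target": "db-prod-01", "host": "alice-laptop",
         "time": "2021-04-12T10:15:00"},
        {"identity": "alice", "target": "db-prod-01", "host": "unknown-vps",
         "time": "2021-04-12T03:40:00"},
        {"identity": "deploy-bot", "target": "k8s-prod", "host": "ci-runner-1",
         "time": "2021-04-12T11:00:00"},
    ]
    alerts = []
    for i, s in enumerate(sessions):
        reasons = score_session(s, grants)
        if reasons:
            alerts.append((i, reasons))
    return {"decisions": decisions, "alerts": alerts}


if __name__ == "__main__":
    out = run_demo()
    print("decisions:", out["decisions"])
    for idx, reasons in out["alerts"]:
        print("ALERT session %d: %s" % (idx, ", ".join(reasons)))
```

The point of keeping the grant list as the monitor's input is that a privileged session with no matching active grant is suspicious on its own, regardless of how the credential was obtained: a replayed or purchased password that logs in outside the broker never acquires a grant, so it is flagged even before any behavioural baseline is consulted.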
Ahead of Identity Management Day, we need to be discussing how businesses can use a solid identity-centric privileged access management plan based around Zero Trust principles, in order to protect against any adversary who tries to cross their path.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.