
For organizations looking to protect their IT environment, credential theft is still a top concern. Let’s go over some of the trends you need to watch out for this year.

Phishing

Phishing continues to be one of the most popular ways to steal credentials.

What is Phishing?

Phishing is a form of social engineering, which aims to manipulate people into clicking on a link or attachment. Typically, the act of clicking on the link or attachment will automatically trigger the installation of persistent malware.

The goal of phishing is often to obtain credentials, and, unfortunately, it has proven itself to be very effective at doing so. Verizon’s 2016 Data Breach Investigations Report (DBIR) identified 9,576 total phishing incidents, 916 of which resulted in confirmed data disclosure.

Marc Spitler, a researcher and co-author of Verizon’s DBIR, said that “the phishing email is being leveraged by opportunistic and targeted attacks. It is being leveraged by state affiliated groups and organized crime. It’s leveraging that human aspect of making targets interact with a link or, more often, an email attachment.”

The Current State of Phishing

PhishLabs’ 2017 Phishing Trends & Intelligence Report revealed several key findings about today’s threat landscape.

The U.S. is by far the most targeted country in the world, accounting for 81 percent of attacks. And, when it comes to who’s being targeted, more than 91 percent of phishing attacks were aimed at one of five major industries:

  1. Financial institutions
  2. Cloud storage/file hosting services
  3. Webmail/online services
  4. Payment services
  5. Ecommerce companies

While attacks against financial institutions have declined, attacks against cloud storage services have spiked significantly. If this trend continues, it is likely that the number of attacks on cloud storage services will surpass the number of attacks on financial institutions.

According to PhishLabs, this change is occurring because cyber criminals are evolving their tactics to make their jobs easier and to take advantage of ease-of-use features built into many websites.

PhishLabs also cites three factors which serve to motivate phishing threat actors:

  1. Immediate Account Takeover – Stealing money from an account or selling access to an account in an underground market.
  2. Credential Proliferation – Attacking targets using generic credentials (e.g., email accounts), which allows for more efficient collection that can then be used to attack secondary targets on a larger scale.
  3. Data Diversification – Collecting comprehensive information about a victim that can be used to commit other crimes, such as identity theft or tax fraud, or sold for more money in the underground economy.

One of the largest vulnerabilities in the phishing ecosystem is the practice of using email addresses as account credentials. This practice allows cybercriminals to easily evade the anti-phishing measures set up by email providers, and enables attackers to quickly target multiple online services at once.

Once an attacker has gained access to account credentials, they can multiply their financial gain either by taking over more than one insecure account or by selling those credentials on the black market.

If an attacker wishes to begin phishing, all they must do is download a phish kit, which contains all the necessary components to create a phishing site. In 2016, PhishLabs collected more than 29,000 phish kits targeting over 300 different organizations.

More than a third used anti-detection techniques, including 22 percent that utilized mechanisms to restrict access and 29 percent that used techniques to evade browser-based blocking.

Alarmingly, PhishLabs also found that phish kit authors are more likely to distribute their kits for free than they are to sell them for a direct profit.

Active Directory

Active Directory (AD) remains the main source of authentication for more than 90 percent of organizations. Despite this, many organizations inadvertently leave their AD largely unprotected.

What is Active Directory?

Active Directory is a central hub that controls access to IT systems, users, computers, apps and more.

Why Active Directory is Important

Since the AD contains the “keys to the kingdom,” this should mean that it is heavily guarded at all times. However, that’s not usually the case.

According to Verizon’s DBIR (linked to earlier), 63 percent of confirmed data breaches involved leveraging weak, default or stolen passwords.

Because AD is often viewed as a utility rather than a powerful access point, it’s often left far less protected than other components within an organization’s IT network. This makes AD a prime target for cybercriminals, who can download malicious tools from easily accessible sites like GitHub.

These are just a few of the free hacking tools which are currently available:

  • Mimikatz: Allows hackers to view credential information.
  • BloodHound: Quickly identifies hidden attack paths within Active Directory.
  • PowerSploit: A suite of tools which helps hackers conduct recon, exploit weaknesses, gain dominance and exfiltrate data.

Why Active Directory is Vulnerable

Our extensive assessments revealed some crucial facts about AD security.

  1. Over 50 percent of the organizations we assessed permitted high-security accounts to perform low-security tasks. Thus, any attacker who successfully accessed an administrator’s account would immediately obtain elevated rights.
  2. While multi-factor authentication (MFA) is one of the most effective ways to reduce the weakness of single-password protection, more than 25 percent of organizations don’t use MFA.
  3. A great number of organizations aren’t aware of Microsoft’s recommendation to build an Enhanced Security Administrative Environment (ESAE). Because of this, none of the organizations we assessed did so.

Those vulnerabilities don’t just make AD an easy target for outside attackers, however. Quest’s Azure Active Directory and Office 365 Security white paper revealed that not all AD security threats come from external cybercriminals.

Consider this plausible scenario:

  1. Mary, Sam’s new colleague, forgets the service account password used to run a financial application across several Windows servers. She asks Sam to delegate her rights to reset passwords.
  2. Sam uses the built-in Active Directory Users and Computers snap-in delegation wizard to delegate access to Mary to reset passwords on the organizational unit (OU) containing the service account. It does not occur to Sam that the OU also contains other service accounts and administrative accounts (members of the domain admins groups). Nor does it occur to him that he is granting Mary much more access than she needs to accomplish the immediate task.
  3. Mary resets the password on the finance application service account.
  4. Mary realizes she can also reset the passwords to other elevated admin accounts. She resets a privileged admin account password.
  5. She logs on with the admin account and grants her secondary account permissions to be able to make group membership changes across any group in AD.
  6. She uses her delegated rights to add her secondary account to the finance operations group within the company’s on-premises AD.
  7. Like many other groups, the finance operations group membership in the on-premises AD is synchronized to Azure Active Directory to grant access to the company’s Office 365 applications. In this case, the group membership provides access to Sarbanes-Oxley (SOX) financial data in Office 365 SharePoint Online documents.
  8. Mary becomes curious. She discovers that she has access to confidential financial information on the company’s Office 365 SharePoint Online.
  9. She opens folders, finds a file named AcquisitionsPending.docx, opens it and takes screenshots. This file contains information about the proposed acquisition of a publicly traded competitor.
  10. Mary uses this insider knowledge to purchase 10,000 shares of the acquisition target company. Three months later, the acquisition goes through. Mary sells her shares and makes a 30 percent gain.
  11. An SEC investigation ensues, embroiling the company’s legal, finance and compliance teams for months. Mary is eventually prosecuted for insider trading, but the damage to the company’s reputation lingers.
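A defender-side check for the delegation mistake in step 2, added here as an example that is not part of the original post or Quest’s white paper: it lists which non-default principals have been delegated Reset Password on an OU and which AdminSDHolder-protected admin accounts or service accounts sit beneath that OU, so the two can be compared before the wizard is ever run. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and uses a hypothetical OU distinguished name.

```powershell
# Added example, not code from the original post or from Quest. Assumes the RSAT
# ActiveDirectory module and a hypothetical OU distinguished name at the bottom.
Import-Module ActiveDirectory

# Schema GUID of the "Reset Password" (User-Force-Change-Password) extended right.
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
# Trustees that hold this right by default; anything else is reported.
$ExpectedTrustees  = '^(NT AUTHORITY\\(SYSTEM|SELF)|BUILTIN\\Administrators|.+\\(Domain|Enterprise) Admins)$'

function Get-ResetPasswordTrustees {
    # Every Allow ACE on the OU that lets a non-default principal reset passwords beneath it.
    param([Parameter(Mandatory)][string]$OuDn)
    $ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($ext) -and          # GenericAll carries this flag too
        ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [guid]::Empty) -and
        $_.IdentityReference.Value -notmatch $ExpectedTrustees
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

function Get-SensitiveAccountsInOu {
    # Accounts an over-broad delegation would expose: AdminSDHolder-protected admins
    # (adminCount=1) and service accounts (any SPN), the same mix as the OU in the scenario.
    param([Parameter(Mandatory)][string]$OuDn)
    Get-ADUser -SearchBase $OuDn -LDAPFilter '(|(adminCount=1)(servicePrincipalName=*))' `
               -Properties adminCount, servicePrincipalName |
        Select-Object SamAccountName,
            @{ Name = 'Protected'; Expression = { $_.adminCount -eq 1 } },
            @{ Name = 'Service';   Expression = { [bool]$_.servicePrincipalName } }
}

function Invoke-OuDelegationAudit {
    param([Parameter(Mandatory)][string]$OuDn)
    $trustees = @(Get-ResetPasswordTrustees -OuDn $OuDn)
    $exposed  = @(Get-SensitiveAccountsInOu -OuDn $OuDn)
    if ($trustees.Count -gt 0 -and $exposed.Count -gt 0) {
        Write-Warning ('{0}: {1} delegated principal(s) can reset {2} privileged/service account(s)' -f
                       $OuDn, $trustees.Count, $exposed.Count)
        $trustees | Format-Table -AutoSize
        $exposed  | Format-Table -AutoSize
    } else {
        Write-Output "${OuDn}: no reset-password delegation reaches a sensitive account."
    }
}

# Hypothetical OU; replace with the OU you are about to delegate on.
Invoke-OuDelegationAudit -OuDn 'OU=Service Accounts,DC=example,DC=com'
```

If the audit warns, the fix is to move the protected and service accounts into separate OUs (or delegate on a narrower OU) before granting Mary the reset right.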

As Verizon’s DBIR, PhishLabs’ report, Quest’s white paper, and our own assessments have shown, protection against credential theft should be a major priority for all organizations in 2017.

To learn more about how you can protect your Active Directory and prevent your organization’s credentials from falling into the wrong hands, download our eBook here.