US CISA Finds Valid Credentials Used in Half of Analyzed Attacks
The U.S. federal government says abuse of valid credentials is the most successful method attackers use to gain access to systems, accounting for slightly more than half of the successful intrusions it analyzed over a yearlong period.
The Cybersecurity and Infrastructure Security Agency attributes 54% of successful attacks to valid accounts, blaming poor employee offboarding processes that leave valid but dormant accounts lingering in Active Directory, along with administrator accounts still using default credentials. The agency on Wednesday released a report summarizing its findings from more than 120 risk and vulnerability assessments of organizations across the critical infrastructure sectors, conducted between October 2021 and September 2022.
“The fact that more than half of cyberattacks come from legitimate accounts shows that it’s a fallacy that if organizations get user identity and authentication right, they will be secure,” said Gary Barlet, federal CTO at Illumio.
Spear-phishing, the social engineering technique of prodding victims into clicking on a malicious link or opening a malware-laced attachment, worked about one-third of the time, CISA says.
When attempting to gain entry to networks or systems, threat actors often look for the path of least resistance, and the findings from this report support that belief, said Jordan Rae Kelly, senior managing director and Americas head of cybersecurity at FTI Consulting.
Kelly told Information Security Media Group that cyberattacks do not have to rely on sophisticated techniques in order to be successful. Basic tactics such as stealing credentials, especially from accounts that are not actively monitored or that do not follow best practices such as frequently changing passwords, can be an easy access point.
“Similarly, default credentials used on administrator accounts serve as another simple way for threat actors to achieve their goals. Gaining access is often the first step in launching more malicious attacks, through escalating privileges or discreetly monitoring activity. This emphasizes why it is vital to get the basics right when it comes to cybersecurity,” Kelly said.
It’s not surprising that the report found that even advanced attackers will leverage fairly common methods to initiate a compromise, said Dan Kennedy, principal research analyst with S&P Global Market Intelligence. There’s little reason to invest in advanced tactics when straightforward phishing or default credential usage will provide an entry point for their attacks, he said.
The report does reveal some encouraging news. Network defenses blocked 13% of spear-phishing attempts, and endpoint defenses blocked 78% of malicious links or attachments.
Once inside, threat actors maintain persistence in a target network by changing credentials or system configurations to suit their own needs.
Kennedy said updating decommissioning checklists and scripts for IT to execute when an employee departs helps address part of this problem.
“We have to leverage both technical and process-driven approaches, including single sign-on or reduced sign-on, centralized identity management, and reporting to see an employee’s access across multiple applications – and flag those with no use or unusual usage,” Kennedy said.
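The kind of report Kennedy describes, and the dormant and default-credential accounts the CISA findings point to, can be produced with a short audit over a directory export. The following is an added illustration, not code from CISA or from any of the people quoted, and the record format, field names and sample accounts are hypothetical; in a real environment the records would come from a directory or identity-provider export joined against the HR system's employment status.

```python
"""Flag the identity hygiene gaps the article describes: accounts still enabled
after an employee departs, enabled accounts nobody has signed into for a long
time, and built-in administrator accounts whose password has never been
changed since the account was created.

Added example, not code from CISA or the people quoted. The record layout is a
hypothetical directory export; in practice feed it from Get-ADUser, an IdP API,
or an HR-system join.
"""
from datetime import date, timedelta

# Constructed sample records (hypothetical; not taken from the CISA report).
# last_logon is None when the account has never authenticated.
SAMPLE_ACCOUNTS = [
    {"name": "jdoe", "enabled": True, "employment_status": "active",
     "last_logon": "2022-09-01", "created": "2019-03-02",
     "password_last_set": "2022-06-15", "is_builtin": False},
    {"name": "asmith", "enabled": True, "employment_status": "terminated",
     "last_logon": "2022-03-10", "created": "2018-01-10",
     "password_last_set": "2021-12-01", "is_builtin": False},
    {"name": "svc_legacy_backup", "enabled": True, "employment_status": "n/a",
     "last_logon": "2021-11-20", "created": "2016-07-01",
     "password_last_set": "2016-07-01", "is_builtin": False},
    {"name": "Administrator", "enabled": True, "employment_status": "n/a",
     "last_logon": "2022-08-30", "created": "2017-05-05",
     "password_last_set": "2017-05-05", "is_builtin": True},
    {"name": "Guest", "enabled": False, "employment_status": "n/a",
     "last_logon": None, "created": "2017-05-05",
     "password_last_set": "2017-05-05", "is_builtin": True},
]


def _to_date(value):
    """Parse an ISO date string from the export; None stays None."""
    return date.fromisoformat(value) if value else None


def audit_accounts(accounts, as_of, dormant_days=90):
    """Return a list of (account_name, finding) tuples.

    Disabled accounts are skipped: they cannot be used for the valid-account
    access the report describes, although they should still be deleted on a
    schedule so they cannot be quietly re-enabled.
    """
    cutoff = as_of - timedelta(days=dormant_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        name = acct["name"]
        last_logon = _to_date(acct["last_logon"])
        created = _to_date(acct["created"])
        pwd_set = _to_date(acct["password_last_set"])

        # Offboarding gap: HR says the person has left, the account still works.
        if acct["employment_status"] == "terminated":
            findings.append((name, "enabled account belongs to a departed employee"))

        # Dormancy: no authentication inside the window, or never.
        if last_logon is None or last_logon < cutoff:
            findings.append((name, f"no logon in the last {dormant_days} days"))

        # Default-credential heuristic: a built-in account whose password was
        # set when the account was created and never rotated since.
        if acct["is_builtin"] and pwd_set is not None and pwd_set <= created:
            findings.append((name, "built-in account password unchanged since creation"))
    return findings


def run_sample_audit(as_of_iso="2022-09-30", dormant_days=90):
    """Audit the constructed sample as of a fixed date so results are repeatable."""
    return audit_accounts(SAMPLE_ACCOUNTS, date.fromisoformat(as_of_iso), dormant_days)


if __name__ == "__main__":
    for account, finding in run_sample_audit():
        print(f"{account}: {finding}")
```

The password-age check is only a heuristic for the default-credential problem: a rotated-but-weak password passes it, so it complements rather than replaces an actual test of known default credentials against the account. Each finding should map to a decommissioning or rotation task, which is how the report output turns into the process step Kennedy describes.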
Grant Schneider of Venable, who is an ISMG contributor, advocates implementing multifactor authentication for all accounts and maintaining good offboarding processes. “The report reinforces the importance of doing the basics of cybersecurity every day,” Schneider said.