Reducing the blast radius of credential theft

Cybersecurity has come to be defined by identity, with almost every attack today revolving around gaining control of a user’s identity as a means of accessing critical data and systems. Verizon’s latest data breach report found that credentials are the most sought-after form of data.

As we have repeatedly seen, a single set of compromised credentials can be enough to infiltrate an organization and drop a virtual bomb in its network.

The Colonial Pipeline ransomware attack was made possible with just one set of credentials. More recently, the ransomware and data theft attack on Planned Parenthood also seems to have started with a compromised account.

So how can enterprises limit the blast radius of a stolen identity?

Why AD is the key to identity attacks

Aside from unsophisticated “smash and grab” style data thefts and ransomware attacks, the initial credential theft is only the beginning. Cybercriminals seek to escalate their privileges before executing their attack so that they can maximize the impact and potential spoils.

Most firms now employ strategies like identity access management (IAM) and privileged access management (PAM) to authenticate user identities. But they must also look beyond this to protect the very mechanisms that govern identification.

The most important of these is Active Directory, the beating heart at the center of every organization that handles the bulk of its identity management processes.

AD is an essential asset for the attacker as they can query it to locate privileged accounts such as domain admins with the access levels needed to continue their escalation. The cybercriminal community has developed a multitude of techniques to access and exploit AD, including Golden Ticket attacks, Kerberoasting, and Windows Security Identifier (SID) history injection.

Compromising AD makes it far easier for the intruder to locate and access a powerful account such as a domain controller. At this point, the situation is dire indeed for the target organization, as the attacker gains practically unlimited access to critical data and systems, as well as the ability to erase their tracks to maintain persistence.

AD has also become a popular target for disruptive ransomware attacks. Encrypting AD causes tremendous disruption and increases the likelihood of the victim paying the ransom to restore access.

Diffusing the attacker’s bomb before it can go off

Most cybersecurity strategies are naturally defensive and, therefore, reactive. The traditional approach has been to set up as many layers of security as possible and hope that it is enough to stop an attacker or, at least, slow them down long enough to catch them before they cause too much damage.

Many firms that have suffered a breach believed they were doing everything right, with a good security team and multiple tools such as EDR focused on keeping intruders out. However, these defense layers were often bolted to the outside rather than applied to core business systems.

The rising volume and cost of breaches make it clear this reactive approach is no longer enough. Attackers are consistently able to exploit user identities to reach deep within the network and execute their strike at the time and place of their choosing.

So instead, organizations need to take the fight to the attackers. This strategy calls for a more proactive approach that seeks to disrupt the attacker’s toolkit and prevent them from executing their attack. It’s almost impossible to stop attackers from acquiring stolen credentials, but this is meaningless if identity misuse can be detected and stopped before the attacker can strike.

Protecting the mechanisms of identity

Deceptive tactics offer one effective way of disrupting the attacker and buying time for security teams to move in and diffuse their virtual bomb. Deception has become more widespread in recent years, often taking the form of lures placed within the network that mimic real files. These can resemble AD and other critical assets sought by attackers and have the dual purpose of both throwing them off the scent of the real thing and triggering a security alert.

Firms can also take things a step further by combining deceptive lures with a cloaking approach that hides the real assets from sight. Threat actors rely on automated tools like Bloodhound to sniff out targets such as AD for them, and they aren’t used to the idea of these toolkits failing them. They will have little idea they are going astray when their tools miss the hidden targets and get diverted by convincing decoys.

The key to success is detecting when credential theft and abuse occur. If organizations can recognize when certain identities access the network illegitimately, they can respond and stop the attack in its tracks. The sooner in the attack cycle this occurs, the smaller the blast radius will be.