Corporate account takeover attacks and prevention
Corporate account takeover is a form of identity theft, wherein an unauthorized entity steals and assumes an employee’s digital identity, to perform actions on behalf of that user, while remaining undetected. The popularity of corporate account takeover attacks lies in their afforded safeguards for bad actors. The stolen identity of a trusted entity makes compromise extremely difficult to detect, which delays response times. Additionally, attackers that assume a trusted identity also inherit the authorizations of that identity, exposing the sensitive information that the compromised employee has access to while facilitating the opportunity to escalate privileges and move laterally throughout the targeted environment.
Corporate account takeover attacks
Bad actors use these tactics to establish an initial foothold in the environment they’re targeting. By taking over an account, the attacker has an opportunity to act as that user, download sensitive information that the compromised account has access to, pivot to other systems, and elevate privileges.
The attacks discussed throughout this article have a few commonalities; they tend to exploit habitual human behavior and decision-making.
Have you ever received a phone call where you knew the individual on the other end was not authentic? How about an email with an attachment or link that was illegitimate? If you’re unable to answer “yes” to the proceeding questions, you’ve likely fallen victim to social engineering. This human-based attack vector exploits the decision-making process by influencing a person to act in a certain way. Often, these attacks require less time and effort than exploiting system vulnerabilities.
The truth is, many organizations are focused on preventing the adversary from exploiting software flaws and misconfigurations within their technical infrastructure, but what about flaws that fall outside the scope of technology? What about the trusted workforce that already has access to their network?
Phishing is a social engineering technique used by cyber adversaries wherein the attacker attempts to acquire sensitive information (e.g., user credentials) using fraudulent email communications that appear to originate from an authentic source. Attackers use phishing to take aim at unsuspecting victims using creative methods to disguise their communications.
Targeted phishing attacks have become more prevalent with the advent of social media. With the enormous amount of public information available on social media platforms, attackers can heavily customize phishing attempts to the victim’s interests and emotions, which increases the likelihood of exploitation. These heavily targeted attempts are known as spear phishing. These communications are tailored to the victim, keying on their interests and emotions to bate them into providing sensitive information or executing malicious code.
What can you find about yourself on the internet? Can you see your password on your social media account? How about in the “About” section of your Facebook page? People tend to formulate passwords that are easy for them to remember. Favorite food, favorite sport, favorite season, and maiden name are a few common examples that people use to model their password. Even complex passwords can be insecure, as people often dedicate the same password across multiple platforms. If one platform is compromised and the individual’s password is obtained, it can be used to authenticate elsewhere. For these reasons, single-factor password-based authentication tends to be weak and risky.
Brute force attacks
Brute force password attacks attempt to uncover a password by guessing all possible combinations. The time it takes to crack a password is largely dependent on the password’s complexity and predictability and the resources (e.g., computing power) at the attacker’s disposal. Malicious doers often perform preliminary intelligence gathering into their targets using public sources (e.g., social media accounts, business websites, etc.) to develop a list of dictionary words. They then use password cracking tools to automate guessing attempts based on the list of words, trying all possible combinations. This variant of brute force attack, known as a dictionary attack, assumes that the target uses some variation of dictionary word and can decrease the time and effort that it takes to successfully brute force a user’s password.
As previously stated, people tend to use the same password across multiple platforms. Why is this dangerous? Well, cyber breaches have become a common occurrence. Credential Stuffing attacks use the information obtained from previous breaches to inject username and password combinations to gain access to a target’s account.
Defining common mitigations
It is important to note here that there is no such thing as absolute security, and there will always be a residual risk. Let’s dive into some routine mitigations that reduce the likelihood and impact of a compromise.
Implementing the principle of least privilege
With today’s threat landscape, the realization of compromise should be assumed. This reality requires an increased focus on limiting the impact of cyber incidents. One way to limit this impact is to prioritize the principle of least privilege, where the focus is on supplying users and programs with the access needed to complete their assigned tasks, and nothing more. This supports the “never trust, always verify” vision of a Zero Trust Architecture.
In the context of corporate account takeover, an organization that implements the least privilege principle limits the authorizations awarded to a successful attacker, and reduces the attacker’s ability to move laterally within the environment.
Requiring awareness & training
As previously stated, attackers thrive on ordinary human behaviors. A few examples of common user habits are listed below:
- Leveraging the same password for multiple (or all) accounts.
- Storing passwords in clear text digital documents or writing passwords down.
- Clicking links within emails before verifying the sender of the email and authenticity of the link.
- Willingness to help others that are in need.
Awareness and training programs are critical in helping employees understand the techniques used by modern threat actors, thus changing these common behavioral patterns.
When it comes to passwords, training can only take you so far. A breached password detection service can find and prevent leaked passwords from being used in your environment. See how many Active Directory accounts are using pwned passwords with Specops Password Auditor (free tool!).
Applying a Defense-in-Depth Strategy
A Defense-in-Depth strategy applies security countermeasures using a layered approach. The focus is to stack protections that mitigate attacks not caught by a previous line of defense.
An organization that enforces Multi-Factor Authentication reduces the risk of credential compromise by layering the protection provided by a single-factor password (something you know) with an additional factor (e.g., something you have). If an employee’s credentials are compromised, the second authentication factor prevents the adversary from using the credentials because they do not have access to both authentication factors.
Sound security processes and employee awareness and training can help reduce the likelihood of attacker success, but compromise is only one unsuspecting user away. It is always best to assume that a breach will occur, so the additional focus should be on limiting the breach’s impact using a combination of least privilege implementation and a defense-in-depth strategy.
(Last updated on January 17, 2022)