Future of Credential Theft

Josh Raduka, Senior Consultant, SecureITsource, Inc.

Over the past few years, countless organizations have suffered cyber-attacks that led to headline-making data breaches. Organizations across every sector, from financial services and healthcare to government and retail, fell victim to breaches and leaks through weak or stolen credentials. According to Verizon's 2017 Data Breach Investigations Report, the share of hacking-related breaches that leveraged weak or stolen credentials jumped from 63% in the 2016 report to a staggering 81% in 2017, with privilege misuse representing 96% of all data breaches. The credential abuse took many forms, including malware and social engineering techniques. Now, in March 2018, which paths will credential attacks go down next?

The Questions:

While there is no doubt credential abuse will continue to rise, the questions posed here are:

What is the future of the credential theft?

Will the targets of the attacks change?

The Answers:

As organizations continue migrating toward hybrid cloud and DevOps-style environments, privileged credentials will remain the target of attacks, but the identity landscape is where we are beginning to see new formations. New formations mean a larger attack surface, and an attractive one to the lurking attacker. Security teams in every organization must adapt and be equipped to establish trust in the "what" as well as the "who". Identities now entering the environment include those of machines, containers, applications, systems, and even microservices.

Take a machine identity. Instead of leveraging a privileged credential owned by a human member of the Domain Admins group, an attacker can impersonate a machine to keep a low profile. That machine could be responsible for committing code, whether a critical security policy or the source of a home-grown application, to an automation server. Compromise that machine and the attacker holds a ticket into your Continuous Integration / Continuous Delivery (CI/CD) pipeline, free to inject malicious code, steal intellectual property, or wreak havoc across the environment. A human user's account taking the same actions might have triggered alarms, but because the machine identity has broader, always-on access and is monitored far less closely, the activity goes unnoticed. All identities should be treated equally and given the security controls needed to detect and prevent theft. Behavioral baselining of machine identities, including machine-learning-based anomaly detection, is one control that could help stop these attacks.
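The kind of detective control the paragraph above argues for, shown as an added example that is not SecureITsource's or CyberArk's code: each machine identity gets a baseline of the hosts it acts from and the actions it performs, and any event outside that baseline (or any human-style action such as an interactive logon) is flagged. The baseline, the log format, the field names and the log lines are all constructed for the example.

```python
"""Baseline-deviation check for machine identities in auth and CI logs.

Added example (not SecureITsource's or CyberArk's code). The baseline, the
log format and the field names are assumptions; the log lines are constructed.
"""
from datetime import datetime

# Constructed baseline: for each machine identity, the hosts it normally acts
# from and the actions it is expected to perform. In practice this would be
# learned from history, which is where machine learning earns its keep.
BASELINE = {
    "svc-jenkins": {"hosts": {"build01", "build02"},
                    "actions": {"git_push", "artifact_upload"}},
    "svc-backup": {"hosts": {"bkp01"}, "actions": {"file_read"}},
}

# Actions a machine identity has no business performing at all.
HUMAN_ONLY_ACTIONS = {"interactive_logon", "rdp_logon", "password_change"}

# Constructed log lines: "<ISO timestamp> <identity> <source host> <action>".
SAMPLE_LOG = [
    "2018-03-05T02:10:00 svc-jenkins build01 git_push",
    "2018-03-05T02:11:00 svc-jenkins build02 artifact_upload",
    "2018-03-05T14:32:00 svc-jenkins ws-jdoe-laptop interactive_logon",
    "2018-03-05T14:35:00 svc-jenkins ws-jdoe-laptop git_push",
    "2018-03-05T23:00:00 svc-backup bkp01 file_read",
    "2018-03-06T03:00:00 svc-backup dc01 password_change",
    "2018-03-06T09:00:00 jdoe ws-jdoe-laptop interactive_logon",
]


def parse_line(line):
    ts, identity, host, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "identity": identity,
            "host": host, "action": action}


def find_anomalies(lines, baseline=BASELINE):
    """Return one finding per log line where a machine identity steps outside
    its baseline. Each finding carries the reasons so an analyst can triage."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        profile = baseline.get(ev["identity"])
        if profile is None:
            continue  # human or unknown identity: covered by other rules
        reasons = []
        if ev["action"] in HUMAN_ONLY_ACTIONS:
            reasons.append("human-style action by machine identity")
        elif ev["action"] not in profile["actions"]:
            reasons.append("action outside baseline")
        if ev["host"] not in profile["hosts"]:
            reasons.append("unexpected source host")
        if reasons:
            findings.append({"ts": ev["ts"].isoformat(),
                             "identity": ev["identity"],
                             "host": ev["host"], "action": ev["action"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_LOG):
        print(f"{f['ts']} {f['identity']}@{f['host']} {f['action']}: "
              + "; ".join(f["reasons"]))
```

On the constructed log the check raises three findings: the interactive logon of the Jenkins service account from a laptop, the git push from that same laptop (the pipeline-injection step), and the password change by the backup account on a domain controller. The human user's own interactive logon is deliberately ignored here; a machine identity doing the same thing is the signal.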

Another area with a growing attack surface is keys: not just SSH keys, but API keys and cloud access keys. As CyberArk puts it, these are the "keys to the cloud kingdom", and they are being spun up all over the DevOps pipeline with access to all sorts of cloud resources. AWS, Google Cloud, and Azure each have their own form of them. Poorly managed privileged keys are prime real estate for an attacker. Orchestration tools, scripts, and processes often have these keys embedded, and the keys are never rotated because of the risk of an outage, a speed bump in the pipeline, or plain neglect. Manually creating, rotating, and distributing keys is hard, so automation is vital if organizations are to manage keys securely and accurately, remove the human error factor, and keep up with the speed of the CI/CD pipeline. The OneLogin breach of May 2017 is an example of an attack in which such keys were leveraged: an attacker gained unauthorized access to a set of AWS keys, used them against the AWS API, and stole customer data. Security teams need to ensure embedded keys are not an option for developers and scripters; instead, keys should be stored in and retrieved from a secrets management solution such as CyberArk Conjur or the Enterprise Password Vault (EPV).
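Two checks a security team can automate for the problems described above, as an added example that is not CyberArk's or SecureITsource's code: a scanner that finds cloud keys embedded in scripts and configuration, and a rotation check over a key inventory. The key-ID formats used are the published ones (AWS access key IDs begin with AKIA, Google API keys with AIza); the secret-assignment rule is a heuristic on variable names. The sample script and the key inventory are constructed, and the inventory only mimics the shape of `aws iam list-access-keys` output.

```python
"""Find cloud keys embedded in scripts and flag keys overdue for rotation.

Added example, not CyberArk's or SecureITsource's code. Key-ID formats are the
published ones; the secret-assignment rule is a heuristic on variable names.
The sample script and key inventory are constructed.
"""
import re
from datetime import datetime, timedelta

KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    # Heuristic: a secret-looking variable assigned a long literal.
    "secret_assignment": re.compile(
        r"(?i)\b(aws_secret_access_key|secret|token|api_key)\s*[=:]\s*"
        r"['\"]?([A-Za-z0-9/+=_-]{20,})"),
}

# Constructed deploy script with credentials baked in (the AWS values are
# Amazon's documented placeholder keys, not live credentials).
SAMPLE_SCRIPT = """#!/bin/bash
# deploy.sh - pushes the build to the production bucket
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GOOGLE_KEY="AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q"
aws s3 sync ./build s3://prod-bucket
"""


def find_embedded_keys(text, filename="<stdin>"):
    """Scan text line by line; return one finding per matched credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in KEY_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"file": filename, "line": lineno,
                                 "kind": kind, "match": m.group(0)})
    return findings


# Constructed key inventory: one record per access key, as an IAM listing
# would give it. The "as of" date is fixed so the example is reproducible.
AS_OF = datetime(2018, 3, 1)
KEY_INVENTORY = [
    {"user": "deploy-bot", "key_id": "AKIAIOSFODNN7EXAMPLE",
     "created": datetime(2017, 1, 15), "status": "Active"},
    {"user": "deploy-bot", "key_id": "AKIAI44QH8DHBEXAMPLE",
     "created": datetime(2018, 2, 20), "status": "Active"},
    {"user": "old-script", "key_id": "AKIAEXAMPLE000000000",
     "created": datetime(2017, 6, 1), "status": "Inactive"},
]


def stale_keys(inventory, now=AS_OF, max_age_days=90):
    """Return active keys older than the rotation policy allows."""
    cutoff = now - timedelta(days=max_age_days)
    return [k for k in inventory
            if k["status"] == "Active" and k["created"] < cutoff]


if __name__ == "__main__":
    for f in find_embedded_keys(SAMPLE_SCRIPT, "deploy.sh"):
        print(f"{f['file']}:{f['line']} {f['kind']}: {f['match']}")
    for k in stale_keys(KEY_INVENTORY):
        print(f"rotate {k['key_id']} ({k['user']}), "
              f"created {k['created'].date()}")
```

Run as a pre-commit or pipeline gate, the scanner turns "embedded keys are not an option" into something enforced rather than requested; the rotation check is the complement for keys that already exist, listing those an automated rotation job should replace. The fix for every hit is the same: remove the literal and have the script fetch the credential at run time from the vault.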

The final future trend for credentials falls under what is known as Security as a Target (S.a.a.T): attacks in which security personnel, security controls, and security services themselves are used to compromise an organization's network. Authentication services such as SSO and two-factor authentication will increasingly be in the spotlight if they do not evolve defensively. Plenty of popular attacks already target Kerberos authentication, such as Kerberoasting of service-account tickets and forged Golden and Silver Tickets. A compromise of the authentication service is an attacker's dream and a catastrophe for every identity that depends on it, and in an environment where identities are multiplying, this becomes a real threat. On the defensive side, blockchain-based authentication could be widely introduced as a key player. After all, it promises a trusted, tamper-evident record of transactions and improved privacy. Big players like IBM and Microsoft have already started to dabble with blockchain, so there is a chance it will catch on at larger scale. Many remain skeptical that identity management (IDM) will get a full taste of blockchain, but we can only wait and see what the future holds!
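One way to watch the authentication service itself for the Kerberos attacks mentioned above, as an added example that is not SecureITsource's code: Kerberoasting shows up in the domain controller's security log as one account requesting service tickets (Windows Event ID 4769) for many different service accounts in a short window, usually with the RC4 encryption type (0x17) so the tickets can be cracked offline. The records below are constructed, reduced to the 4769 fields the check needs, and the field names are assumptions.

```python
"""Spot Kerberoasting-style bursts of RC4 service-ticket requests.

Added example, not SecureITsource's code, built on the well-known
Kerberoasting pattern. The 4769 records below are constructed and the field
names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; AES128/AES256 are 0x11/0x12

# Constructed 4769 records: time, requesting account, target service account,
# ticket encryption type, client address.
SAMPLE_4769 = [
    {"time": "2018-03-05T10:00:01", "account": "jdoe@CORP.LOCAL",
     "service": "svc_sql", "etype": "0x17", "ip": "10.0.5.23"},
    {"time": "2018-03-05T10:00:02", "account": "jdoe@CORP.LOCAL",
     "service": "svc_web", "etype": "0x17", "ip": "10.0.5.23"},
    {"time": "2018-03-05T10:00:02", "account": "jdoe@CORP.LOCAL",
     "service": "svc_backup", "etype": "0x17", "ip": "10.0.5.23"},
    {"time": "2018-03-05T10:00:03", "account": "jdoe@CORP.LOCAL",
     "service": "svc_sharepoint", "etype": "0x17", "ip": "10.0.5.23"},
    {"time": "2018-03-05T10:00:04", "account": "jdoe@CORP.LOCAL",
     "service": "FS01$", "etype": "0x12", "ip": "10.0.5.23"},
    {"time": "2018-03-05T10:05:00", "account": "asmith@CORP.LOCAL",
     "service": "svc_sql", "etype": "0x17", "ip": "10.0.7.9"},
    {"time": "2018-03-05T11:00:00", "account": "asmith@CORP.LOCAL",
     "service": "svc_web", "etype": "0x17", "ip": "10.0.7.9"},
]


def kerberoast_suspects(events, window=timedelta(minutes=5), min_services=3):
    """Return {account: sorted services} for accounts that requested RC4
    service tickets for at least min_services distinct service accounts
    within one window."""
    requests = defaultdict(list)
    for ev in events:
        if ev["etype"] != RC4_HMAC:
            continue  # AES tickets are not the Kerberoasting signal
        if ev["service"].endswith("$"):
            continue  # computer accounts have long random passwords; not a target
        requests[ev["account"]].append(
            (datetime.fromisoformat(ev["time"]), ev["service"]))

    suspects = {}
    for account, reqs in requests.items():
        reqs.sort()
        for start, _ in reqs:  # slide a window from each request
            in_window = {svc for t, svc in reqs if start <= t <= start + window}
            if len(in_window) >= min_services:
                suspects[account] = sorted(in_window)
                break
    return suspects


if __name__ == "__main__":
    for account, services in kerberoast_suspects(SAMPLE_4769).items():
        print(f"{account}: RC4 tickets for {', '.join(services)}")
```

On the constructed records jdoe is flagged (four RC4 service tickets in three seconds) while asmith, who requested two tickets an hour apart, is not. The AES request for the file server's computer account is skipped on both counts. The thresholds are a starting point; tune the window and count against what your own ticket traffic looks like before alerting on it.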