Compromised Credentials - From Careless to Criminal

Credentials are a double-edged sword. On the one hand, they are the means by which employees gain access to the resources they need to do their jobs. On the other, they are also the means by which a malicious insider or an external threat actor gains that very same access to do harm.

The real threat is obviously not a user simply doing their job; it is when the credentials in question are compromised and misused, whether by their assigned user, by another employee who has borrowed them, or by an external attacker who has stolen them.

So, just how real is the compromised credential? And should one become compromised, how much risk does that pose to the organization?

The carelessness of your organization’s users

There are two parts to the compromised credential equation. The first is the carelessness of your organization’s users. Logging onto the corporate network becomes so routine that users often forget their username and password are sensitive pieces of information. As a result, 49% of employees share their credentials with fellow employees and 52% see no risk to their employer in doing so [1]. These aren’t just low-level users with little access to sensitive information; they are users from Legal, HR, IT, Finance, and more [1].

To make matters worse, these shared credentials very likely carry far more access than the job requires. In one study, 71% of end users said they frequently or very frequently have access to information they shouldn’t [2], so most of your users are potentially over-privileged to begin with.

Add this all up and you have an environment of users with too much access sharing that access with others – it’s a recipe for disaster.

The criminal actions of insiders and external threat actors

Misuse of privileges is the second most prevalent attack method found in successful data breach incidents [3]. Which brings us to the second part of the compromised credential equation: the criminal actions of insiders and external threat actors.

Insider threats (which make up approximately one-third of all data breaches [3]) become far easier when the insider can use both their own and a fellow employee’s credentials to reach valuable sensitive data.

Likewise, external attackers use stolen credentials to gain a foothold within an organization, establish persistence, move laterally across the network, and find valuable data to exfiltrate. One common way they obtain those credentials is malware that records keystrokes; a keylogger on a single workstation captures every credential typed there, including the ones colleagues have been sharing (remember all that password sharing going on?), which makes the attacker’s job even easier.

So, how can you identify when any part of the compromised credential equation occurs?

Watching your logons

It’s quite simple, really. It begins with watching your logons.

By auditing logons, you can spot password sharing (the same account logging onto many machines, or many simultaneous sessions for one account), potential insider threats (“Why is Sally logging in at 1am on a Thursday?”), and even external attackers (logons at odd hours, repeated failed logon attempts against servers, and so on).
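The three signals in that paragraph can be turned into detection logic directly. The following Python script is an added example, not code from the original article or from any vendor product. It runs over a handful of constructed records that mirror the user, workstation and source-address fields of the Windows Security log’s logon events (event 4624 for a success, 4625 for a failure); the thresholds, the business-hours window and the service-account allowlist are assumptions to be tuned to your own environment.

```python
"""Detect suspicious logon patterns in Windows Security-log style records.

Added example for this article, not the author's or any product's code.
Records are constructed sample data (not real logs) in a simplified dict
form mirroring the TargetUserName, WorkstationName and IpAddress fields of
event 4624 (logon succeeded) and 4625 (logon failed). Thresholds and the
business-hours window below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, event_id, user, host, src):
    return {"time": time, "id": event_id, "user": user, "host": host, "src": src}


# Constructed sample events. 2017-06-08 is a Thursday.
SAMPLE_EVENTS = [
    # sally: two normal daytime logons and one at 1am
    _ev("2017-06-08 09:02:11", 4624, "sally", "WS-FIN-07", "10.0.1.17"),
    _ev("2017-06-08 13:15:40", 4624, "sally", "WS-FIN-07", "10.0.1.17"),
    _ev("2017-06-08 01:04:55", 4624, "sally", "WS-FIN-07", "10.0.1.17"),
    # bob: one account active on four different machines within minutes
    _ev("2017-06-08 10:00:01", 4624, "bob", "WS-HR-01", "10.0.2.5"),
    _ev("2017-06-08 10:01:30", 4624, "bob", "WS-HR-02", "10.0.2.6"),
    _ev("2017-06-08 10:02:12", 4624, "bob", "WS-HR-03", "10.0.2.7"),
    _ev("2017-06-08 10:03:45", 4624, "bob", "WS-LEGAL-01", "10.0.3.2"),
    # svc-backup: six failures against a file server in 25 seconds, then a success
    *[_ev(f"2017-06-08 02:10:{5 * i:02d}", 4625, "svc-backup", "SRV-FILE-01", "10.0.9.33")
      for i in range(6)],
    _ev("2017-06-08 02:10:30", 4624, "svc-backup", "SRV-FILE-01", "10.0.9.33"),
]


def _parse(events):
    """Return copies of the events sorted by time, with 'time' as a datetime."""
    out = []
    for e in events:
        rec = dict(e)
        rec["time"] = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
        out.append(rec)
    return sorted(out, key=lambda r: r["time"])


def shared_account_logons(events, window=timedelta(minutes=10), min_hosts=3):
    """One account successfully logging on to min_hosts or more distinct
    machines inside `window` is the classic footprint of a shared password.
    Returns {user: sorted hosts} for every account that trips the rule."""
    by_user = defaultdict(list)
    for e in _parse(events):
        if e["id"] == 4624:
            by_user[e["user"]].append(e)
    flagged = {}
    for user, logons in by_user.items():       # logons are already time-ordered
        for i, first in enumerate(logons):
            hosts = {x["host"] for x in logons[i:] if x["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def off_hours_logons(events, start_hour=7, end_hour=19, expected_off_hours=frozenset()):
    """Successful logons outside start_hour..end_hour or on a weekend, by
    accounts not on the allowlist. Backup and other service accounts run at
    night by design, so allowlist them rather than drown the alert in noise."""
    hits = []
    for e in _parse(events):
        if e["id"] != 4624 or e["user"] in expected_off_hours:
            continue
        t = e["time"]
        if t.weekday() >= 5 or not (start_hour <= t.hour < end_hour):
            hits.append((e["user"], e["host"], t.strftime("%Y-%m-%d %H:%M")))
    return hits


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Runs of `threshold` or more failed logons (4625) for one user, host
    and source inside `window`. Also reports whether a 4624 from the same
    source followed within the window: a guessing run that ended in a
    success is the case that matters most."""
    parsed = _parse(events)
    fails = defaultdict(list)
    for e in parsed:
        if e["id"] == 4625:
            fails[(e["user"], e["host"], e["src"])].append(e["time"])
    bursts = []
    for (user, host, src), times in fails.items():
        for i, t0 in enumerate(times):
            run = [t for t in times[i:] if t - t0 <= window]
            if len(run) >= threshold:
                success = any(x["id"] == 4624 and x["user"] == user and x["host"] == host
                              and x["src"] == src and run[-1] <= x["time"] <= run[-1] + window
                              for x in parsed)
                bursts.append({"user": user, "host": host, "src": src,
                               "failures": len(run), "followed_by_success": success})
                break
    return bursts


if __name__ == "__main__":
    print("shared accounts:", shared_account_logons(SAMPLE_EVENTS))
    print("off-hours logons:", off_hours_logons(SAMPLE_EVENTS, expected_off_hours={"svc-backup"}))
    print("failed-logon bursts:", failed_logon_bursts(SAMPLE_EVENTS))
```

On the sample data the first rule flags bob’s account on four machines within four minutes, the second flags Sally’s 1am logon (and would also flag the backup service account unless it is allowlisted, which is why the allowlist parameter exists), and the third flags the burst of failures against SRV-FILE-01 together with the fact that a successful logon from the same source followed it. The same functions apply unchanged to real 4624/4625 events once they have been collected from each machine’s Security log.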

Getting Your Credentials Under Control

Native Windows auditing can provide some of this detail: once logon auditing is enabled, each machine records successful logons as event 4624 and failures as event 4625 in its own Security log. But those events are stored on a per-system basis, so assembling the logon “big picture” across many machines is a daunting task. Third-party solutions exist that automate the centralized auditing of logons, add notification of specific suspect events, and provide policy-based control over logons (e.g. restricting which systems an account may log onto, or how many concurrent sessions it may have).

By gaining visibility into your logons, you will have a much better idea of how much risk the organization faces daily. Understanding whether you have a problem is the first step. It is only by also putting controls in place to limit the risk-inducing behavior that your organization will begin to improve its security posture and limit the potential for compromise.

[1] IS Decisions, Insider Threat Persona Study (2017)
[2] Ponemon, Corporate Data: A Protected Asset or a Ticking Time Bomb? (2014)
[3] Verizon, Data Breach Investigations Report (2017)