
Compromised Account Attacks Are Growing — Here’s What You Can Do


Christian Wimpelmann

Compromised user accounts have always been the most significant — and simplest — cybersecurity risk in the enterprise. Or, as Verizon put it in the 2021 Data Breach Investigations Report, “Credentials are the glazed donut of data types.” The 2021 DBIR showed that about half of all data breaches in 2020 involved hacking — and more than 80% of those hacking breaches stemmed from compromised (lost or stolen) credentials. That likely isn’t shocking. After all, the easiest way to “get in” to a system or access valuable data or assets is to have the “key” provided by legitimate user credentials. But here’s the part that is alarming: The incidence of compromised credentials and compromised user accounts is on the rise.

Compromised credentials more common in post-pandemic era

Since the start of the pandemic, compromised user accounts and other compromised credentials have risen by 55%. In fact, compromised credentials are now the most common source of cyberattack that organizations are facing.

What’s behind the rise in compromised accounts? Employees are a startling 85% more likely to leak or lose data than they were pre-pandemic. And as Verizon noted, one of the most popular data types for cybercriminals to gobble up is credentials. As organizations went full-gas on digital transformation to adapt to pandemic restrictions, they rapidly shifted to remote, flexible, and hybrid work models — and opened policies around things like BYOD, cloud-based apps for productivity and sharing, and more. In the post-pandemic era, this all adds up to a much broader digital landscape — or threatscape. More accounts and more user credentials. More remote and off-network activity. And less visibility and control for IT and security teams. Take this stat, for example: one-third of companies don’t require remote workers to use any kind of authentication — and of the two-thirds that do require authentication, only 1 in 3 require multi-factor authentication. That’s a lot of completely unsecured devices and accounts.

Types of credential theft

There are countless varieties of attacks, schemes, and plots to harvest compromised credentials. But most can be broken into three categories:

  • Brute Force Attacks: A brute force attack entails systematically checking or guessing the password for a targeted account. The attacker generally uses automated tooling to test possible combinations until the correct one is found. One in four U.S. security pros say their organization has been the target of a brute force attack.
  • Credential Stuffing: Thanks to the steady stream of data breaches over the past several years, there are now immense troves of compromised credentials available for purchase on the dark web — often for pennies apiece. In a credential stuffing attack, a cybercriminal buys compromised credentials and then “stuffs” them into the login pages of systems, networks, and apps until one of them works, yielding a compromised user account. This is also referred to as credential recycling, since it reuses the credentials stolen in a previous (typically brute force) attack. The 2021 Verizon DBIR found that 23% of the organizations monitored had experienced a credential stuffing attack.
  • Social Engineering (Phishing): Even more common than guessing passwords or buying compromised credentials is using creative social engineering schemes like phishing to steal credentials. According to a recent study, 2 in 3 organizations experienced a phishing attack in the last year. Verizon says phishing attacks went up 11% over the last year. And more than half of successful phishing attacks ultimately lead to compromised user accounts or other compromised credentials.
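As an added illustration of how a defender can tell the first two categories apart in authentication logs (example code written for this article, not Code42's or Incydr's), the script below parses a constructed login log and labels each source address: many failures against one or two accounts reads as brute force, one or two failures each across many accounts reads as credential stuffing, and any account that then logs in successfully from a flagged source is treated as likely compromised. The log format, the thresholds and the function names are assumptions.

```python
"""Label failed-login patterns as brute force or credential stuffing (added example, constructed data)."""
from collections import defaultdict

# Constructed sample log (not from the article): "<timestamp> <user> <source_ip> <OK|FAIL>"
SAMPLE_LOG = """\
2021-06-01T02:10:01 alice 198.51.100.7 FAIL
2021-06-01T02:10:02 alice 198.51.100.7 FAIL
2021-06-01T02:10:03 alice 198.51.100.7 FAIL
2021-06-01T02:10:04 alice 198.51.100.7 FAIL
2021-06-01T02:10:05 alice 198.51.100.7 FAIL
2021-06-01T03:00:10 bob 203.0.113.9 FAIL
2021-06-01T03:00:11 carol 203.0.113.9 FAIL
2021-06-01T03:00:12 dave 203.0.113.9 FAIL
2021-06-01T03:00:13 erin 203.0.113.9 FAIL
2021-06-01T03:00:14 frank 203.0.113.9 FAIL
2021-06-01T03:00:15 erin 203.0.113.9 OK
2021-06-01T09:15:00 grace 192.0.2.44 FAIL
2021-06-01T09:15:20 grace 192.0.2.44 OK
"""


def parse_log(text):
    """Turn log lines into (timestamp, user, src_ip, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            events.append(tuple(parts))
    return events


def classify_sources(events, min_failures=5):
    """For each source with at least min_failures failed logins: a couple of accounts hit
    repeatedly reads as brute force, many accounts hit once or twice each as credential stuffing."""
    failures, accounts = defaultdict(int), defaultdict(set)
    for _ts, user, src, result in events:
        if result == "FAIL":
            failures[src] += 1
            accounts[src].add(user)
    labels = {}
    for src, n in failures.items():
        if n >= min_failures:  # below this, assume ordinary typos (grace above)
            labels[src] = "brute_force" if len(accounts[src]) <= 2 else "credential_stuffing"
    return labels


def likely_compromised(events, labels):
    """Accounts that logged in successfully from a flagged source: the attacker now holds a valid key."""
    return sorted({user for _ts, user, src, result in events if result == "OK" and src in labels})
```

In real deployments the same counting is usually done per time window and joined with MFA and geolocation data, but the two shapes (one account, many tries versus many accounts, few tries) are what the analyst looks for first.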

How can you prevent compromised credentials?

1. Implement a strong password policy.

The first step in mitigating the risk of compromised credentials is simply to make the credentials themselves harder to compromise. That means developing and enforcing a strong password policy that requires all users to follow established best practices for creating — and regularly changing — strong passwords, as well as ensuring passwords are not reused across devices, apps, or other accounts.

2. Train your users.

Compromised credentials and compromised user accounts fall under the umbrella of insider risk, and insider risk is a people problem. One of the most effective ways to solve a people problem is to talk to your people. Yet the vast majority (73%) of workers say their organizations haven’t provided any additional cybersecurity training since the pandemic dramatically changed where, when, and how they work. Regular education on best practices for password management, and on things like how to recognize and avoid phishing schemes, can go a long way.

3. Use a password manager.

One of the easiest ways to help your users maintain strong passwords is to use a password manager. These tools are ubiquitous and increasingly economical and user-friendly. But the two things to remember here are 1) make sure the password manager itself is secure and well-protected against hacking, and 2) make sure users take advantage of the auto-generate feature, available in just about every password manager today, that generates passwords (and remembers them) with much deeper complexity and randomness than a human ever could.

4. Use Multi-Factor Authentication (MFA).

MFA can easily stop an attacker dead in their tracks. They may have compromised credentials, but they almost certainly won’t have access to the secondary (or tertiary) form of identity verification (like a one-time passcode sent to the legitimate user’s mobile device). Microsoft estimates that 99.9% of compromised user accounts could be prevented with MFA.

5. Focus on privileged accounts.

The ultimate goal of compromised credential attacks is to gain access to valuable data or assets, so it’s not surprising that high-ranking employees and others with privileged access are the biggest targets. The solution is two-fold: First, focus on auditing access privileges. A 2020 report found that half of organizations have users with more access privileges than are necessary to do their jobs. Second, step up access management protocols for your (now audited) privileged accounts. Only a third of organizations use multi-factor authentication to secure their privileged accounts.

How to spot credential theft faster — before the damage is done

Like other forms of insider threat and insider risk, compromised credentials ultimately stem from human-factor issues: poor password hygiene, falling for phishing schemes, etc. The upside is that small changes can have a significant impact on human-factor risks; the downside is that humans will always be imperfect (and cybercriminals are incredibly efficient at exploiting user mistakes), so compromised user accounts can’t be entirely prevented. So, while investing time and budget in prevention is certainly worth it, it’s also critical to invest in strategies for detecting the anomalies and abnormalities that signal compromised accounts — and for investigating and responding quickly and effectively.

  • Make sure you have endpoint visibility — remote, in the cloud, on and off the network

The first smoke signals of compromised credentials often come from users’ endpoint devices. So, security teams need to have endpoint visibility — extending to both on- and off-network activity, since remote and flexible work models mean users are increasingly working off the VPN. If you haven’t already done so, automate endpoint inventory management; that is the first step to gaining that visibility. You should also have visibility into activity on the web and in the cloud, since web- and cloud-hosted email is now the norm in many organizations.

  • Set a baseline for “normal” — so you can get a clear signal of real risk

If you can see all user and file activity, including on endpoints, on the web, and in the cloud, it’s much easier to answer the question, “What does normal look like?” This baseline helps you tune out the noise of everyday activity — all the file and data movement that defines the modern collaboration culture — and more quickly and accurately recognize when user behaviors fall outside of the norms. In short, when you start seeing users accessing, moving, renaming, or sharing files in ways or at times that don’t fit the pattern, you’ve got a high-fidelity signal of risk that you know requires an immediate closer look.
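A minimal version of that baselining, as an added example that is not Code42's or Incydr's code: build each user's “normal” (the hours of day seen and the average number of events per active day) from a constructed history of file activity, then score a new day against it, flagging off-hours actions, a volume spike, and users who have no baseline at all. The log format, the three-times-volume threshold and the function names are assumptions.

```python
# Added example with constructed data; not Code42/Incydr logic.
from collections import defaultdict
from datetime import datetime
# Constructed history (not from the article): "<timestamp> <user> <action> <file>"
HISTORY = """\
2021-05-03T09:12:00 alice open q1-report.xlsx
2021-05-03T10:40:00 alice share roadmap.pptx
2021-05-04T09:05:00 alice open budget.xlsx
2021-05-04T14:30:00 alice rename budget.xlsx
"""
# Constructed day under review: the same account, but a 3 a.m. burst of copies
NEW_DAY = """\
2021-05-06T03:02:00 alice copy customers.csv
2021-05-06T03:03:00 alice copy contracts.zip
2021-05-06T03:04:00 alice copy payroll.xlsx
2021-05-06T03:05:00 alice copy source-backup.tar
2021-05-06T03:06:00 alice copy hr-records.xlsx
2021-05-06T03:07:00 alice copy board-minutes.docx
2021-05-06T03:08:00 alice copy keys.txt
"""

def parse(text):
    """Split "<timestamp> <user> <action> <file>" lines into tuples."""
    return [(datetime.fromisoformat(t), u, a, p)
            for t, u, a, p in (ln.split(maxsplit=3) for ln in text.splitlines())]

def build_baseline(events):
    """Per user: the hours of day seen in history and the average events per active day."""
    hours, per_day = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for ts, user, _action, _path in events:
        hours[user].add(ts.hour)
        per_day[user][ts.date()] += 1
    return {u: {"hours": hours[u],
                "avg_per_day": sum(per_day[u].values()) / len(per_day[u])} for u in hours}

def score_day(events, baseline, volume_factor=3.0):
    """Return, per user, the reasons an analyst should take a closer look (empty dict if none)."""
    reasons, per_day = defaultdict(list), defaultdict(int)
    for ts, user, action, path in events:
        if user not in baseline:  # never seen before: cannot say what normal is
            reasons[user].append("no baseline for user")
            continue
        per_day[user] += 1
        if ts.hour not in baseline[user]["hours"]:
            reasons[user].append(f"off-hours {action} of {path} at {ts:%H:%M}")
    for user, n in per_day.items():  # volume well above the user's own norm
        avg = baseline[user]["avg_per_day"]
        if n > volume_factor * avg:
            reasons[user].append(f"{n} events today vs {avg:.1f}/day baseline")
    return dict(reasons)
```

A production baseline would be built over weeks rather than two days and would also key on destination (removable media, personal cloud, new sharing links), but the shape of the check is the same: compare each user to their own history, not to a global rule.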

  • Accelerate your investigation and response — mitigate the damage

The same deep contextual visibility into all user and file activity is a powerful fuel to accelerate your investigation and response to potentially compromised user accounts. Security teams can rapidly dig into contextual information around file and data movement to identify which user accounts were impacted, which systems or assets were accessed, and what data or files were affected — right down to seeing when and where this valuable data moved. The thorough investigation drives a rapid, right-sized response — whether that’s locking down accounts or devices, taking proactive legal action to protect the company, or referring the incident to authorities for a response. Moreover, the immediate, deep, contextual visibility cuts the time from “detecting compromised credentials” to “neutralizing the threat,” helping to mitigate and minimize the damage from a successfully compromised user account.

Learn more about how Code42 Incydr can help you detect compromised credentials and protect against data loss from compromised user accounts.


Christian Wimpelmann, CISSP, CCSP is an IAM Manager at Code42, focused on identity strategy and implementation. Christian spent the first 14 years of his career at Target Corporation, building and maintaining identity management and directory platforms.