Attivo Networks Blogs

Protecting Cloud Credentials

Written by: Vikram Navali, Senior Technical Product Manager – Credentials are critical when it comes to controlling user access, securing an organization’s infrastructure, and safeguarding its assets. Compromised user credentials often serve as an unnoticed entry point into the network. A closer look at how attackers are stealing credentials using a wide range of techniques, tactics, and procedures (TTPs) helps protect the organization’s information assets and mitigate an attack’s impact.

People use different kinds of credentials every day, such as username, password, cloud credentials like access keys, secret keys, session cookies, and digital certificates on websites, etc. However, all of them are vulnerable. Attackers use modern techniques to steal and use these kinds of credentials targeting critical assets. As the number of attack vectors increases, credential theft started to be more common. According to Verizon’s Data Breach Investigations Report 2020, over 80% of hacking-related breaches involved brute force or lost or stolen credential use. This points out the need for security professionals to understand credential exposures and to protect an organization’s identity as part of a defensive strategy.

Examining several standard techniques attackers use to steal credentials can reveal how ready an organization’s cyber-hygiene practices are equipped to understand, detect and prevent credential-based attacks.

Phishing is a technique where attackers exert tremendous effort into making illegitimate emails and websites look nearly identical to an organization’s legitimate ones. They then embed these malicious website links in emails sent to hapless users to trick them into providing their usernames and passwords. In many cases, phishing leads to a ransomware attack when the user mistakenly downloads an attachment or clicks on a malicious link that downloads and executes malware onto the system.

Brute-force attacks attempt to guess valid passwords to gain unauthorized access to a network. Attackers systematically check every possible combination of passwords until they find the correct ones.

Password spray attacks attempt to access many accounts (usernames) with several commonly used passwords.

Once attackers compromise an endpoint through phishing, they can obtain username and password using credential dumping or brute-force techniques. They then use these credentials to access restricted information, move laterally, and install any other malware.

To combat this, Attivo Networks provide extensive visibility into in-network attack activity across any attack surfaces, whether on-premises, in the cloud, or at remote locations. The Endpoint Detection Net (EDN) suite’s ThreatStrike component provides comprehensive detection for credential-based attacks that evade traditional anti-virus and other perimeter defense. The EDN ThreatPath component can also reduce the attack surface by identifying paths that an attacker would use to reach their targets, as well as local and shadow admin accounts on the endpoint.

With the advent of cloud deployment, an organization’s IT resources are geographically distributed. Organizations must provide seamless and secure access to any server infrastructure that moves from on-premises to the cloud. This fundamental shift in the IT landscape to the cloud poses a security threat to an organization’s resources.

As per the State of DevSecOps – Summer 2020 report, researchers noticed that some emerging cloud practices are creating exposures. Despite the availability of popular tools such as HashiCorp Vault and the AWS Key Management Service (KMS), they found hardcoded private keys in 72% of deployments. Specifically, one in two cloud deployments had unprotected credentials stored in container configuration files. Unauthorized users could use these keys and credentials to gain access to sensitive cloud resources.

The Attivo ThreatDefend platform gives customers the ability to deny, detect, and derail advanced threats in AWS, Azure, Google Cloud, OpenStack, and Oracle Cloud deployments.

Attackers can also activate backdoors to gain remote access and steal credentials, such as in the recent SolarWinds attack, where suspected nation-state actors planted a backdoor in the software updates for the SolarWinds Orion platform. Attackers compromised credentials through on-premises network intelligence and moved laterally. They also compromised SAML token keys to access the organization’s cloud applications and critical assets.

Compromised user credentials often serve as an entry point into an organization’s network and its information assets. It is a misconception that applying security policies for password length and complexity requirements will do enough to protect cloud credentials. Cybercriminals use a variety of methods to steal credentials. Detecting attempts to steal or reuse cloud credentials can rapidly reduce exploitation time. Organizations can reduce their risk to cloud resources by deploying the EDN ThreatStrike solution and creating cloud baits such as deceptive logins, access keys on the endpoints.

For additional information, please visit

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free


Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial


  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise


Leave a Comment

Your email address will not be published.

20 − eighteen =

Ready to find out what’s lurking in your network?

Scroll to Top