Mitigating the rise of Credential Theft attacks
By Carolyn Crandall, Chief Security Advocate, Attivo Networks.
Credentials allow attackers to get an initial beachhead in the network. What happens next will decide whether a small incursion turns into a crisis.
Even with password policies and phishing education, stolen credentials are abundant, cheap, and easy to buy on the dark web. If an attacker wants to target a big organisation, it is almost inevitable that they can secure a password or some other weak identifier that allows them to gain initial access.
Having the appropriate Identity Exposure Visibility (IVE) and Identity Detection and Response (IDR) solutions in place can stop an identity-based attack by reducing the attack surface and denying the adversary access to resources they need to extend their attack. To reduce the blast radius of credential-based attacks, organisations must understand exposures and prevent privilege escalation so that a ransomware event or threat actor intrusion does as little damage as possible.
We know attacks are inevitable, which is why the tried-and-tested “assume breach” security stance is not about to go out of fashion any time soon. Unfortunately, adversaries are going to get into the network eventually. They are likely already there.
According to the Verizon Data Breach Investigations Report, the initial intrusion is likely to be enabled by stolen credentials – which factored in 61% of breaches in 2021. It is easy to foresee this percentage getting even higher because the threat stolen credentials pose has increased due to the exponential growth of cloud migration and a corresponding rise in both human and non-human identities.
The widespread shift to remote working, a rapid pace of cloud migration, and the increasing adoption of DevOps practices have caused a further increase in the risk posed by credentials. To tackle this growing threat, organisations should safeguard credentials and systems like Active Directory, an authoritative credential store, to curtail the attacker’s ability to obtain excessive rights or privileges needed to move across domains.
Attacking Active Directory
When an endpoint is first compromised, attackers follow a predictable path. They typically look for more credentials, particularly those that let them assume identities with greater privileges and access, and for opportunities to move laterally. They strike at Active Directory, which is the spinal cord of approximately 90% of Global Fortune 1000 companies and is involved in 90% of attacks, according to Mandiant.
Microsoft’s statistics show that 500 million active account users use AD, with 10 billion daily authentications. An estimated 95 million of those accounts are under attack every day.
With Active Directory handling the bulk of an organization’s identity management processes, AD is an essential asset for the attacker to exploit. If they can query it, they can locate privileged accounts such as domain admins with the access levels needed to continue their escalation.
Detecting this activity is also not easy since there are many techniques to access and exploit AD, including Golden Ticket attacks, Kerberoasting, and Windows Security Identifier (SID) history injection.
Stopping the attack during its early stages of AD enumeration or reconnaissance will dramatically reduce both the blast radius and the remediation effort, since the attackers will not have had the time or power to install backdoors or change security policy settings.
Containing the blast
To tackle credential-based attacks, organisations should follow good security practices such as zero-trust and roll out multi-factor authentication, rather than relying on inherently insecure single-factor protections such as passwords. IDR contains the tools organisations need to defend against credential-based attacks.
It is a relatively new segment adjacent to Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR), focusing on protecting credentials, privileges, cloud entitlements, and the systems that manage them. IDR offers the ability to detect when attackers exploit, misuse, or steal enterprise credentials.
IDR also offers an additional layer of protection with decoys, concealment, and misdirection. Hiding real credentials, Active Directory objects, and critical data while seeding fake data at endpoints or other key locations in the network steers attackers away from production assets and into decoys. Once attackers engage, the decoy systems analyse their behaviour, providing intel to inform future responses.
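The two detection ideas above, sketched as an added example that is not from the article or any Attivo product: a tripwire on seeded decoy accounts, and a heuristic for Kerberoasting-style bursts of RC4 service-ticket requests (Windows Security event 4769). The decoy names, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for illustration: decoy names, thresholds and events are made up.
DECOY_ACCOUNTS = {"svc_backup_adm", "sql_legacy_sa"}  # seeded, never used legitimately
RC4_HMAC = "0x17"                      # TicketEncryptionType for RC4-HMAC in event 4769
ROAST_THRESHOLD = 3                    # distinct services requested with RC4 ...
ROAST_WINDOW = timedelta(minutes=5)    # ... by one account inside this window

# Constructed events using Windows Security log field names (4769, 4625).
SAMPLE_EVENTS = [
    {"time": "2022-03-01T09:00:05", "EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "fileserver$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    {"time": "2022-03-01T09:01:00", "EventID": 4769, "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.57"},
    {"time": "2022-03-01T09:01:02", "EventID": 4769, "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.57"},
    {"time": "2022-03-01T09:01:03", "EventID": 4769, "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_backup_adm", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.57"},
    {"time": "2022-03-01T09:04:00", "EventID": 4625, "TargetUserName": "sql_legacy_sa",
     "IpAddress": "10.0.0.57"},
    {"time": "2022-03-01T09:10:00", "EventID": 4769, "TargetUserName": "carol@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.33"},
]

def detect(events):
    """Return (alert_type, source_ip, account) tuples in chronological order."""
    alerts, rc4_requests, flagged = [], defaultdict(list), set()
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        user = ev.get("TargetUserName", "").split("@")[0].lower()
        service = ev.get("ServiceName", "").lower()
        # 1) Decoy tripwire: nothing legitimate ever references a seeded account,
        #    so any logon or ticket request naming one is a high-fidelity alert.
        for name in (user, service):
            if name in DECOY_ACCOUNTS:
                alerts.append(("decoy_touched", ev["IpAddress"], name))
        # 2) Kerberoasting heuristic: one account asking for RC4 tickets to
        #    several distinct services in a short window.
        if ev["EventID"] == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC:
            rc4_requests[user].append((when, service))
            recent = {s for t, s in rc4_requests[user] if when - t <= ROAST_WINDOW}
            if len(recent) >= ROAST_THRESHOLD and user not in flagged:
                flagged.add(user)      # alert once per account
                alerts.append(("rc4_ticket_burst", ev["IpAddress"], user))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The decoy alert fires on a single event, while the burst heuristic needs tuning per environment, because legacy services that still negotiate RC4 will otherwise trip it.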
Identity security platforms can also help organisations manage their attack surface by providing visibility of critical vulnerabilities such as credentials stored at endpoints or AD misconfigurations that allow attackers to extract data. They can also identify overly permissive entitlements within cloud environments that enable intruders to access sensitive data.
The functionalities offered by an IDR solution provide effective countermeasures against credential-based attacks and can be a vital part of an organisation’s defences. Credentials are easy to buy or steal through phishing and exploiting other human weaknesses. Taking an assumed breach posture and making the correct preparations to protect against identity-based attacks can limit the damage caused by a credential-based attack and minimize the blast radius.