When it comes to attack vectors, there are few as useful and widespread as credential theft. Verizon listed it as a top vector in their 2023 Data Breach Investigations Report, and Arctic Wolf Labs saw “historic compromise” as the root point of compromise for 7.3% of all breaches in 2023. According to IBM, stolen credentials accounted for 15% of breaches in 2022, and the average cost of a breach utilizing stolen credentials was $4.65 million.
This is clearly a problem that extends beyond not updating your email password.
What Is Credential Theft?
Credential theft is the stealing of passwords, usernames, or other information that allows for access to networks, applications, assets, or accounts. Also called credential harvesting or credential compromise, credential theft is done by cybercriminals looking to launch a cyber attack, move deeper into a system once an attack has begun, or complete an attack by stealing money through account access.
How Credentials Are Stolen
Credential theft happens in a number of ways. Social engineering is a common tactic for this, and the two are often intertwined when it comes to cyber attacks. A threat actor could use a phishing technique on an employee with privileged access within an organization — posing, say, as a member of the IT team who needs credentials for an update. The employee then willingly hands over the credentials, none the wiser.
A different scenario is that an organization which stores identifying information, including possible usernames and passwords, is breached and the data is exfiltrated and posted on the dark web. That information could then be taken by another threat actor and used in a separate attack on a different organization entirely.
Another way credential theft occurs is through brute-force attacks and credential stuffing. Similar to credential theft-based attacks, brute-force attacks occur when a threat actor uses trial and error to obtain a correct login. Credential stuffing, the use of stolen passwords from one site for another site, is a common method in these attacks.
Unfortunately, too many users don’t have unique and complex passwords or usernames for every login, instead choosing to use the same pair over and over. This was the case in a 2022 attack where cybercriminals used stolen usernames and passwords from other breaches to hack into General Motors.
How Are Stolen Credentials Used In Cyber Attacks?
While stolen credentials are often identified as an early attack vector or the root point of compromise, the truth is this data can be used at any stage in an attack. As mentioned above, a breach could begin with a massive social engineering campaign, even one that originates from a business email compromise (BEC) attack, and then the harvested credentials are used by threat actors to move deeper into the network and escalate the breach.
In a ransomware attack, for example, threat actors could use stolen credentials to access the specific application or asset they want to encrypt and hold for ransom. Or the credentials stolen can be used to login to an account of a user the threat actor knows has privileged access.
The username and password become a tool in the cybercriminal’s toolbox, capable of picking locks as needed.
How To Prevent Credential Theft
Preventing credential theft is more complex than just adding a couple of numbers to your password or making sure it isn’t “pass123.” For organizations with hundreds or thousands of users, staying on top of credential protection can be an overwhelming task. Especially if those users are not security-minded and are utilizing personal accounts on a company device or using a work email address for personal accounts.
But there are proactive and reactive steps a security team can take to make sure their most critical assets are secure and ensure that stolen credentials are not a vector threat actors can use on them.
1. Employ Multi-Factor Authentication (MFA) and a Zero Trust Strategy
It may seem obvious to employ MFA to prevent brute-force, credential stuffing, or the use of stolen credentials in an attack, but 58% of BEC attacks Arctic Wolf saw in 2022 lacked MFA. Not only can this extra layer of access protection stop a threat actor from gaining access, the unusual login attempt, if monitored, can serve as an early detection for your security team that an incident may be in progress.
The same strategy applies to Zero Trust, which removes all implicit trust. If a user doesn’t have automatic access, a threat actor can’t use stolen credentials to gain access. Password protection is key to preventing credential theft.
2. Conduct Comprehensive Employee Security Training
Because credential theft and social engineering tactics like phishing are so connected, making sure your employees are properly trained against these threats can make a major difference. Users are top targets for credential harvesting, but they can also be the first line of defense if security training is conducted regularly, with relevant, up-to-date content.
3. Utilize Monitoring to Detect Credential Theft During an Incident
Utilizing 24×7, real-time monitoring — like the kind offered by a managed detection and response solution — can be the difference between halted suspicious activity and a major incident when credentials are stolen.
If various applications and the network are monitored, security engineers will be alerted to credential stuffing attempts, brute-force attacks, credentials being utilized at odd hours or from an unknown geographical location, or when the user is performing suspicious tasks.
4. Conduct Dark Web Monitoring
When credentials are stolen, it’s common that they will end up on the dark web for other threat actors to utilize in future attacks. Currently, there are over 20 billion username and password combinations on the dark web, and that volume has increased 65% since 2020.
Learn more about the top attack vectors utilized by threat actors.
Explore the current cybercrime landscape in-depth with our Arctic Wolf Labs 2023 Threats Report.
