When it comes to cybercrime, there are few tactics as useful and widespread as credential theft and the use of stolen credentials. In the 2023 breach of password management giant Okta, it was a set of credentials that jumpstarted the incident — threat actors hacked into an employee’s personal Google account, where they found an Okta customer service account had also been saved.
And that kind of incident isn’t an isolated occurrence. Use of stolen credentials was named the top attack action, seen in 24% of incidents, according to the 2024 Verizon Data Breach Investigations Report, and “use of previously compromised credentials” was listed as the root cause for 7.3% of Arctic Wolf Incident Response engagements in 2023. Looking at cost, according to IBM, the average cost of a breach utilizing stolen credentials was $4.65 million.
It’s clear that credentials are becoming a favorite tool in the toolbox for threat actors, and there’s a whole lot of value in stealing them and then reselling them or using them to perpetuate cybercrime.
What Is Credential Theft?
Credential theft is the stealing of passwords, usernames, or other information that allows for access to networks, applications, assets, or accounts. Also called credential harvesting or credential compromise, credential theft is done by cybercriminals looking to launch a cyber attack, move deeper into a system once an attack has begun, or complete an attack by stealing money through account access. Credential theft can also occur during a ransomware attack as a form of data exfiltration, with cybercriminals holding the credentials for ransom or choosing to sell or expose them on the dark web.
How Credentials Are Stolen
Credential theft happens in a number of ways. Social engineering is a common tactic for this, and the two are often intertwined when it comes to cyber attacks. A threat actor could use a phishing technique on an employee with privileged access within an organization — posing, say, as a member of the IT team who needs credentials for an update. The employee then willingly hands over the credentials, none the wiser. That’s exactly what happened with the massive MGM breach in the summer of 2023.
Other ways credential theft occurs includes:
- A third-party application that contains valuable credentials, like LastPass, is breached
- A brute-force attack, where a threat actor uses trial and error to obtain a correct login
- A credential stuffing attack, when use of stolen passwords from one site are put into another site by threat actors, as was the case with the 23andMe attack in 2023
- Man-in-the-middle attacks, where threat actors intercept credentials as they’re put into an application
- Threat actors finding and exfiltrating credentials during a cyber attack on an organization
- A hack into Active Directory, which often stores credentials for entire organizations
- A keylogging attack, where malware records keystrokes made on an endpoint, letting threat actors record credential entries
While some of these attacks are simple and others more technical, social engineering continues to be a favorite option for threat actors because it’s easy to execute and often works. According to the 2024 Verizon Data Breach Investigations Report, 68% of breaches last year involved the human element. Additionally, many users have simple and/or reused passwords or usernames for every login, making brute-force and credential stuffing attacks a viable option for threat actors.
How Are Stolen Credentials Used In Cyber Attacks?
While stolen credentials are often identified as an early attack vector or the root point of compromise, the truth is this data can be used at any stage in an attack. As mentioned above, a breach could begin with a massive social engineering campaign, even one that originates from a business email compromise (BEC) attack, and then the harvested credentials are used by threat actors to move deeper into the network and escalate the breach, often evading security as they are now mimicking a known user.
Additionally, in a ransomware attack, threat actors could use stolen credentials to access the specific application or asset they want to encrypt and hold for ransom. Or the credentials stolen can be used to login to an account of a user the threat actor knows has privileged access. Credentials can also be held for ransom themselves and exfiltrated as part of a double-extortion technique.
The username and password become a powerful tool in the cybercriminal’s toolbox, capable of picking locks as needed.
How To Prevent Credential Theft
Preventing credential theft is more complex than just adding a couple of numbers to your password or making sure it isn’t “pass123.” For organizations with hundreds or thousands of users, staying on top of credential protection can be an overwhelming task. Especially if those users are not security-minded and are utilizing personal accounts on a company device or using a work email address for personal accounts. And this protection extends beyond identity. If an organization is not staying on top of vulnerability management, for example, a threat actor could use a known vulnerability to hack into their Active Directory, granting them access to a myriad of legitimate credentials.
As organizations digitize, rely more heavily on web-based applications, and turn to hybrid or remote work models, protecting credentials becomes a crucial part of a strong cybersecurity strategy. There are proactive and reactive steps a security team can take to make sure their most critical assets are secure and ensure that stolen credentials are not a vector threat actors can use on them.
1. Employ multi-factor authentication (MFA) and a zero trust strategy
It may seem obvious to employ MFA to prevent brute-force, credential stuffing, or the use of stolen credentials in an attack, but 58% of BEC attacks Arctic Wolf saw in 2022 lacked MFA. Additionally, according to the Arctic Wolf’s State of Cybersecurity: 2024 Trends Report, only 43% of organizations who suffered a ransomware attack had MFA in place.
Not only can this extra layer of access protection stop a threat actor from gaining access, the unusual login attempt, if monitored, can serve as an early detection for your security team that an incident may be in progress.
The same strategy applies to zero trust, which, as an operating principle, removes all implicit trust. If a user doesn’t have automatic access, a threat actor can’t use stolen credentials to gain access. Password protection is key to preventing credential theft.
2. Implement and enforce identity and access management (IAM) strategies
If your organization isn’t governing user access, controlling that access, and monitoring it, it becomes significantly easier for threat actors to steal credentials and use them for lateral movement and more. By implementing, and enforcing tenants of IAM, which, yes, does include both MFA and zero trust, your organization is building a secure framework for identities and credentials to exist in, hopefully keeping them out of threat actors’ hands.
In tandem with IAM, organizations should adhere to identity detection and response (ITDR), a discipline that combines threat intelligence, identity best practices, tools, and processes to secure identity systems. ITDR is a massive part of IAM and shouldn’t be overlooked as your organization strategizes and implements identity protection.
3. Conduct comprehensive employee security training
Because credential theft and social engineering tactics like phishing are so connected, making sure your employees are properly trained against these threats can make a major difference. Human risk expands as organizations digitize, and while these users are top targets for credential harvesting, they can also be the first line of defense if security training is conducted regularly, with relevant, up-to-date content. Security awareness training should be one component of your human risk management strategy and should work to both reduce risk while building a stronger security culture.
4. Utilize monitoring to detect credential theft during an incident
Utilizing 24×7, real-time monitoring — like the kind offered by a managed detection and response (MDR) solution — can be the difference between halted suspicious activity and a major incident when credentials are stolen.
If various applications and the network are monitored, security engineers will be alerted to credential stuffing attempts, brute-force attacks, credentials being utilized at odd hours or from an unknown geographical location, or when the user is performing suspicious tasks.
Arctic Wolf® Managed Detection and Response is specifically configured to monitor identity sources, so it can detect unusual user behavior, alerting organizations to potential theft or a credential-based attack.
5. Conduct Dark Web Monitoring
When credentials are stolen, it’s common that they will end up on the dark web for other threat actors to utilize in future attacks. Currently, there are over 20 billion username and password combinations on the dark web, and that volume has increased 65% since 2020.
Learn more about the top attack vectors utilized by threat actors.
Explore the current cybercrime landscape in-depth with our Arctic Wolf Labs 2024 Threat Report.
See how Arctic Wolf and Mimecast work together to prevent phishing, BEC attacks, and other email-based attacks that can lead to credential theft.
