Phishing prevention and education is a top priority across the globe. Consequently, security teams and organisations are constantly working to upgrade their systems and provide better protection for their networks. However, threat actors are also constantly developing new techniques. There is a whole dark market associated with the threat landscape that is automated, scalable and profitable. Developing new threats takes time and money, so those looking to get around network security measures often target the weakest link in the security chain – the user.

The theft and use of stolen passwords is one of the oldest attacks in the book, and yet it remains highly effective, because with stolen credentials an adversary can bypass the entire attack lifecycle by impersonating a valid user. As a result, they can move uninterrupted throughout the organisation’s network and shift to abusing credentials from within. Instead of finding and exploiting a specific vulnerability in a networked system, or developing new malware, it is faster, cheaper and far easier to steal a password from a user. With stolen credentials in hand, the attacker can move laterally inside the organisation and no longer appears as an anomaly. They operate as a known user, outside the traditional threat protections aimed at stopping intruders.
How Attackers Steal Credentials
The first step toward preventing credential theft is to understand how it happens. Credential-based attacks are composed of two main parts – obtaining the credentials, and then using those credentials to authenticate inside the organisation. The most common ways credentials are obtained are:
Social engineering
Designed to deceive users into divulging personal information, this typically occurs over email or through fake social media profiles. Attackers rely on human reactions driven by emotion, and the emails are usually crafted to trigger fear, greed and the like.

Credential phishing and spam
An email is used to lure the recipient into logging into a fake account. The malicious link leads to a website that looks like the real website and can even have a similar URL.

Reusing stolen passwords or shared credentials
For those who lack the time for, or interest in, stealing credentials on their own, there is a booming business buying and selling them online. Credentials are priced by their potential profitability in underground forums and are often sold in bulk. In addition, it is becoming more common for hackers to simply post stolen credentials to the internet for anyone to use.

Brute force
Attackers rely on the fact that many people and organisations use weak passwords, and can often use offline brute-force attacks to crack the credentials.

Security question reuse
Human nature means we often reuse the same security questions. So, something that was designed as a second layer of protection can often be replicated. The answers are also often something that can be found online or brute forced.
What’s wrong with traditional approaches?
Traditional approaches to stopping credential phishing rely only on classifying the phishing site before the user encounters it. So, if the organisation’s security products miss a new phishing site, there is nothing to stop the user from entering their credentials.

The Palo Alto Networks Next-Generation Firewall running PAN-OS 8.0 neutralises credential theft by providing prevention capabilities across the attack lifecycle, to stop both the theft and the subsequent abuse of stolen credentials. The platform identifies and prevents attempts to steal credentials by stopping the submission of valid corporate credentials to illegitimate websites, and neutralises an attacker’s ability to use stolen credentials for lateral movement and network compromise by enforcing authentication policies at the network layer.

Defending against cyberattacks is tough, especially when attackers pose as authenticated users on your network. Preventing credential-based attacks is not the struggle of tomorrow; it is the struggle of today.
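To make the first of those two controls concrete, here is an added example (not Palo Alto Networks code, and not how PAN-OS implements it) of the decision a credential-submission filter has to make: a form POST is allowed to sanctioned corporate login hosts, blocked when a password that matches the corporate credential store is sent anywhere else, and merely flagged for inspection otherwise. The host names, salt and password are constructed sample values; the check stores only keyed hashes of passwords, never the passwords themselves, and deliberately matches the exact host rather than a substring so that look-alike URLs such as login.example.com.evil.net are not mistaken for the real site.

```python
import hashlib
import hmac
from urllib.parse import urlparse, parse_qs

# Constructed example values: a keyed-hash "credential store" of the
# passwords in use, plus the hosts where corporate logins are legitimate.
SALT = b"constructed-example-salt"


def fingerprint(secret: str) -> str:
    """Keyed hash so the filter never holds plaintext passwords."""
    return hmac.new(SALT, secret.encode("utf-8"), hashlib.sha256).hexdigest()


CORP_FINGERPRINTS = {fingerprint("CorrectHorseBattery1!")}   # constructed
CORP_LOGIN_HOSTS = {"login.example.com", "sso.example.com"}  # constructed
PASSWORD_FIELDS = ("password", "passwd", "pass", "pwd")


def classify_submission(url: str, body: str) -> str:
    """Decide what to do with a form POST carrying a possible credential.

    'allow'   : destination is a sanctioned corporate login host
    'block'   : a corporate password is being sent to any other host
    'inspect' : no known corporate credential in the submission
    """
    host = (urlparse(url).hostname or "").lower()
    # Exact-host comparison: a substring check would wrongly accept
    # "login.example.com.evil.net" as the corporate site.
    if host in CORP_LOGIN_HOSTS:
        return "allow"
    fields = parse_qs(body)
    for name in PASSWORD_FIELDS:
        for value in fields.get(name, []):
            if fingerprint(value) in CORP_FINGERPRINTS:
                return "block"
    return "inspect"


if __name__ == "__main__":
    # Constructed sample submissions.
    for u, b in [
        ("https://login.example.com/auth", "user=alice&password=CorrectHorseBattery1!"),
        ("https://login.example.com.evil.net/auth", "user=alice&password=CorrectHorseBattery1!"),
        ("https://shop.example.org/login", "user=alice&password=somethingelse"),
    ]:
        print(classify_submission(u, b), u)
```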