The Alarming Trend of Cyberattacks Using Valid Account Credentials: What You Need to Know

Feb 23, 2024 | Cybersecurity, Computer Support

It’s a fact of life: cyberattacks are an ever-present threat, constantly evolving and finding new ways to infiltrate our systems. One of the most alarming trends in recent years is the rise of cyberattacks using valid account credentials. These attacks, which leverage compromised or stolen login information, have proven to be highly effective in breaching organizations’ defenses, leading to devastating consequences such as data breaches and financial losses. So let’s take a look at valid account credential attacks, exploring the latest updates in cyberattacks and shedding light on the techniques employed by threat actors. By understanding this growing threat and implementing robust credential management practices, we can better safeguard our systems and protect against these insidious attacks.

How Prevalent are Valid Account Credential Attacks?

According to IBM X-Force’s Threat Intelligence Index, valid account compromises accounted for almost one-third of global cyberattacks in 2023, making it the fastest-growing threat. The volume of valid account credential attacks increased by 71% year over year.

CISA, the Federal Government’s Cybersecurity & Infrastructure Security Agency, reports similar numbers. In their Fiscal Year 2022 Risk and Vulnerability Assessments dated June 2023, they report that 54% of all attacks studied were tied to valid credential use.

Clearly we have a problem that is being exploited. Poor credential management is making us more vulnerable than ever to cyberattacks.

Valid Login Credentials are Easier than ever to Obtain

So how are threat actors gaining these credentials? It’s our fault as users and administrators.

Users continue to be targeted with phishing attacks that can steal credentials. They’re also not trained to effectively manage passwords. In many ways, this is a problem of our own making. We’ve been forcing users into those strong passwords for years. They’re difficult to remember, so users often resort to re-using what would otherwise be considered a good password. The problem comes when an account somewhere becomes compromised in a data breach. All of a sudden the hacker has a valid email and password combination that they can use to try attacking other systems.

Leadership and Network Administrators are opting more for convenience than current best practices

It’s not uncommon for business decision makers to make bad decisions regarding password policy. I can’t tell you how many times I’ve seen people decide to leave simple passwords and not enforce password rotation.

Network Administrators are often overloaded with work tasks, so reviewing and updating password policies is one of those things that often gets pushed into the realm of tasks to be addressed at some unscheduled date in the future. It’s easy to put it off indefinitely. If you really value network security, you either need to hire good IT staff and provide them adequate time and authority to manage your IT security posture, or you need to hire a network security partner to take on the task for you.

The Commercialization of Account Credentials

And while the cyberthreat industry continues to evolve, we’re seeing hacker marketplaces that will sell user credentials for a fee. Account logins are easier than ever to obtain and exploit. Many threat actors have assumed the role of data broker, selling compromised account data to anybody willing to buy it. This requires much less effort than using the credentials to launch their own attacks.

Best Practices to Avoid Falling Victim to Valid Account Attacks

Modern problems require modern solutions, as the meme says. So I’d like to make mention of some things that we can do as IT Professionals and Business Leaders to minimize this attack vector on our networks.

Create a Security Awareness Training program

Teaching network users is the best way to thwart common attacks. Many users have difficulty spotting phishing attacks. Most don’t know what smishing is. A security awareness training program can help minimize the chances of credentials being stolen in the first place.

Implement Password Rotations

Nobody likes learning a new password, even if it’s just increasing the number at the end (lol). But this is really important. Once your password changes, the valid account attack will not be successful. Three months is generally accepted as a best practice. You should also force a password rotation on all accounts in the event that a user’s credentials are compromised. You likely don’t know the exact method used to gain a successful login.

Implement Multi-Factor Authentication

MFA relies on two elements to authenticate a login request – something you know (the username and password) and something you have (the phone, authenticator app, USB key, etc). While highly sophisticated attacks can clone SIM cards, most threat actors aren’t this sophisticated. Even if account credentials are stolen, without that 6-digit PIN, access will not be granted.

Personally, I’m a huge fan of Authy as an authentication App, as it allows cloud syncing across devices. But chances are your cloud service provider also offers a solution, like Google Authenticator or Microsoft Authenticator.
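To make the "something you have" factor concrete, here is an added example (not code from this post or from any of the apps named above) of how a server can check the 6-digit code from an authenticator app using the standard TOTP algorithm (RFC 6238). The account record, its field names and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app displays."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_code(secret, submitted, unix_time, last_step=-1, window=1, step=30):
    """Return the matching time step or None. Tolerates +/- `window` steps of
    clock drift and refuses any step at or before the last accepted one."""
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_step:
            continue                             # replayed or older code
        if hmac.compare_digest(totp(secret, candidate * step, step), submitted):
            return candidate
    return None

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account():
    """Constructed sample account; field names are hypothetical."""
    salt = b"constructed-salt"
    return {"salt": salt,
            "pw_hash": hash_password("Correct-Horse-42", salt),
            "totp_secret": b"12345678901234567890",  # RFC 6238 test secret
            "last_step": -1}

def login(account, password, code, unix_time):
    """Grant access only when the password and the current code both check out."""
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]),
                                account["pw_hash"])
    step = verify_code(account["totp_secret"], code, unix_time,
                       account["last_step"])
    if not pw_ok or step is None:
        return False
    account["last_step"] = step                  # burn the code after use
    return True
```

A stolen password alone fails this check, and a code that has already been accepted is refused if it is submitted again.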

Audit Login Credentials

If your organization doesn’t enforce strong passwords and you want to know the extent of this problem, you can use KnowBe4’s Weak Password Test Tool to get a baseline assessment. This can often be used to spot conveniently created system accounts or generate the data necessary to get C-level buy-in to change up password management.

You should also look for old accounts that aren’t being used. Old employee accounts come to mind, as well as old service accounts. Your offboarding process should inform IT of employee separations and IT should be revoking access as a high priority task. Require confirmation to HR before the offboarding matter is considered closed.
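The account review described above can be scripted against an export from your directory. This is an added example, not part of the original post: the CSV layout and column names are hypothetical, the sample rows are constructed, the 90-day password age mirrors the three-month rotation suggested earlier, and the 90-day inactivity cutoff is an assumption.

```python
import csv
import io
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)   # the three-month rotation from this post
MAX_INACTIVITY = timedelta(days=90)     # assumption: the post gives no figure

# Constructed sample export; column names are hypothetical.
ACCOUNTS_CSV = """\
username,enabled,last_login,password_last_set,hr_status
alice,true,2024-02-20,2024-01-05,active
bob,true,2023-08-01,2023-07-15,separated
svc_backup,true,,2021-03-10,service
carol,true,2024-02-22,2023-10-01,active
dave,false,2023-05-01,2023-04-01,separated
"""

def audit(csv_text, today):
    """Map each enabled account to the list of problems found for it."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"] != "true":
            continue                    # disabled accounts cannot log in
        issues = []
        pw_set = date.fromisoformat(row["password_last_set"])
        if today - pw_set > MAX_PASSWORD_AGE:
            issues.append("password_overdue")
        last = row["last_login"]        # empty means the account never logged in
        if not last or today - date.fromisoformat(last) > MAX_INACTIVITY:
            issues.append("inactive")
        if row["hr_status"] == "separated":
            issues.append("separated_but_enabled")
        if issues:
            findings[row["username"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit(ACCOUNTS_CSV, date(2024, 2, 23)).items():
        print(f"{user}: {', '.join(issues)}")
```

Accounts flagged `separated_but_enabled` are the ones the offboarding process should already have closed, so they are the first to revoke.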

Allow Users to use a Password Manager

By making strong passwords easier to use, we can help users better secure their credentials. LastPass is well known in this space (though they have had security breaches in the past). Bitwarden is an open source alternative that your organization can self-host. There are many other password solutions out there, as well.

Secure Administrator Accounts

Many organizations don’t follow best practices here. Namely, you should:

  • Create an administrator account unique to each user.
  • Limit the use of admin accounts to only the times you need that power.
  • Use the concept of Least Privilege when granting access.
  • Segment access between your local network and cloud services, like Microsoft Azure.


Cybersecurity industry data is useful to show how cyberattacks are evolving over time. Hopefully this post helps you to recognize the increasing threat of valid account attacks and provides some strategies that you can implement to minimize your attack surface to these types of attacks.

Travis Fisher

Travis is Inacom’s Executive Vice President, tasked with assisting customers with their web based marketing initiatives. He’s kinda famous for his BBQ. He lives in Easton, MD with his amazing wife, two kids, and two dogs.

