How education and technology can stop hackers stealing corporate credentials

By Dave Prezzano, UK & Ireland Managing Director at HP Inc.

  • 2 years ago Posted in

Spending on corporate cybersecurity measures is on the rise as cyber-attacks wreak havoc on businesses. In the UK alone, cybercrime is costing the economy nearly £27 billion per year, while 83% have reported phishing attempts.

 

Why are attackers having success? An unholy trinity of static passwords, user error and phishing attacks continues to undermine efforts to secure data. Easy access to credentials gives threat actors a huge advantage. And user training alone cannot reset the balance – user education, and a robust approach to credential management is needed, with layers of protection to ensure credentials don’t fall into the wrong hands.

 

Challenges with passwords

Nearly half of all reported breaches during the first half of this year involved stolen credentials. Once obtained, threat actors can exploit them to deploy malware, spread ransomware or move laterally through corporate networks by impersonating genuine users. Extortion, data theft, intelligence collection, and business email compromise (BEC) are some activities that attackers could facilitate, with potentially severe financial and reputational ramifications.

 

It's perhaps unsurprising to hear that the cybercrime underground is awash with stolen credentials. In fact, research reveals that 24 billion were in circulation in 2021, which is a 65% increase on 2020. So why is this? One reason is poor password management. If a password can’t be guessed or cracked, logins can be phished individually from users, or stolen. The common practice of password reuse means these credential hauls can be fed into automated software to unlock additional accounts across the web, in credential stuffing attacks. Once in the hands of the hackers, they’re quickly put to work. According to one study, cybercriminals accessed nearly a quarter (23%) of accounts immediately post-compromise—most likely via automated tools designed to rapidly validate the legitimacy of the stolen credential.

 

User education is not a solution

Phishing is becoming increasingly sophisticated and poses a severe threat to businesses. Some attempts look so genuine that even a seasoned practitioner would have problems detecting them, unlike the error-filled spam of the past. Corporate typefaces and logos are faithfully reproduced.  Domains may utilise typo-squatting to appear at first glance identical to the legitimate ones. They might even use internationalised domain names (IDNs) to mimic legitimate domains by substituting letters from the Roman alphabet with lookalikes from non-Latin alphabets. This allows scammers to register phishing domains that appear identical to the original.

 

The same is true for the phishing websites that fraudsters lead workers to. These pages are intended to come across as credible. The URLs frequently use the same strategies as those described above, like substituting letters. They also copy fonts and logos. These tactics mean phishing pages appear to be the “real deal”. To deceive users, some login sites even display phoney URL bars that display a legitimate website address. This is why you can’t expect employees to know which sites are real, and which are trying to trick you into submitting corporate credentials.

 

As a result, user awareness programmes must be updated to account for evolving phishing tactics and those risks associated with hybrid working. A culture where reporting attempted scams is encouraged is crucial, as are brief, bite-sized training sessions with practical simulation exercises too.

Users should be urged not to click on links to pages from unknown or untrusted sources. They should instead log in directly to trusted websites. Additionally, employees should be taught to always check the URL bar to ensure they are on the site they think they should be on. Another key skill will be showing employees how to inspect URL links and interpret them, allowing them to potentially distinguish between a legitimate login page, and something posing as the real deal. This won’t work in all cases but could help in most.

 

The importance of real-time protection

But remember, there is no silver bullet and user education alone isn’t reliable to stop credential theft. Bad actors only need to get lucky once. Additionally, there are several ways for them to reach their victims including email, text, social media, and messaging apps. It’s unrealistic to expect every single user to recognise and report phishing attempts. Education must work with technology and robust processes.

 

Organisations should take a layered approach to credential management. The aim is to reduce the number of sites users have to put passwords into. Businesses should endeavour to implement single sign-on (SSO) for all reputable necessary work applications and websites. If there are logins that require different credentials, then a password manager would be helpful in the interim. This also provides a way for employees to know if a login page they are on can be trusted or not as the password manager won’t offer credentials up for a site it does not recognise. Organisations should also enable multi-factor authentication to secure logins. FIDO2 is also gaining adoption and will provide a more robust solution than traditional authenticator apps, which are still themselves better than codes sent via text messages.

 

But not all of this is fool proof, and phoney login pages could slip through the net. A last resort is needed to flag potentially risky login pages to employees. To deliver this, organisations can analyse threat intelligence in real-time, including metrics such as web page similarities, domain age and how users got there. This provides a real-time analysis for a login page. This could be used to block high-risk login pages or provide warnings to users to check again for less-risky login pages. Crucially this technology, part of the HP Sure Click Secure Browser, only intervenes at the last minute, so security appears transparent and doesn’t result in them feeling watched.

 

When combined  with an architectural approach to security, a layered approach to credential management can not only reduce the attack surface but mitigate risk from an entire class of phishing threats.

By Alasdair Anderson, VP of EMEA at Protegrity.
By Eric Herzog, Chief Marketing Officer, Infinidat.
By Shaun Farrow, Security Practice Lead at Bistech.
By Andre Schindler, GM EMEA and SVP Global Sales at NinjaOne.
By Darren Thomson, Field CTO EMEAI, Commvault.