By Morey Haber, CTO & CISO at BeyondTrust
If you were a cyber criminal, imagine what you could do with a cache of stolen passwords. Perhaps you might launch a brute force attack against targeted organisations. Maybe you could monetise your stolen passwords by selling them on the Dark Web.
More advanced cyberthreat actors might link the data with other sources to widen the scope of targets, in the hope that the compromised identities reused passwords across multiple accounts and services. And the most persistent attackers may hammer on your web-based accounts until they break in. Think this sounds far-fetched? Consider this recent old-school attack against financial systems.
Another devious method threat actors use to gain persistent access to financial accounts is to extract funds en masse from ATMs, leaving little time for a response before the transactions complete. The Harvard Business Review has a good summary of this type of threat. These attacks can stem from vulnerabilities and exploits, or from caches of pilfered PINs and passwords. Essentially, they exploit a privileged attack vector and steal money from everyone all at once. If you think this type of cyberattack happened only years ago and could not happen today because the indicators of compromise are well known, you’d be mistaken.
Tips for Protecting Against Password Pickpockets
Any time an individual or group knows the password(s) of another group of people or resources, a pickpocket attack could occur. The most famous such incident involved Edward Snowden (and yes, everyone in the government and security industry is sick of hearing his name). Snowden illegally obtained credentials from his co-workers and used those heisted passwords, together with authorised data-access terminals (workstations), to steal information. Users were unaware of the theft, passwords were not rotated, and information was stolen piece by piece to avoid detection. This type of slow, sinister data theft also happened to Yahoo and Starwood, albeit via slightly different privileged attack forms, and not all at once.
Pickpocket password threats can come from inside or outside your organisation. They can happen in our personal lives and in any business, organisation, or government. The threat is based around the concept of one entity knowing too many credentials and passwords for someone (or something) else. The credentials have been obtained illicitly, and the perpetrator has malicious intent in reusing them.
So we are left with a security dilemma. How do we mitigate this type of threat? Here are a few strategies:
As privilege attack vectors continue to evolve, organisations need to remain vigilant against the security risk of stolen passwords. Remember, anyone, whether inside or outside your organisation, who has a vast knowledge of illegally obtained passwords is a potential threat.