Last month, I opined on how to protect corporate credentials in the wake of the loss of 1.2 billion usernames and passwords to Russian hackers. I threw down a gauntlet and challenged all to answer why we can continue to allow these types of attacks on passwords to hurt our enterprises. Although many organizations have a policy that prohibits reusing corporate credentials on third-party sites, enterprises have found it difficult to enforce these policies. The headlines are full of high-profile breaches on leading websites, some of which have caused hundreds of millions of user accounts to be compromised.

Maybe we don’t fully understand the scope of the problem. Across the three major threat vectors used by cybercriminals to get corporate credentials, there has been significant activity. The following are some related statistics:

Exposure by Third-Party Site Hack

“Almost as soon as the Heartbleed vulnerability was released as an OpenSSL advisory, IBM Managed Security Services (MSS) witnessed attackers immediately retooling and exploiting the bug on a global scale. Once the major vendors of intrusion detection and prevention systems created protection signatures, MSS was able to see just how bad the situation had become. On 15 April 2014, MSS witnessed the largest spike in activity across the customer base with more than 300,000 attacks in a single 24-hour period, just one day later,” according to the IBM X-Force Threat Intelligence Quarterly 3Q 2014.

Exposure by Phishing

“The Anti-Phishing Working Group tracks the number of unique phishing websites. This is now determined by the unique base URLs of the phishing sites. There were 180,378 phishing sites that were observed in Q2. This is the second‑highest number of phishing sites detected in a quarter, eclipsed only by the 164,032 seen in the first quarter of 2012,” according to the APWG Phishing Activity Trends Report Q2 2014.

Exposure by Malware

“In 2013 alone, there were 30 million new malware strains in circulation, at an average of 82,000 per day. This has brought the grand total of all malware samples in PandaLabs’ database to approximately 145 million,” according to the Panda Annual Report 2013.

“In Q1 2014, the total malware sample count in the McAfee Labs ‘zoo’ broke the 200 million sample barrier,” according to the McAfee Report Q1 2014.

“Massively distributed malware originally designed for financial fraud has been used to target nonfinancial organizations in an APT-style attack. These include the infamous Zeus, SpyEye and Shylock families. Over time, malware developers extended the capabilities of these malware families and added advanced evasion techniques to turn them into sophisticated APT tools that can target organizations in general,” according to IBM Trusteer research.

Preventing the Theft of Corporate Credentials

Today, effectively preventing the theft of corporate credentials from advanced threats requires the following three essential capabilities:

  • Validating that corporate credentials are used only to log in to approved corporate applications, whether those applications are hosted internally or delivered by a software-as-a-service vendor, a business partner or through the cloud.
  • Automatically preventing corporate credentials from being sent to unauthorized sites. This can help prevent users from submitting their credentials on phishing sites and stop the reuse of corporate credentials on unapproved third-party sites such as social networks.
  • Preventing malware from compromising the user systems and, in cases when malware avoids detection, helping prevent malware from communicating out to expose corporate credentials. This stops malware from communicating stolen credentials to a cybercriminal.

What all of this tells me is that we are still waking up to how difficult and challenging it is to protect corporate credentials. So here is my challenge to you this month: Can we stop thinking of protecting corporate credentials as an impossible mission?
