During Black Hat last week in Las Vegas, the big cyber attack news was the loss of 1.2 billion usernames and passwords to a Russian gang, as reported by security consultant Hold Security. The company tracked the gang, which it has dubbed CyberVor (“vor” is Russian for “thief”), for several months and found that it had collected over 4.5 billion records, mostly stolen credentials, from 420,000 Web and FTP sites. According to Hold Security, 1.2 billion of these credentials appear to be unique and belong to over half a billion email addresses. The techniques were nothing new: persistent social engineering and malware campaigns, applied at scale.

The real question is not, “How did this happen?” but rather, “How can we allow these types of attacks to hurt our enterprises?” Although many organizations have a policy that prohibits reusing corporate credentials on third-party sites, enterprises have found it difficult to enforce those policies. The headlines are full of high-profile breaches of leading websites, some of which compromised hundreds of millions of user accounts. Significant new vulnerabilities such as the Heartbleed bug, which let an attacker read credentials out of a vulnerable server’s memory, highlight the risk companies face from password reuse: a corporate password entered on any one of those sites is only as safe as that site.

Password Protection: The User Risk

As passwords become more complex, employees are more likely to reuse their usernames and passwords on e-commerce, subscription and social media sites despite corporate policy prohibiting credential reuse. Because of this reality, cyber criminals have shifted their focus toward obtaining user information from popular websites since they know there is a high likelihood that those same credentials could be used to log in to other systems. As the news of this attack breaks, the big question for companies is, “If a third-party site is compromised, are we going to be part of the story?”

Attackers know it’s just a matter of time before an employee does one of the following:

  • Mistakenly clicks on a link in an email and enters credentials in what appears to be a trusted website;
  • Reuses his or her corporate credentials on third-party sites because it’s easier to remember one password instead of six or more passwords;
  • Unknowingly falls victim to a drive-by download, watering hole attack or infected USB drive.

As a result, one of the biggest challenges companies face when protecting corporate credentials is enforcing existing policies and preventing criminals from exploiting user behavior.

To help enforce password policies, information technology and security organizations have long delivered awareness programs that teach employees about the risk of password reuse and how to safeguard their corporate credentials. However, most companies have no way to enforce these policies or even know whether employees are complying.

Preventing the Loss and Theft of Corporate Credentials

Today, effectively preventing the theft of corporate credentials by advanced threats requires the following three essential capabilities:

  1. Preventing malware from compromising user systems and, when malware evades detection, blocking its outbound communication so that stolen credentials cannot be sent back to the cyber criminal.
  2. Validating that corporate credentials are used only to log in to approved corporate applications, whether those applications are hosted internally or delivered by a software-as-a-service (SaaS) vendor, a business partner or through the cloud.
  3. Automatically preventing corporate credentials from being sent to unauthorized sites. This stops users from submitting their credentials to phishing sites and prevents the reuse of corporate credentials on unapproved third-party sites such as social networks.

How to Protect Against Advanced Malware

Protecting against spear phishing, credential theft and advanced, information-stealing malware requires a threat prevention approach that goes beyond blocking known malware. By monitoring how and when corporate credentials are used and automatically preventing their exposure, companies can keep those credentials protected as the threat landscape evolves.

Rather than stopping at malware blocking, that approach should both prevent advanced malware and advanced persistent threats from compromising user endpoints and add protections specific to corporate credential theft and exposure. The following three measures are strongly recommended:

  • Blocking malware communications: Block malware and its command-and-control traffic to prevent corporate credential exposure. Even if malware has infected an employee’s machine, stolen credentials cannot reach the attacker as long as the outbound channel is blocked.
  • Preventing corporate password exposure on phishing sites: Protect employee credentials from phishing attacks by validating that employees submit their corporate credentials only to authorized login URLs. When a user attempts to submit enterprise credentials to an unauthorized URL, the submission should be blocked and the user required to use different credentials. The check must match the actual corporate password (for example, against a salted hash held by the agent or proxy) and compare whole hostnames against an allowlist, because phishing domains routinely embed the legitimate hostname.
  • Preventing reuse of corporate credentials on noncorporate sites: Prevent employees from reusing their corporate credentials to access public sites such as e-commerce and social media sites. Monitor when corporate credentials are used, block the attempt and require users to choose different credentials before logging in to a nonapproved website; a corporate password that has already been submitted there should be treated as exposed and reset. As a result, organizations can support access to both corporate and approved third-party SaaS and cloud applications while preventing exposure on unauthorized sites.
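The three capabilities listed under the previous heading and the three measures above reduce, on the endpoint or the web proxy, to one decision per form submission: is this the user’s corporate password, and is the destination an approved login host? The following Python sketch is an added example written for this page, not code from any product or vendor. The approved-host list, the user record, the sample password and the sample submissions are all constructed for illustration, and the monitor keeps only a salted PBKDF2 hash of the corporate password, never the plaintext.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed, hypothetical allowlist for this example. In practice this comes
# from the SSO/IdP configuration and is matched on the whole hostname.
APPROVED_LOGIN_HOSTS = {
    "login.example-corp.com",   # on-premises SSO portal
    "example-corp.okta.com",    # SaaS identity provider
}

PBKDF2_ROUNDS = 50_000  # demo value; align with the directory's password policy


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash) to store for a user when the corporate password is set.
    The plaintext is discarded; only this pair is ever held by the monitor."""
    salt = secrets.token_bytes(16)
    return salt, _pbkdf2(password, salt)


def is_corporate_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the hash.
    return hmac.compare_digest(_pbkdf2(candidate, salt), stored)


def host_is_approved(host: str) -> bool:
    """Exact hostname or subdomain of an approved host; never a substring match,
    so login.example-corp.com.evil.test is NOT approved."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in APPROVED_LOGIN_HOSTS)


def _password_fields(form: dict) -> list:
    # Heuristic: any non-empty field whose name hints at a password is a candidate.
    return [v for k, v in form.items()
            if v and any(t in k.lower() for t in ("pass", "pwd", "secret"))]


def classify_submission(url: str, form: dict, user_record: dict) -> dict:
    """Decide whether a form POST may proceed.

    user_record = {"username": ..., "salt": ..., "hash": ...} for the endpoint's user.
    Returns {"action": "allow"} or {"action": "block", "reason": ..., "require_password_reset": True}.
    """
    host = urlsplit(url).hostname or ""
    if host_is_approved(host):
        return {"action": "allow", "host": host}

    for candidate in _password_fields(form):
        if is_corporate_password(candidate, user_record["salt"], user_record["hash"]):
            # The corporate password was typed into an unapproved site. Block the
            # POST and treat the password as exposed, whether the site is a
            # phishing page or a legitimate third-party service.
            return {"action": "block", "host": host,
                    "reason": "corporate password submitted to unapproved host",
                    "require_password_reset": True}

    # Unapproved host, but not the corporate password: personal credentials are
    # outside this policy's scope, so the submission proceeds.
    return {"action": "allow", "host": host}


if __name__ == "__main__":
    # Constructed sample enrolment and submissions.
    salt, h = enroll("Correct-Horse-2014!")
    rec = {"username": "jdoe@example-corp.com", "salt": salt, "hash": h}
    samples = [
        ("https://login.example-corp.com/sso", {"user": "jdoe", "password": "Correct-Horse-2014!"}),
        ("https://login.example-corp.com.evil.test/sso", {"user": "jdoe", "password": "Correct-Horse-2014!"}),
        ("https://shop.example-store.test/signin", {"email": "jdoe@example-corp.com", "pwd": "Correct-Horse-2014!"}),
        ("https://shop.example-store.test/signin", {"email": "jdoe@example-corp.com", "pwd": "something-else"}),
    ]
    for url, form in samples:
        print(url, "->", classify_submission(url, form, rec))
```

Two design points matter here. First, the decision keys on the password, not the username: an employee who signs up at a shop with a corporate email address but a different password is allowed through, which is exactly the behaviour the reuse policy wants, while the same employee typing the corporate password into that shop (or into a lookalike SSO domain) is blocked and flagged for a reset. Second, the allowlist matches whole hostnames, so `login.example-corp.com.evil.test` fails the check even though it contains the legitimate name. Whatever component runs this (a browser extension, an endpoint agent or a TLS-inspecting proxy) needs to see the cleartext form field, so it has to sit before encryption on the client or behind interception on the proxy.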
