While at Black Hat last week in Las Vegas, the big cyber attack news was the loss of 1.2 billion usernames and passwords to a Russian gang, as reported by security consultant Hold Security. The company tracked the gang, which they have dubbed CyberVor (“thief” in Russian), for several months and found that it had collected over 4.5 billion records, mostly consisting of stolen credentials, from 420,000 Web and FTP sites. According to Hold Security, 1.2 billion of these credentials appear to be unique and belong to over half a billion email addresses. The attacks were not anything new, just a persistent use of social engineering and malware attacks.

The real question is not, “How did this happen?” but rather, “How can we allow these types of attacks to hurt our enterprises?” Although many organizations have a policy that prohibits reusing corporate credentials on third-party sites, enterprises have found it difficult to enforce these policies. The headlines are full of high-profile breaches on leading websites, some of which caused hundreds of millions of user accounts to be compromised. Significant new vulnerabilities such as the Heartbleed bug highlight the risk companies face from password reuse.

Password Protection: The User Risk

As passwords become more complex, employees are more likely to reuse their usernames and passwords on e-commerce, subscription and social media sites despite corporate policy prohibiting credential reuse. Because of this reality, cyber criminals have shifted their focus toward obtaining user information from popular websites since they know there is a high likelihood that those same credentials could be used to log in to other systems. As the news of this attack breaks, the big question for companies is, “If a third-party site is compromised, are we going to be part of the story?”

Attackers know it’s just a matter of time before an employee does one of the following:

  • Mistakenly clicks on a link in an email and enters credentials in what appears to be a trusted website;
  • Reuses his or her corporate credentials on third-party sites because it’s easier to remember one password instead of six or more passwords;
  • Unknowingly falls victim to a drive-by download, watering hole attack or infected USB drive.

As a result, one of the biggest challenges companies face when protecting corporate credentials is enforcing existing policies and preventing criminals from exploiting user behavior.

To help enforce password policies, information technology and security organizations have long delivered awareness programs that teach employees about the risk of password reuse and how to safeguard their corporate credentials. However, most companies have no way to enforce these policies or even know whether employees are complying.

Preventing the Loss and Theft of Corporate Credentials

Today, effectively preventing the theft of corporate credentials from advanced threats requires the following three essential capabilities:

  1. Preventing malware from compromising user systems and, when malware evades detection, blocking its outbound communication so that stolen credentials cannot be sent to a cyber criminal.
  2. Validating that corporate credentials are used only to log in to approved corporate applications, whether those applications are hosted internally or delivered by a software-as-a-service (SaaS) vendor, business partner or through the cloud.
  3. Automatically preventing corporate credentials from being sent to unauthorized sites. This can help prevent users from submitting their credentials on phishing sites and stop the reuse of corporate credentials on unapproved third-party sites such as social networks.

How to Protect Against Advanced Malware

Companies need to realize that a new threat prevention approach is necessary in order to truly protect against spear phishing, credential theft and advanced, information-stealing malware. By monitoring how and when corporate credentials are used and automatically preventing exposure, companies can protect their corporate credentials as the threat landscape evolves.

Unlike other approaches designed only to block malware, a company’s approach should prevent advanced malware and advanced persistent threats from compromising user endpoints and include special protections that prevent corporate credential theft and exposure. The following approaches are strongly recommended:

  • Blocking malware communications: Block malware and malicious communications from malware to prevent corporate credentials exposure. Even if malware has infected an employee’s machine, the user’s credentials can’t be exfiltrated.
  • Preventing corporate password exposure on phishing sites: Protect employee credentials from phishing attacks by validating that employees are submitting their credentials only to authorized login URLs. When users attempt to submit their enterprise credentials to an unauthorized URL, they should be required to provide different credentials.
  • Preventing reuse of corporate credentials on noncorporate sites: Prevent corporate employees from reusing their corporate credentials to access public sites such as e-commerce and social media sites. Monitor when corporate credentials are used and require users to change their credentials before logging in to a nonapproved website. As a result, organizations can easily support access to both corporate and approved third-party SaaS and cloud applications while preventing exposure on unauthorized sites.
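The two controls above (validating that corporate credentials go only to authorized login URLs, and flagging their reuse on unapproved sites) can be expressed as a small policy check over observed form submissions. The following is an added example and is not code from the original article or from any product it describes. It assumes a policy engine that holds only keyed HMAC fingerprints of corporate credentials rather than plaintext passwords, an allowlist of approved login hosts, and a requirement that approved submissions travel over HTTPS; the key, host names, usernames, passwords and submission events are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: the engine never stores corporate passwords in the clear. It keeps a
# keyed fingerprint (HMAC-SHA256) of each (username, password) pair, so a match can
# be tested without the plaintext ever leaving the identity store. Constructed key.
FINGERPRINT_KEY = b"example-only-key-rotate-in-production"


def fingerprint(username: str, password: str) -> str:
    """Keyed fingerprint of a credential pair; usernames compare case-insensitively."""
    message = (username.lower() + "\0" + password).encode("utf-8")
    return hmac.new(FINGERPRINT_KEY, message, hashlib.sha256).hexdigest()


# Constructed: the corporate SSO portal plus one approved SaaS vendor. Subdomains of
# an approved host are accepted; anything else is unapproved.
APPROVED_LOGIN_HOSTS = {"login.example-corp.internal", "sso.example-saas.com"}

# Constructed corporate credentials, stored only as fingerprints.
CORPORATE_FINGERPRINTS = {
    fingerprint("alice", "Winter2014!"),
    fingerprint("bob", "correct-horse-battery"),
}


@dataclass
class Verdict:
    action: str  # "allow", "block" or "ignore"
    reason: str


def host_is_approved(url: str) -> bool:
    """True only for HTTPS submissions to an approved host or one of its subdomains.

    The suffix test includes the leading dot so that a lookalike such as
    login.example-corp.internal.evil.test is not mistaken for the real portal.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower()
    return any(host == a or host.endswith("." + a) for a in APPROVED_LOGIN_HOSTS)


def evaluate_submission(url: str, username: str, password: str) -> Verdict:
    """Decide what to do with one observed login form submission."""
    if fingerprint(username, password) not in CORPORATE_FINGERPRINTS:
        # Personal credentials are none of the policy's business.
        return Verdict("ignore", "not a corporate credential")
    if host_is_approved(url):
        return Verdict("allow", "corporate credential sent to an approved login host")
    host = (urlsplit(url).hostname or "").lower()
    return Verdict("block", f"corporate credential submitted to unapproved host {host!r}")


# Constructed submission events, as a proxy or endpoint agent might observe them.
SAMPLE_EVENTS = [
    ("https://login.example-corp.internal/auth", "alice", "Winter2014!"),            # legitimate
    ("https://login.example-corp.internal.evil-lookalike.test/auth", "alice", "Winter2014!"),  # phishing page
    ("https://shop.example-store.test/login", "alice", "Winter2014!"),               # password reuse
    ("http://sso.example-saas.com/login", "bob", "correct-horse-battery"),           # approved host, but not HTTPS
    ("https://shop.example-store.test/login", "alice", "my-personal-password"),      # personal credential
]


def summarize(events) -> dict:
    """Count verdicts over a batch of events; useful for a quick policy report."""
    counts = {"allow": 0, "block": 0, "ignore": 0}
    for url, username, password in events:
        counts[evaluate_submission(url, username, password).action] += 1
    return counts


if __name__ == "__main__":
    for url, username, password in SAMPLE_EVENTS:
        verdict = evaluate_submission(url, username, password)
        print(f"{verdict.action:6} {url}  ({verdict.reason})")
    print(summarize(SAMPLE_EVENTS))
```

The "block" verdict is where an enforcement point would interrupt the submission and, as the article recommends, require the user to supply different credentials or change the corporate password before continuing. Because the engine holds only keyed fingerprints, a compromise of the policy engine itself does not hand an attacker the password list, and rotating the key invalidates every stored fingerprint at once.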
