Some security breaches are fairly exotic, requiring the use of sophisticated techniques that would make Rube Goldberg proud. These types of efforts require a hundred things to go right in order to succeed and typically require the time, patience and financial backing of an advanced threat actor.
One might think that sophisticated threat actors prefer sophisticated techniques. On the contrary, although a sophisticated adversary may have the capability to pull off a complicated attack, most people are surprised to learn that the majority of breaches still rely on stolen credentials. It is far easier to steal credentials and use them for covert activities than it is to locate a zero-day vulnerability in an external-facing system. And attackers will take the easiest path to achieve their objectives.
Stolen credentials provide many advantages in the attack lifecycle. Effectiveness goes up, and the risk of getting caught goes down. An attacker doesn’t have to spend as much time getting past security countermeasures designed to stop intruders. The attack does not require getting malware into the environment or finding a way to execute it. The adversary simply uses the stolen credentials to take on the appearance of a trusted user, which reduces the risk of getting caught.
There is no shortage of advice on what to do about password risks, but to date most of it has focused on a problem space that bears little resemblance to the targeted attack. The advice to use filtering solutions to stop malicious links to credential phishing sites in email presumes that a security team knows the link is malicious before the user clicks. It also presumes that the link arrives via email. In a targeted credential phishing attack, neither can be assumed, for there are many ways to cloak a site’s true nature and many ways to get a link to the victim other than email.
The common practice of using multi-factor authentication to address the threat of stolen passwords is a good idea but hard to implement at enterprise scale. In most cases, organizations have a hard time trying to deploy multi-factor authentication across their application landscape. Political issues crop up when the security teams ask the application owners to make changes to their authentication methods. Application owners care about uptime and functionality, and it can be a hard sell to get them to add more security. Technological issues crop up when dealing with the myriad of resources that use passwords, many of which have little support for third-party authentication servers or plugins.
In PAN-OS 8.0, we’re pleased to announce new features that help organizations prevent an attacker from using stolen credentials. These new capabilities layer into the Next-Generation Security Platform, making it difficult to steal and use credentials in a successful attack. One of the new innovations we’ve added to the platform is the ability to stop the leakage of credentials to an unauthorized website. In-line inspection of network traffic by the platform makes it possible to implement policies that restrict the sites to which users can submit their corporate credentials. These measures are important, for they act as the safety net that stops credentials from being submitted to credential phishing sites, including sites that have never been seen before.
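As an added illustration of the in-line check described above (this is example code written for this page, not Palo Alto Networks’ code and not how PAN-OS implements the feature), the following Python sketch inspects a decrypted HTTP POST, recognizes a corporate username/password pair by a keyed fingerprint, and blocks the submission when the destination host is not on the list of approved credential sinks. The host names, field names, key and credential pair are all constructed for the demo.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Constructed values for the demo; a real deployment would source these from the directory.
ALLOWED_CREDENTIAL_HOSTS = {"sso.example-corp.internal", "mail.example-corp.internal"}
FINGERPRINT_KEY = b"constructed-demo-key"  # keyed so stored fingerprints do not reveal passwords
USERNAME_FIELDS = {"username", "user", "login", "email"}
PASSWORD_FIELDS = {"password", "passwd", "pass"}


def fingerprint(username: str, password: str) -> str:
    """Keyed hash of a credential pair; only fingerprints are kept at the inspection point."""
    msg = f"{username.lower()}:{password}".encode()
    return hmac.new(FINGERPRINT_KEY, msg, hashlib.sha256).hexdigest()


# Constructed corporate credential pair enrolled into the fingerprint store.
CORPORATE_FINGERPRINTS = {fingerprint("alice@example-corp.internal", "Winter2017!")}


def parse_http_post(raw: bytes) -> tuple:
    """Split a raw HTTP/1.1 POST into (Host header, decoded form fields)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    host = ""
    for line in head.decode(errors="replace").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    fields = {k.lower(): v[0] for k, v in parse_qs(body.decode(errors="replace")).items()}
    return host, fields


def inspect_submission(raw: bytes) -> str:
    """Return 'allow', 'block' or 'no-credential' for one captured POST."""
    host, fields = parse_http_post(raw)
    user = next((fields[k] for k in USERNAME_FIELDS if k in fields), None)
    pw = next((fields[k] for k in PASSWORD_FIELDS if k in fields), None)
    if user is None or pw is None:
        return "no-credential"
    if fingerprint(user, pw) not in CORPORATE_FINGERPRINTS:
        return "allow"  # a password was posted, but not a corporate one
    return "allow" if host in ALLOWED_CREDENTIAL_HOSTS else "block"


# Constructed sample: corporate credentials posted to a look-alike domain.
PHISH_POST = (b"POST /login HTTP/1.1\r\nHost: sso.example-corp-login.com\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"email=alice%40example-corp.internal&password=Winter2017%21")
```

The check only works on traffic the inspection point can read, so TLS sessions must be decrypted at that point, and a "block" verdict is also the natural trigger for a password reset and an alert on the destination host.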
In addition, the platform goes a step further to disrupt an attacker’s ability to use a set of stolen credentials to access critical applications. Our next-generation firewall enforces multi-factor authentication policy in the network, keeping the adversary from interacting with the application at all. This is a revolutionary approach to multi-factor authentication, for it strengthens security without direct changes to the application itself, avoiding the implementation pain that can derail pervasive enforcement of multi-factor authentication policy.
Both of these key technologies help organizations prevent targeted credential phishing and the use of stolen credentials for lateral movement.
Learn More About Preventing Credential-Based Attacks with Palo Alto Networks