Hackers don’t Hack, They Login
Many people think hacking looks like something out of a movie - a genius typing furiously, breaking into systems in seconds. But that’s not the reality. Hackers don’t hack. They log in. Attackers use stolen credentials to gain access to their victim organization, because why do something harder when this works?
Attackers make a great deal of money off compromised credentials on dark web marketplaces. In fact, there are cyber criminals known as “initial access brokers” who focus on just this work. Initial access brokers sell access they have obtained to an organization (often through exposed credentials) to another attacker, who might then do something like deploy malware on the victim.
Password reuse is extremely common. Some people will use the same password for every single thing (I bet you know someone like this, or maybe that someone is even you! Well, you’re in a good place to learn why and how you should fix that!). This further perpetuates the problem: it keeps credentials valuable to attackers, especially when one set of credentials can be used to compromise multiple different systems.
Multi-Factor Authentication (MFA) helps reduce this risk, but it’s not foolproof. We still see attackers leveraging exposed credentials to gain access to an organization. MFA is still important to implement for network access (regardless of location), remote access, and access to applications housing critical data or performing other critical business functions. However, MFA can be circumvented through methods such as socially engineering a victim into giving up an authenticator code, or through a SIM swapping attack. In a SIM swap, a person’s phone number is transferred to a SIM card under the control of an attacker, allowing them to intercept all phone calls and text messages meant for that person. This is problematic when MFA authenticator codes are sent via text message. Organizations and individuals can implement a stronger method of MFA, such as hardware tokens, to avoid these kinds of attacks.
Some other controls organizations and individuals can adopt:
1. Use a password manager!
The average person has 168 passwords. This is far too many for anyone to remember! A password manager is no longer a nice-to-have, it is a must (you can even use one that incorporates dark web monitoring to alert you of potential exposure of credentials before an attacker logs in).
2. Employ continuous monitoring
Monitor things like logins to your important accounts and devices, and alert on any suspicious network activity. It is important to prevent access via exposed credentials where possible, but when prevention fails, these logins should be alerted on quickly.
3. Do not expose VPN / Remote Desktop admin panels to the internet
Attackers love it when they can log in to your systems remotely. Ensure you do not have any kind of admin panel accessible from the internet to an attacker trying to log in. For example, you should not have a web portal that allows Remote Desktop into your environment and is reachable by anyone who knows its address.
4. Be suspicious of anyone asking for your credentials
This is something commonly emphasized, but it is very important to stay vigilant against social engineering campaigns. You should never give your credentials to anyone. No IT staff member or other person at a company needs your credentials to help you with your accounts, and you should never have to give them up.
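The continuous monitoring control above (item 2) is about catching the "attacker just logged in" case quickly. Here is an added example, not code from the original post, of simple detection logic run over constructed authentication log lines: it alerts on a successful login from a source IP never before seen for that account, and on a success that follows a burst of failures from the same source (the pattern of credentials being guessed or stuffed until one works). The log format, user names, IP addresses and thresholds are all assumed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not from any real system).
SAMPLE_LOG = """\
2024-05-01T08:02:11Z user=alice src=203.0.113.10 result=success
2024-05-01T08:40:53Z user=bob src=198.51.100.7 result=success
2024-05-02T09:01:05Z user=alice src=203.0.113.10 result=success
2024-05-03T02:14:09Z user=bob src=192.0.2.55 result=failure
2024-05-03T02:14:11Z user=bob src=192.0.2.55 result=failure
2024-05-03T02:14:13Z user=bob src=192.0.2.55 result=failure
2024-05-03T02:14:15Z user=bob src=192.0.2.55 result=failure
2024-05-03T02:14:18Z user=bob src=192.0.2.55 result=success
2024-05-03T03:30:00Z user=alice src=192.0.2.99 result=success
"""

# Assumed log line layout: "<ISO timestamp> user=<name> src=<ip> result=<outcome>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(success|failure)$")

def parse(log_text):
    """Parse log text into (timestamp, user, src, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (kind, user, src, timestamp) alerts for successful logins that
    (a) follow >= fail_threshold failures from the same src within window, or
    (b) come from a src never seen for that user once a baseline exists."""
    seen = defaultdict(set)       # user -> source IPs with a prior success
    failures = defaultdict(list)  # (user, src) -> failure timestamps
    alerts = []
    for ts, user, src, result in sorted(events):
        key = (user, src)
        if result == "failure":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append(("success-after-failures", user, src, ts))
        if seen[user] and src not in seen[user]:
            alerts.append(("new-source", user, src, ts))
        seen[user].add(src)
        failures[key] = []  # a success resets the failure burst for this pair
    return alerts
```

In practice the "known sources" baseline would be built from historical logs rather than from the same batch being scanned, so that the first successful login of a compromised account from an unknown address is not silently accepted as the baseline.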
Stay safe out there! I hope you learned something from this quick blog. If you did, check out some of my other blogs and be on the lookout for new ones coming soon!