Credentials Flagged as Leading Cause of Malicious… | BeyondTrust

Since the publication of the first of the Notifiable Data Breach reports by the Office of the Australian Information Commissioner (OAIC), following the introduction of the scheme in 2018, credentials have featured heavily as a leading cause of reported breaches. The latest report, for the period of January to June 2022, highlights that malicious or criminal attacks have remained a constant threat for Australian organisations. They account for the majority of reported data breaches, and credential theft is often key to the successful access of data.

Other key findings from the report indicate that the industries that potentially hold the most valuable Personally Identifiable Information (PII) – healthcare and finance – continue to be the top targets of criminal activity. Third on the list is recruitment agencies, which have seen a significant 39% increase in breaches from malicious attacks compared with the previous six months.

Another statistic worth noting from the latest report is the increased scale of the breaches. During the reporting period, there were four data breaches that impacted more than 100,000 Australians compared to a single breach in the previous period.

This blog will explore what these key findings from the latest OAIC Notifiable Data Breach Report indicate about the current cyberthreat-scape, how these trends are impacting organisations, and the proactive defences organisations can implement to increase their chances of preventing a data breach.

Identity at the heart of the attack

The recurring story of the Notifiable Data Breach reports, now published twice-yearly by the OAIC, is that compromised or stolen credentials – whether by phishing, brute-force attacks or other means – make up the majority (54%) of the cyber incidents that lead to data breaches in Australia. Breaches associated with ransomware come next at 22%.

What both breach causes have in common is the leveraging of identities to exploit their associated privileges and carry out an attack.

What makes identity such a high risk for organisations?

One of the top reasons identities pose such a high risk to organisations is the access that’s associated with them. Some organisations provide employees administrator access on their devices, meaning that they can install and run software and access systems, including those with sensitive customer information, with little in the way of checks and balances. Once attackers compromise an employee account, there is little to stop them from accessing the crown jewels of the target organisation.

Ransomware takes this a step further. By leveraging the admin rights of the compromised account, the attacker is able to run the malware necessary to exfiltrate and encrypt the company data. An attacker may then attempt to move laterally within an organisation to a place where they can inflict the most harm.

The top ramifications indicated by the Notifiable Data Breach report

While some of the impacts of the reported breaches are obvious and hugely significant to many Australians, the findings of the report also suggest some longer-term impacts. These include:

  • The sale of personal data: In targeting healthcare and finance organisations, malicious actors are looking for information that will allow for a quick payday – valuable personal information that can be readily on-sold or used in other activities where they may impersonate victims for quick financial gain.
  • The possibility that personal healthcare information could be used for extortion.

The report also pointed to some of the more nefarious tactics that are being undertaken by cyber criminals.

One example of this includes the targeting of recruitment agencies to obtain data on the period of onboarding or offboarding employees. This information presents numerous opportunities for malicious actors.

First, it provides the threat actor with valuable insight into a potentially easy entry point. In the case of recently offboarded employees, removing access to systems promptly when an employee leaves an organisation is important. However, it is something that organisations often struggle with. The 2021 Colonial Pipeline breach provides a good example of this. The attack on Colonial Pipeline was initiated via a VPN account that should have been disabled because it was no longer in use. Instead, the threat actor was able to enter the network through this orphaned account, resulting in a breach that heavily impacted petrol supplies along the US East Coast.

Newly onboarded employees offer an equally opportunistic entry point for attackers. Understanding where a new hire lands and who they report into can be leveraged by a criminal to craft a spear phishing or Business Email Compromise attack. The fact that a new hire may not be fully onboarded onto all of the organisation’s security protocols, and may not be educated in threat detection, increase the chances of a threat actor achieving a successful breach.

With so many successful data breaches resulting from credential theft and ransomware, it is clear that greater emphasis must be placed on mitigating the risks associated with the abuse of stolen credentials and the access that is gained by threat actors once they successfully breach a corporate network.

Privileged Access Management (PAM) is one of the leading intelligent identity and access security solutions, designed to help organisations condense their attack surface by enforcing the principle of least privilege and exerting appropriate levels of control over elevated access and permissions across an IT environment.

Here are a few of the components of a comprehensive PAM strategy that can help mitigate threats related to credential management:

  • Endpoint Privilege Management (EPM) – EPM solutions provide a layer of defence against the likes of phishing, malware, ransomware, fileless attacks, insider threats, and more by enforcing least privilege, eliminating local admin rights, and applying Trusted Application Control.
  • Many organisations adopting the Essential Eight, which provides defences against the most common threats faced by Australian organisations, utilize endpoint privilege management to provide them with the Application Control, User Application Hardening, and Restricting Admin Privileges mandated by the Essential Eight.
  • Privileged Password Management (PPM) – PPM solutions enable automated discovery and onboarding of all privileged accounts, secure access to privileged credentials and secrets, and auditing of all privileged activities. By removing the need for employees to remember their passwords – or for non-human accounts to have hard-coded passwords – organisations can reduce the risk of compromised privileged credentials while simplifying the path to compliance.
  • Secure Remote Access – For third party or remote access, similar removal of credentials can be put in place via Secure Remote Access solutions. In addition, these solutions can limit the capabilities of remote users, once logged on, to discreet activities even as simple as starting or stopping a process or rebooting a server. This reduces the ability for threat actors to gain a foothold on a system or move laterally should they have bonafide credentials.
  • Multi-Factor Authentication – With both privileged password management and secure remote access, adding an additional layer of authentication via multi-factor authentication (MFA) can provide further barriers to success for attackers.

The next steps for securing your identities

It is clear from the ongoing data of the Notifiable Data Breach reports that compromised credentials and ransomware will continue to be threats to Australian organisations in the near future.

However, it is also clear that there are a number of ways that Australian organisations can reduce the impact or effectiveness of such attacks, all while protecting the important PII that is so coveted by the same criminals who carry out these attacks.

Click here for more information about aligning with the Australian Cyber Security Centre (ACSC)’s Essential Eight risk mitigation strategies. If you would like to learn more about any of the BeyondTrust solutions mentioned above, please reach out to one of our trusted advisors.

Photograph of Scott Hesford

Scott Hesford, Director of Solutions Engineering, APJ

Scott Hesford has over a decade of experience in IT security. Before joining BeyondTrust in 2019, he worked as Principal Consultant for CA Technologies and other large enterprises in Australia and New Zealand. A trusted cyber security advisor to enterprise customers, his experience spans across several industries such as banking, insurance, energy and utilities, in addition to state and federal governments. At BeyondTrust, Mr Hesford is an essential contributor in the regional security engineering department, helping enterprises and government agencies improve their security posture against internal and external threats.

This post was first first published on BeyondTrust (en) website by . You can view it by clicking here