Credential harvesting attacks can threaten your networks

In these strange times of Covid-19, companies face increased and expanded cybersecurity threats. Enterprise security perimeters expanded dramatically almost overnight as both employees and vendor reps began working from their homes. Threat actors are using the pandemic to create new, devious phishing and social engineering campaigns such as credential harvesting, with which to lure your staff and harvest your valuable credentials. And during extreme events such as a pandemic, it is more likely that employees or former employees will go rogue because of financial distress. This already increased threat is magnified further for third parties accessing your network.

What is a credential harvesting attack?

Credential harvesting is when a bad actor, internal or external, gains access to important credentials. These credentials could then be sold on the black market, or used by hackers to hold an organization for ransom. The harvesting attack itself is the method by which a bad actor obtains those credentials. The most common is a phishing attack, where a user is tricked into entering their access credentials (or simply revealing them) to a fraudulent source.

Credential harvesting attack methods

As mentioned above, phishing remains a highly successful credential harvesting attack method. In 2020, 75% of organizations around the world experienced some kind of phishing attack. 96% of those credential harvesting attacks arrived via email – a common method of attack – and the average cost of a data breach caused by compromised credentials totaled $3.92 million. Other credential harvesting attack methods include malware, man-in-the-middle attacks (where an attacker finds a way in through a public network), social engineering, and insider attacks. The rise of at-home work environments that are often less protected, and of burned-out employees who may turn into bad actors, means that organizations are at more risk than ever. The value of credentials of all kinds has been rising every year, with healthcare logins topping the list at $500 per record, according to a VMware study. However, if an internal employee has only one credential to sell, it provides external hackers with little value unless they are able to move laterally and infect other machines. Additionally, the seller would need the technical knowledge to reach the Dark Web, navigate the depths of its many murky marketplaces, and take payment in Bitcoin.

How to protect against credential harvesting attacks

1. Enforce multi-factor authentication

A harvested credential is only valuable if it actually provides access. Multi-factor authentication methods, whether via a phone alert, an email, or a biometric scan, prevent a single password from granting access to critical assets. This renders the harvested credentials useless on their own and protects organizations from breaches after a credential harvesting attack.

2. Ensure credential vaulting

Credential vaulting, such as that available in vendor privileged access management (VPAM) systems, can provide a key roadblock for users of stolen credentials. These systems keep all privileged credentials in an encrypted vault and never let users see the actual login information. Instead, a user checks out the right to use a credential, the checkout is logged, and the system passes the encrypted credential to the appropriate target, initiating the login for the user automatically. This can keep a key credential from being stolen from a user, because the user never had the login information in the first place. These systems also provide valuable usage and tracking information for all your privileged logins, for use in monitoring and audit efforts.
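The checkout-and-broker workflow described above, as an added example that is not code from any VPAM product: the vault stores a constructed sample credential encrypted under a key it never releases, the user receives only an opaque single-use handle, every checkout and login is logged, and the toy `keystream_xor` cipher, `Vault` class and `demo` function are assumptions made for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed example, not a real VPAM product: the user gets an opaque, single-use
# checkout handle, the checkout is logged, and only the broker redeems the handle by
# injecting the password into the target login, so the user never sees the plaintext.

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy SHA-256 keystream cipher standing in for the vault's encryption (real: HSM/KMS)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass
class Vault:
    master_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    store: dict = field(default_factory=dict)    # account -> (nonce, ciphertext)
    handles: dict = field(default_factory=dict)  # handle -> (user, account)
    audit: list = field(default_factory=list)    # usage trail for monitoring and audit

    def add(self, account: str, password: str) -> None:
        nonce = secrets.token_bytes(16)
        self.store[account] = (nonce, keystream_xor(self.master_key, nonce, password.encode()))

    def checkout(self, user: str, account: str) -> str:  # grants the right to use, never the secret
        handle = secrets.token_urlsafe(16)
        self.handles[handle] = (user, account)
        self.audit.append((user, account, "checkout"))
        return handle

    def broker_login(self, handle: str, target_login) -> bool:  # single-use redemption
        user, account = self.handles.pop(handle, (None, None))
        if user is None:
            self.audit.append((user, account, "rejected"))
            return False
        nonce, ciphertext = self.store[account]
        password = keystream_xor(self.master_key, nonce, ciphertext).decode()
        self.audit.append((user, account, "login"))
        return target_login(account, password)  # plaintext goes to the target, not the user

def demo() -> dict:
    vault = Vault()
    vault.add("db-admin", "s3cr3t-never-shown")  # constructed sample credential
    handle = vault.checkout("vendor-rep@example.com", "db-admin")
    ok = vault.broker_login(handle, lambda acct, pw: pw == "s3cr3t-never-shown")
    replay = vault.broker_login(handle, lambda acct, pw: True)  # reused handle is refused
    return {"login": ok, "replay": replay, "handle_leaks": "s3cr3t" in handle, "audit": vault.audit}
```

The audit list is what a monitoring team would forward to a SIEM: a "rejected" entry for a handle that was already redeemed is exactly the signal that a checkout token was captured and replayed.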

3. Implement a third-party management system

A strong defense against third-party credential abuse is an integrated vendor management system that provides controls and protections at each step of the process. VPAM is designed to treat vendors differently than internal users at each stage of access: identification, onboarding, authentication (credential vaulting), authorization (granular least privilege), monitoring (detailed logs with video capture and keystrokes of vendor sessions), and instant offboarding. These systems provide all the key controls you need to limit vendor and third-party risk from credential abuse and theft, both during crisis times and in normal operations, all in a single platform. Whichever strategy and tool set you choose, make sure you also update your key policies, such as your incident response and business continuity plans, your education programs, and other communications, in order to integrate your new efforts with your existing programs and controls for third-party risk management.