Identity Threat Defense

Attackers Like Credentials More Than Exploit Kits, IAM & PAM

Share with your network!

You’re vulnerable. And cyber attackers know it.

This blog is one of two contributed by Ofer Israeli reflecting on important discussions about threat trends that took place at Team8’s recent CIO & CISO Summit in Tel Aviv.

Vulnerability management (VM) is a core security function tasked with reducing the enterprise attack surface. Hot-button issues among VM vendors and practitioners include how to improve prioritisation of patching, and how to reduce the number of days it takes to patch critical systems. Patching discipline is important and these challenges must be overcome—but times have changed. From the attacker’s perspective, exploiting vulnerabilities is taking a backseat to other methods of attack. For defenders to get ahead of current threats, it’s urgent to address an entirely different dimension of the attack surface—one that has unfortunately barely hit the radar.

More apps, more vulnerabilities…. more exploits?

According to Cybersecurity Ventures, there are 111 billion new lines of code developed every year. So it’s no surprise that from 2016 to 2017, there was a 125% growth in the number of vulnerabilities documented. Although there was no shortage of vulnerabilities for attackers to feed on, during the same period, there was only a 12% rise in the number that were exploited.

There’s also been notable reduction in the number of exploit kits being developed. In 2016, according to Recorded Future, 62 new exploit kits were introduced. In 2017, that number dropped to 10. What some saw as a temporary contraction was a result from the takedown of various criminal groups and services in 2016. Others attributed the fall-off to the rise in cryptojacking and improved browser security. But the following year, the number dropped again by 50% (see chart).

What’s going on here?

What attackers really want is your credentials

Why invest time in building exploits to get in through a virtual back door when you can just walk in the front door? By riding or manipulating the native connectivity that exists within the business, attackers can execute attacks from start to finish without ever exploiting vulnerabilities.

From the attacker’s perspective, this is far more appealing. Like other living-off-the-land techniques, it reduces the risk of detection, but it also eliminates the losses the attacker would suffer when their tools are discovered and fingerprinted. After all, once neutralised, a tool’s valuable software development efforts decay into sunk cost.

Analysis of breaches and attacker activity points to attackers’ growing preference to use credentials. In 2018:

  • 74% of breaches involved privileged account access [i]
  • When combined, privilege abuse and use of stolen credentials comprise the top threat actions [ii]
  • Credentials were the top type of data compromised [iii]
  • Credential theft was the main goal of phishing [iv]

Yes, you’ve invested in IAM and PAM

Regardless of how well-disciplined identity and access management, network segmentation, and privileged access management practices are, credentials are easy for attackers to acquire. Ordinary user activity leaves a wake of artifacts—an “access footprint” of credentials and connections—that malicious insiders or intruders can easily grab to progress an attack.

Proof in numbers

Over the past year, Illusive has used its Attack Surface Manager to prove the point. We’ve conducted dozens of attack risk assessments in both large and mid-size organisations to see what credentials and connections can be found. ASM quickly and automatically identifies a wide range of conditions, including:

  • AWS keys, Domain Admins, and other domain user credentials cached on systems
  • “Shadow” accounts that mimic high-privilege users and groups
  • Remnants of high-risk connections (e.g. improperly closed RDP sessions, and connections to high-value systems) that can be leveraged by skilled attackers
  • Unmanaged local admin accounts

It’s shockingly easy for attackers to get what they need.

  • 19% of endpoints have cached privileged accounts
  • 80% of companies lack visibility on the full range of privileged groups and privileged users that are actually in use within their networks
  • 70% of endpoints have Local Admins with “group” passwords—a condition that attackers can exploit to rapidly expand their presence
  • 25% of endpoints show a history of access to “crown jewels” that can be exploited

Of course, the maturity of cyber hygiene practices vary widely, but 100% of organisations had significant challenges in at least one area, and every one we tested showed privileged accounts residing where they don’t belong.

What you can’t see may be your biggest risk

The near-universal lack of visibility is especially frightening for several reasons:

  1. The access footprint is in constant motion. Connections get set up and torn down constantly through the day, and credentials get cached, cleared, and altered, both accidentally and intentionally. Even if you could gain clear vision on these artifacts today, the data would be outdated tomorrow. For an attacker, every minute presents new opportunity.
  2. IT change = hygiene challenge. Continuous technology-based innovation, and change in the IT infrastructure, lead to access management errors, while routine cyber hygiene—even if it could be performed at scale—is commonly back-burnered by the myriad priorities that suck up the attention of under-resourced security teams.
  3. The cyber attack is accelerating. Using Bloodhound and other similar tools, it is now on the horizon for cyber attackers to achieve in hours the domain control that once took them weeks or months to establish. Without the ability to meet attack automation with attack surface hygiene automation, attackers will pull further and further ahead of defender’s ability to stop them.

It’s urgent to re-envision vulnerability management

This is why we urge our readers to check out Attack Surface Manager. It continuously shows the credentials, connections and pathways to business-critical assets that are available right now to attackers, and provides an easy, scalable means to remove violations and minimise the lateral movement options an attacker has. Request a demo, or read more here.


[i] Centrify: Privileged Access Management in the Modern Threatscape

[ii] Verizon: 2019 Data Breach Investigations Report

[iii] Verizon: 2019 Data Breach Investigations Report

[iv] Proofpoint: The Human Factor 2018 – People-Centred Threats Define the Landscape