What is a Credential-Based Attack?

Credential theft, the first stage of a credential-based attack, is the process of stealing credentials. Attackers commonly use phishing for credential theft, as it is a fairly cheap and extremely efficient tactic. The effectiveness of credential phishing relies on human interaction in an attempt to deceive employees, unlike malware and exploits, which rely on weaknesses in security defenses.

Corporate credential theft is usually a targeted effort. Attackers scour social media sites such as LinkedIn, searching for specific users whose credentials will grant access to critical data and information. The phishing emails and websites utilized in corporate credential theft are much more sophisticated than those used for consumer credential theft. Attackers put a great deal of effort into making these emails and websites look nearly identical to legitimate corporate applications and communications.

It is in this phase of credential-based attacks that security awareness training plays a role as the first line of defense. Unfortunately, there is no guarantee that employees will identify a phishing attempt 100 percent of the time. To minimize credential theft, corporate credentials should be limited to approved applications, and usage should be blocked from unlikely or unknown applications and sites. Security products be capable of blocking corporate credentials from ever leaving the organization’s network, and prevented from being submitted to malicious sites.

What is Credential Abuse?

Credential abuse, the endgame of a credential-based attack, is the actual use of compromised passwords to authenticate applications and steal data.

Once an attacker gets ahold of user credentials and passwords, they can sell the credentials in the cybercrime underground or use them to compromise an organization’s network, bypassing all security measures to keep an adversary out, move laterally within the network and steal data.

In an unsegmented environment, an attacker can move freely across an organization’s network. If the environment is segregated and provides visibility across users and applications, security measures can be put in place to prevent an attacker from moving laterally and gaining access to critical data.

Once an attacker has the credentials to operate like a valid user, there is very little that can be done to identify an intruder and validate if that user is really the person their credentials claim them to be. Organizations commonly implement multi-factor authentication within applications to require users to validate their identity more than once. However, doing this for every individual application used within the organization is not scalable. Implementing policy-based, multi-factor authentication at the network layer, meaning in the firewall, will provide the needed scale and end-user ease of use.

The Palo Alto Networks Next-Generation Security Platform stops the credential-based attack lifecycle in multiple places, from the theft of credentials to the abuse of stolen credentials. The combined prevention capabilities of the Next-Generation Firewall, Threat Prevention, WildFire and URL Filtering stops known and unknown attacks used for the theft and abuse of credentials, while GlobalProtect extends protections from the platform to mobile workforces and provides additional measures to identify users and devices that are accessing applications.

To learn more about preventing credential-based attacks, check out this product page.