There’s no doubt about it, attackers want your credentials more than anything, especially administrative credentials. Why burn a zero-day or risk noisy exploits when you can just log in instead? If you were to break into a house, would you rather throw a brick through a window or use a key to the front door?
As attackers get in and want to maintain a level of stealth, they will want to steal as many credentials as possible.
Types of Credential Access
These can be stolen via brute force, although that is a noisy attack for anyone paying the slightest attention to their systems. There are also many examples of stealing hashed passwords and either passing the hash or cracking them offline. Although pass the hash is called out later in Lateral Movement, this is the tactic in which those hashes would be stolen. The last set of techniques revolves around an attacker stealing clear-text passwords which can be stored in clear-text files, databases, or even the registry.
Many of the techniques in this tactic are examples of how an attacker would obtain passwords. In any of these cases, the same recommendation applies that we all should follow in our digital lives. Use unique and complex passwords for every account.
Most important here is not using the same local administrator password for each system. It is not unheard of to see an attacker compromise one system, steal the local hashed passwords, and crack the local administrator password. If that is the same across the enterprise, the attacker now has administrative access to the entire network.
Just as important is also using complex passwords. Requiring uppercase, lowercase, numbers, and special characters has been the basic advice for years. However, using passphrases is just as effective.
The goal here is making password cracking difficult for attackers. An adequately long password can take years to crack. This is why we have complex passwords which need to also be changed frequently. Should one get stolen, the frequency of it being changed should be shorter than the time it would take to crack the password.
The final piece of the puzzle is monitoring usage of valid accounts. There are multiple cases of valid accounts being used in data breaches.
The first should baselining user activity. It is easy to say that users logging in after hours and from across the globe is a red flag but for global organizations, this can be difficult. Users logging in for the first time from a new country or logging into multiple systems at the same time can be red flags. Most SIEMs will have correlation rules to be able to detect these types of attacks, so sending authentication logs to a centralized server to analysis is critical.
Should you want to truly make an attackers life difficult, enabled multi-factor authentication. Even though there are attacks against two-factor authentication, having 2FA is better than not. By enabling multi-factor authentication, you can be assured that attackers cracking passwords will still have another hurdle when accessing critical data within your environment.
The credential access tactic can be mitigated by mostly following best practices. When best practices fail us and accounts get compromised, ensure that you have the proper logging enabled so that you can detect malicious usage of valid accounts.
There is also a mapping of CIS controls to the ATT&CK framework available. This can be helpful if you’re already adopting the CIS Controls and are starting down the path of adopting ATT&CK.
Read more about the MITRE ATT&CK Framework here:
- The MITRE ATT&CK Framework: Initial Access
- The MITRE ATT&CK Framework: Execution
- The MITRE ATT&CK Framework: Persistence
- The MITRE ATT&CK Framework: Privilege Escalation
- The MITRE ATT&CK Framework: Defense Evasion
- The MITRE ATT&CK Framework: Credential Access
- The MITRE ATT&CK Framework: Discovery
- The MITRE ATT&CK Framework: Lateral Movement
- The MITRE ATT&CK Framework: Collection
- The MITRE ATT&CK Framework: Exfiltration
- The MITRE ATT&CK Framework: Command and Control
- The MITRE ATT&CK Framework: Impact