When we look at the sheer number of vectors an adversary uses to compromise or breach their target, credential compromise is right up there with phishing as the two leading sources of compromise. In fact, phishing’s primary objective is to obtain credentials. Threat actors get a lot of press for creating new exploits, but isn’t it easier to just log in? Stats show that detecting a breach that leveraged stolen credentials takes ~50% longer than detecting one that used the other primary methods (exploits, misconfiguration, etc.). Why is that? And what can we do to make it harder? Let’s talk about MITRE ATT&CK’s 8th tactic, Credential Access!

The importance of Credential Access

Credential access is simply obtaining (stealing) usernames and passwords to use in other steps of an operation. While other TTPs might help an adversary create their own creds or bypass them altogether, stolen credentials are the Holy Grail. Governments spend significant funds, time, and resources securing their own communications and safeguarding access. Sure, they spend resources protecting them from other attacks too. They’ll prepare for nuclear, biological, chemical (NBC) attacks, bomb/blast resistance, and more. The White House is rumored to have anti-aircraft missiles and a huge underground bunker! All of the kinetic protection in the world cannot stop someone carrying legitimate credentials from walking in the front door. Information system resources are no different – no firewall, IDS/IPS, proxy, or other protective measure is expected to block legitimate credentials.

Ghost Stories – real world credential access!

In 2010, the FBI uncovered a network of Russian sleeper agents operating in the United States, known as the “Illegals Program.” These agents assumed false identities and lived for years as ordinary American citizens while secretly working for the Russian government. If you haven’t seen the FX television series “The Americans”, you are missing out. There are lots of similarities there!

One of the most notorious figures in the real Illegals Program network was Anna Chapman, whose real name is Anna Kushchenko. Chapman and her fellow operatives had stolen the identities of deceased individuals to obtain forged passports and other documents, allowing them to blend seamlessly into American society. This access enabled them to gather intelligence on American political figures and policymakers. They also moved laterally to cultivate contacts with influential individuals who could provide valuable information to the Russian government. It is no wonder why this made for good TV!

Ghosts in the wires: how stakes change the game

The truth is, stealing and abusing identities is much easier and more common in information systems. The concepts might seem similar, but the circumstances lead in very different directions:

  • Reduced workload: threat actors don’t need artists, forgers, disguise experts, or the time to use them.
  • Simpler on-mission logistics: cyber adversaries don’t need a physical logistics chain of handlers, safe houses, or dead drop locations.
  • Abundant and easily accessible identities: threat actors have the luxury of continually mining or acquiring new credentials without draining resources.
  • Much lower stakes: While more traditional agents find themselves in continual danger, threat actors act with relative impunity.

This completely different spectrum of concerns and worries makes credential access both lower risk and more critical to a threat actor’s operation. Traditional espionage identities were used sparingly and with great care. The dark web’s bountiful repositories of leaked information and accounts, together with the work of initial access brokers, equip adversaries with thousands of identities for their chosen target. And if one is caught by the defenders, the adversary feels no remorse – there are plenty of other identities at hand that can be applied in no time.

Carbanak bucks the trend of bigger APTs farming out their Credential Access, and puts a huge focus on it. Must be the focus on financials? (from https://ma-insights.vercel.app/adversaries)

Credential Access: gaming the system & abusing its rules

After last week’s post on Defense Evasion (43 techniques and 155 sub-techniques!) this should seem more manageable. Credential Access (TA0006) comes in with a fairly modest 17 techniques and 49 sub-techniques. If we take a cue from last week and attempt to categorize them, it would seem that we could group them into 4 categories: theft, intercept, forgery, or bypass:

| Theft | Intercept | Forgery | Bypass |
|---|---|---|---|
| Brute Force (T1110) | Input Capture (T1056) | Create Account (T1136) | Exploitation for Credential Access (T1212) |
| OS Credential Dumping (T1003) | Adversary-in-the-Middle (T1557) | Forge Web Credentials (T1606) | Multi-Factor Authentication Request Generation (T1621) |
| Credentials from Password Stores (T1555) | Multi-Factor Authentication Interception (T1111) | Steal or Forge Authentication Certificates (T1649) | Modify Authentication Process (T1556) |
| Unsecured Credentials (T1552) | Network Sniffing (T1040) | Steal or Forge Kerberos Tickets (T1558) | Forced Authentication (T1187) |
| Steal Application Access Token (T1528) | | | |
| Steal Web Session Cookie (T1539) | | | |

Some of these techniques could appear in 2 columns, but this is an attempt to show them in their more common use.

This categorization was again up to me and my Sunday state-of-mind, but you get the gist! Execution, Defense Evasion, Privilege Escalation, and Initial Access are often combined together in a single operational step. Credential Access techniques are likely separate. Heck, for most identities, odds are they don’t even get acquired in the same operation! Why is that?

Credential Access as a Service? Or at least as a side-hustle

The harvesting of identities for malicious activity can be detected by an attentive defender, and linking that activity to the operational end-goals is certain to spook the defender. Even the most notorious of state-sponsored threat actors subcontracts the gathering of credentials whenever possible. There are a lot of good reasons for that. Many of the techniques may involve password cracking, which is a time- and resource-intensive effort, so it is best to take that offline. Some of the credentials used tomorrow came from yesterday’s breaches – indeed it is often a primary objective of a breach to reveal caches of identities for future use!

This doesn’t mean that an in-progress adversarial operation ignores these techniques altogether. Some of the techniques in this tactic aren’t that easy. Stealing Application Access Tokens (T1528), Stealing Web Session Cookies (T1539), and those techniques and sub-techniques manipulating MFA will necessarily occur as-needed. They are very time-sensitive and required for lateral movement and escalation. Credentials obtained prior to an operation may also be limited to a subset of user groups. Most adversaries will augment during the operation when they need to access a service account or administrator’s access.

How can we protect these identities?

If you are reading this and saying “don’t we have a LOT of solutions that claim to protect these identities and the credential access?” then you are spot on. The mitigations offered by ATT&CK should sound very familiar:

  • Least Privilege Access: limit access to only those who 1) need it and 2) demonstrate they can be trusted.
  • Segmentation: network segmentation gets all of the love, but consider segmenting at every layer of the OSI model, and in other places. Files and folders, application services, and even the separation of work and private use should be on the table. Even Privileged Access Management fits in here!
  • Restrict access: don’t let folks do the same things from afar as they can in the DC or on the campus.
  • Harden and patch systems: OSes are configured by default to do certain things for compatibility. Turn those off (NTLMv1, LANMAN, LLMNR, etc.). And follow CIS hardening guides as much as practical.
  • Use hardened MFA: don’t make it optional, and take measures to ensure only strong methods are used. Don’t allow weaker SMS or 1-click options, but rather use phish-resistant methods, non-default configurations, and throttling to harden.
  • Log and Audit: watch login events, monitor for spraying and brute-force attacks, and even deploy canary accounts. This goes a long way toward catching abuse before harm is done.
  • Account Policies: combine whatever is available to make it harder on imposters. Got geo location? Use it! Cert-based auth an option? YES PLEASE! No matter what, make it hard for folks to guess, spoof, or hijack an identity.
  • User Training: MFA and restrictions can be seen as friction. Help users understand the why and turn them into proactive sensors for you!
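As an added example (not from the original post), here is the kind of detection logic the Log and Audit item describes, run over constructed authentication log lines: it flags password spraying (many users from one source), brute force (one user hammered from one source), and any touch of a canary account. The log format, the thresholds, and the svc-canary account name are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system): time result user source
SAMPLE_LOG = """
2024-03-10T09:00:01 FAIL alice 203.0.113.7
2024-03-10T09:00:02 FAIL bob 203.0.113.7
2024-03-10T09:00:03 FAIL carol 203.0.113.7
2024-03-10T09:00:09 OK carol 203.0.113.7
2024-03-10T09:05:00 FAIL alice 198.51.100.4
2024-03-10T09:05:01 FAIL alice 198.51.100.4
2024-03-10T09:05:02 FAIL alice 198.51.100.4
2024-03-10T09:05:03 FAIL alice 198.51.100.4
2024-03-10T09:30:00 OK svc-canary 192.0.2.9
2024-03-10T10:00:00 FAIL frank 10.0.0.5
2024-03-10T10:00:30 OK frank 10.0.0.5
"""

def max_distinct_in_window(pairs, window):
    """Largest number of distinct values among (timestamp, value) pairs that fall
    inside any span of length `window`; a sliding window over the time-sorted pairs."""
    pairs = sorted(pairs)
    live, left, best = Counter(), 0, 0
    for t, value in pairs:
        live[value] += 1
        while t - pairs[left][0] > window:   # slide the left edge forward
            live[pairs[left][1]] -= 1
            left += 1
        best = max(best, len(+live))   # unary + keeps only values with a positive count
    return best

def detect(log, window=timedelta(minutes=5), spray_users=3, brute_tries=4, canaries=("svc-canary",)):
    """Return sorted (kind, subject, source) alerts. 'svc-canary' is a constructed account name."""
    fails_by_src, fails_by_pair, succeeded, alerts = defaultdict(list), defaultdict(list), set(), []
    for i, line in enumerate(l for l in log.splitlines() if l.strip()):
        ts, result, user, src = line.split()
        ts = datetime.fromisoformat(ts)
        if user in canaries:   # a canary is never used legitimately: alert on OK and on FAIL
            alerts.append(("canary", user, src))
        if result == "OK":
            succeeded.add(src)
        else:
            fails_by_src[src].append((ts, user))
            fails_by_pair[(user, src)].append((ts, i))   # i keeps every attempt distinct
    for src, pairs in fails_by_src.items():   # many users from one source = spraying
        if max_distinct_in_window(pairs, window) >= spray_users:
            alerts.append(("spray_then_success" if src in succeeded else "spray", src, "*"))
    for (user, src), pairs in fails_by_pair.items():   # one user hammered from one source
        if max_distinct_in_window(pairs, window) >= brute_tries:
            alerts.append(("brute_force", user, src))
    return sorted(alerts)
```

A spray that ends in a successful login is reported separately, since that is the case where the identity has already been taken and lateral movement is likely next; frank’s single failure followed by success stays below every threshold and produces no alert.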

At the risk of sounding like a broken record, the above measures are critical! These steps seem simple but can be a bear – pick a couple and see them through before trying to tackle more!

Conclusion

We unfortunately don’t see Credential Access being abused in real time very often. Inadequately trained and supported defenders lacking context and deprived of logs fail to detect legitimate credential access being abused by adversaries. Organizations all start out thinking they have a handle on it, but something happens along the way, and they end up completely missing their own credentials either being stolen or being misused. This applies to both traditional espionage and to cybersecurity.

Well-trained operators with sufficient telemetry and time can provide counter-espionage or blue team coverage and radically reduce this threat. The main characters in The Americans hung in there for almost 17 years! In the real world, the FBI’s investigation into the Illegals Program, code-named Operation Ghost Stories, eventually led to the 2010 arrest and deportation of ten Russian agents, including Chapman. This happened within a year of Chapman landing in the US, and before significant national security damage could occur.

We only hear of the failures in the cyber realm, but you can bet that success is attainable and has happened. Success here doesn’t mean deportation or any diplomatic leverage, but does it need to? Show the hackers the door, and get ready for the next wave. Because it is coming.

I hope this post was informative! Please send any feedback my way 🙂