Credential Harvesting: Understanding and Combating the Threat

In the growing battle against cybercrime, digital identities have become an increasing target for cybercriminals looking for ways to infiltrate networks or generate income. As a result, credential harvesting has emerged as one of the most widespread and dangerous security risks facing individuals and organisations alike.

The situation has become so serious that malware-free activity now accounts for nearly three-quarters of detected attacks, according to industry research: the attacker simply logs in with stolen credentials rather than dropping a payload. What’s more, another study found that 59% of respondents believed compromised accounts or credentials had resulted in a successful cyber attack in the previous 12 months.

And as we build technology ever more deeply into the fabric of our daily lives, these trends are unlikely to improve any time soon, with threat actors exploiting technology loopholes and human error to steal credentials by the million.

A huge part of the problem is that credentials are, in many cases, relatively easy to steal. The continuing rise in phishing attacks would be bad enough on its own, but tactics such as Multi-Factor Authentication (MFA) fatigue go further: an attacker who already holds a stolen password triggers a stream of push notifications until the user, worn down or confused, approves one. Organisations are finding that users can literally be pestered into letting the attacker in.

From that point onwards, the security door is ajar. Threat actors can log in to the compromised account without further impediment, or feed stolen username and password pairs into automated credential stuffing tools that replay them against many other services, exploiting password reuse until something opens. Traditional controls that look for malware or known-bad indicators struggle to detect or prevent these attacks, which is hardly surprising: from the system’s point of view, a legitimate user has logged in with legitimate credentials.

Empowering and Educating the Frontline

So where does that leave security leaders, almost all of whom are concerned about compromised credentials resulting from phishing or social engineering attacks? There are a number of key priorities to address, beginning with the need for effective employee education.

Given the ubiquitous use of email in the modern workplace, everyone is a potential target for those intent on credential harvesting. Effective user training therefore has a huge role to play in lowering the risks, from awareness of how phishing attacks work to ensuring people understand how to spot fake emails, no matter how convincing they might initially appear.

User vigilance also means raising the alarm when people are suspicious about an email they have received, or fear they may have clicked on a dangerous link. The importance of this is underlined by recent research, which found that only 2% of known attacks are reported by employees.

Organisations also need to be aware of the wider risks they face, with social media platforms such as LinkedIn being targeted by cybercriminals looking to steal information. There are also cases of direct approaches being made to employees, who are offered money in return for their credentials or for approving an MFA request.


What is common to all these scenarios is that once access has been granted, the threat actor can start exfiltrating data, attempt to escalate their privileges, or introduce malware onto the compromised network. Organisations must therefore focus more heavily on detection, because without that capability victims can be left totally unaware that a breach has occurred. The LAPSUS$ group, which openly offered employees payment for credentials and MFA approvals, underlines the serious insider risk that arises when credentials are stolen or sold.

Embracing Innovation

While rigorous and ongoing user education has an important role to play in improving security, technological innovation is also helping organisations to raise their game. This is particularly important given that traditional approaches to security information and event management (SIEM) – which sift through an avalanche of alerts – are no longer adequate for detecting attacks on their own.

In contrast, the most effective modern detection systems combine Machine Learning (ML) with User and Entity Behaviour Analytics (UEBA) to learn and monitor normal behaviour for every user, device, and peer group connected to a network. In practical terms, this means that behaviours indicating a user’s credentials have been compromised – a valid login from a location, device or time the account has never used, for example – can be automatically detected and escalated to security teams in a timely manner.
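To make the detection side concrete, the following is an added example written for this article; it is not Exabeam’s code and not part of the original piece. It runs three detections over a small authentication log whose format, field names and thresholds are assumptions for illustration: the credential stuffing and MFA fatigue patterns described earlier (one source IP failing against many accounts; a burst of push prompts ending in an approval), and the UEBA-style check described above (a successful login from a country/device pair outside the user’s learned baseline). The sample log lines are constructed, not captured from any real environment.

```python
"""Added example: three credential-misuse detections run over a constructed auth log.
Log format, field names and thresholds are assumptions for illustration only."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<UTC time> <event> user=<u> ip=<ip> country=<cc> device=<d>"
SAMPLE_LOG = """\
2024-03-01T09:02:11Z LOGIN_OK user=alice ip=10.0.0.5 country=GB device=alice-laptop
2024-03-01T09:05:40Z LOGIN_OK user=bob ip=10.0.0.9 country=GB device=bob-laptop
2024-03-03T09:01:27Z LOGIN_OK user=bob ip=10.0.0.9 country=GB device=bob-laptop
2024-03-04T02:10:01Z LOGIN_FAIL user=alice ip=203.0.113.7 country=XX device=unknown
2024-03-04T02:10:02Z LOGIN_FAIL user=bob ip=203.0.113.7 country=XX device=unknown
2024-03-04T02:10:02Z LOGIN_FAIL user=carol ip=203.0.113.7 country=XX device=unknown
2024-03-04T02:10:03Z LOGIN_FAIL user=dave ip=203.0.113.7 country=XX device=unknown
2024-03-04T02:10:04Z LOGIN_FAIL user=erin ip=203.0.113.7 country=XX device=unknown
2024-03-04T03:15:00Z MFA_PROMPT user=bob ip=198.51.100.2 country=RU device=unknown
2024-03-04T03:15:20Z MFA_PROMPT user=bob ip=198.51.100.2 country=RU device=unknown
2024-03-04T03:15:40Z MFA_PROMPT user=bob ip=198.51.100.2 country=RU device=unknown
2024-03-04T03:16:00Z MFA_PROMPT user=bob ip=198.51.100.2 country=RU device=unknown
2024-03-04T03:16:20Z MFA_PROMPT user=bob ip=198.51.100.2 country=RU device=unknown
2024-03-04T03:16:35Z MFA_APPROVED user=bob ip=198.51.100.2 country=RU device=unknown
2024-03-04T03:16:36Z LOGIN_OK user=bob ip=198.51.100.2 country=RU device=unknown
2024-03-04T09:00:12Z LOGIN_OK user=alice ip=10.0.0.5 country=GB device=alice-laptop
"""

def parse_log(text):
    """Parse one event per line into a dict; timestamps become naive UTC datetimes."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, kind, *kv = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
        ev.update(pair.split("=", 1) for pair in kv)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect_credential_stuffing(events, min_accounts=5, window=timedelta(minutes=10)):
    """Source IPs whose failed logins hit >= min_accounts distinct users inside one
    sliding window: stolen username/password pairs replayed from a single source."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "LOGIN_FAIL":
            fails_by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end, f in enumerate(fails):
            while f["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {x["user"] for x in fails[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged

def detect_mfa_fatigue(events, min_prompts=4, window=timedelta(minutes=5)):
    """Users who receive >= min_prompts MFA pushes inside one window. The value is
    True if a prompt was approved inside that same burst (the user gave in)."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] in ("MFA_PROMPT", "MFA_APPROVED"):
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if sum(e["kind"] == "MFA_PROMPT" for e in burst) >= min_prompts:
                flagged[user] = any(e["kind"] == "MFA_APPROVED" for e in burst)
                break
    return flagged

def build_baseline(events, cutoff):
    """UEBA-style profile: (country, device) pairs each user logged in from before cutoff."""
    baseline = defaultdict(set)
    for e in events:
        if e["kind"] == "LOGIN_OK" and e["ts"] < cutoff:
            baseline[e["user"]].add((e["country"], e["device"]))
    return baseline

def score_logins(events, baseline, cutoff):
    """Successful logins after cutoff from a (country, device) the user has never used.
    A valid password from an unseen place is often the only trace a stolen credential leaves."""
    return [(e["user"], e["country"], e["device"], e["ts"].isoformat())
            for e in events
            if e["kind"] == "LOGIN_OK" and e["ts"] >= cutoff
            and (e["country"], e["device"]) not in baseline.get(e["user"], set())]

def run_detections(text=SAMPLE_LOG, cutoff=datetime(2024, 3, 4)):
    events = parse_log(text)
    return {
        "credential_stuffing": detect_credential_stuffing(events),
        "mfa_fatigue": detect_mfa_fatigue(events),
        "anomalous_logins": score_logins(events, build_baseline(events, cutoff), cutoff),
    }

if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {hits}")
```

Note what each detection keys on: the stuffing check needs no knowledge of the attacker, only the fan-out of failures from one source; the fatigue check correlates the burst with the approval that follows it, which is the moment access is actually granted; and the baseline check fires on a login that every signature-based control would consider perfectly legitimate. In a real deployment the baseline would be learned continuously per user and peer group rather than from a fixed cutoff, and the thresholds tuned against the organisation’s own traffic.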

This also helps overcome another limitation of traditional cybersecurity technologies, which rely on knowing about a threat – a signature, a hash, a known-bad address – before they can address it. The widespread vulnerability to ‘zero-day’ threats that are unknown to security systems underlines the risk presented by threat actors who are constantly inventing new approaches. As a result, the ability of organisations to adapt to new and emerging tactics is essential in an era where cybercrime is so commonplace.

Looking ahead, security teams focused on addressing the growing risks presented by credential harvesting are increasingly turning to next-generation SIEM platforms that work in conjunction with modern UEBA to quickly detect and defeat attacks. In doing so, they can put themselves in a much stronger position to safeguard sensitive data, ensure the integrity of their digital assets, and create a resilient cybersecurity infrastructure capable of adapting to the ever-changing threat landscape.

VP of Security Engineering EMEA at 

A veteran IT industry executive, keynote speaker and author, Matt has been helping organisations achieve cyber-resilience for over 18 years in varied roles at Microsoft, Sophos, Rapid7, and now Gartner Leader, Exabeam, where he heads up their EMEA Security Engineering teams.  

As an ex-actor who ‘luckily fell into IT’, Matt is passionate about engaging and enthusing the next generation of cyber-defenders – whether they realise that’s what they are or not.
