Endpoint Credential Theft: How to Block and Tackle at Scale
Tracking and fixing bugs across digital enterprise environments has always been tricky — and it’s getting even harder. Threat researchers logged a record-breaking number of common vulnerabilities and exposures (CVEs) in 2021, averaging more than 50 per day. That’s according to a recent analysis of the National Vulnerability Database (NVD), a central repository of known vulnerabilities maintained by the National Institute of Standards and Technology (NIST). Where to even begin? With so many flaws and so little time, security teams need to focus on impact — blocking credential theft at the endpoint to counteract numerous identity-based vulnerabilities, both disclosed and not yet discovered.
Why So SeriousSAM? It’s Just One of Many Credential Theft Flaws to Address
Keeping pace with every new disclosed vulnerability is difficult. And patching them all? Forget about it. Instead, most vulnerability management teams work to gauge the level of risk a particular vulnerability poses to their business and tackle remediation steps accordingly.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) offers risk-prioritization guidance on this front and, among other things, recently urged organizations to patch CVE-2021-36934, aka “SeriousSAM” or “HiveNightmare,” based on evidence of active exploitation by threat actors.
SeriousSAM made headlines after it was disclosed in July 2021 as a zero-day, local privilege elevation flaw that enables attackers to obtain account password hashes, including those belonging to privileged users, from the shadow copy of Windows Security Account Manager (SAM) — a database registry file that stores local and remote users’ credentials. By using the credentials of a legitimate privileged identity, the attacker can continue to move deeper into the network, reach Tier 0 assets and potentially compromise the full domain. In short, it’s a serious flaw.
Which is why it’s somewhat surprising that almost eight months later many organizations still need to address SeriousSAM. It also highlights a bigger issue: SeriousSAM is just one of countless ways threat actors can steal stored credentials and use them as a jumping point.
For instance, attackers know that most people don’t regularly clear their web browser cookies, though it’s an important security practice. When hijacked, these cookies can provide attackers with the necessary ingredients to bypass multi-factor authentication (MFA) and single sign-on (SSO) controls, which allows them to readily gain access to critical business applications such as Salesforce, Jira or Slack.
Threat actors continue to innovate and use a variety of credential theft techniques in the wild, such as stealing domain credentials from the local cache and harvesting encrypted service accounts. In trying to patch every identity-centric weakness individually, vulnerability management teams quickly find themselves back in a never-ending game of whack-a-mole.
How Holistic Endpoint Threat Protection Stops the Endless Patching Cycle
Whatever their end goal, attackers almost always start by compromising identities, then move laterally and vertically to escalate privileges in search of their target. In fact, identity compromise through credential theft is the most common initial attack vector today, according to the latest IBM Cost of a Data Breach report — costing organizations an average of $4.37 million per breach.
With this front of mind, many security teams are broadening their approach to credential theft protection. Instead of patching vulnerabilities one by one, they’re addressing the root issue: block all sorts of credential theft attempts from the start — and limiting privileged access more intelligently through automation. This typically involves three key actions:
- Putting automated detection controls in place to detect and block theft attempts across browser, operating system and credential stores via software abuse, memory scraping and other attack techniques.
- Placing credential “lures” at points along common attack paths. These traps are designed to be relatively easy to compromise. Once an attacker tries to use a seemingly legitimate credential, it sets off alarms, prompting security teams to jump-start an investigation, detect threats faster and reduce dwell time.
- Layering Identity Security protections of least privilege enforcement and application control over vulnerability assessment and patching tools to help detect and neutralize threats at the endpoint before attackers have a chance to cause significant damage.
Similar to virtual patching — where security policies are implemented to close vulnerability exploitation pathways in the interim to shield against exploits until a patch is available from the vendor — this approach helps security teams leverage credential theft protection to dramatically reduce risk exposure. If and when individual patches become available and they are feasible to apply, teams can roll out fixes in a more manageable cadence, focus their efforts on key areas of risk, and ultimately, make a greater impact.