I Hacked (Logged) In Through The Front Door
Summary: The article discusses several security breaches caused by stolen or brute-forced credentials and highlights the weakness of single-factor authentication. It recommends adopting multi-factor authentication, renaming default administrator accounts to non-descriptive usernames, and investing in identity security solutions to detect and respond to attacks. 2025-7-17 09:18:6 Author: securityboulevard.com


Once in a while, you hear about a security breach initiated against a public-facing resource using credentials that were stolen, stuffed, sprayed, or brute-forced. Some recent incidents involve household names, which demonstrates that no one is immune and anyone can be the victim of a targeted attack. Consider these incidents, and note that the company names have been removed to protect the innocent and to focus on the attack vector rather than the company.

  • Breach #1: A software vendor’s customers were targeted using credentials harvested by infostealer malware. Attackers logged in to accounts that lacked MFA and gained access to customer data. 
  • Breach #2: A software and consumer entertainment company experienced credential stuffing attacks in which credentials leaked in unrelated breaches were used to access customer accounts, resulting in unauthorized purchases. The incident led the organization to mandate MFA for all users. 
  • Breach #3: A lower education software provider was breached using compromised credentials, exposing sensitive information on 62 million students and 9.5 million instructors. 

While some security professionals may consider these breaches to be exceptions in the industry, a few recommendations can reduce the chance of such outliers occurring within your organization. Consider these recommendations: 

  • One of the key components of these attacks is single-factor authentication. As a security best practice, and as Breach #2 shows, all organizations should strive to use MFA everywhere and for everyone. This mitigates a simple credential-based attack because the additional factor still stands between the attacker and the account when the password alone has been compromised. And while MFA is not perfect and has its own attack vectors, it is better than single-factor authentication alone for minimizing risk. 
  • According to the United States Department of Defense STIGs (Security Technical Implementation Guides), all administrative accounts should be renamed to obscure their identity and associated privileges. For example, the Windows “Administrator” account, whether local or domain-based, should be renamed to obscure its role within the organization and make it a little harder for a threat actor to target directly. Renaming default administrator account names such as “administrator” and “root” also makes spray, stuffing and brute force-based attacks a touch harder, since the threat actor first has to guess which accounts to attack. 
  • In a typical environment, every identity has multiple accounts. Whether an organization uses one account to log in to everything is typically a business decision made with little regard for security, and it usually means a user’s username is derived from their name or email address. For forward-facing assets, a username based on an email address makes it that much easier for a threat actor to target the account using data from existing breaches and phishing attacks. Following a recommendation similar to the US DoD STIGs, create a separate account for remote access, associate it with the proper identity, do not use the person’s name or email address as the username, and make the username non-descriptive so it cannot be linked to any known identity simply by knowing what it is. For example, instead of my email address, my remote access username should be nearly gibberish, generated from an established pattern the organization created to obscure my identity. This makes it much harder for a threat actor to target any account using previously compromised data unless that data came from the organization itself. 
  • Invest in an identity security solution that can detect a wide variety of identity-based attacks and map account-to-identity relationships throughout the organization. The best practices above harden authentication, but detecting and responding to an attack in real time is equally important. Organizations need a solution that can detect where MFA is not implemented, where administrative accounts are exposed or being abused, and when identity-based attacks are occurring across the environment. This change in detection strategy is becoming a necessity for all organizations, since 90% of recent breaches have had an identity component in the attack chain. Tooling specialized to enforce best practices and detect gaps in identity security is the final recommendation for these breaches. 
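As an added example that is not part of the original article, the Python below flags the patterns these recommendations describe (spraying, stuffing, brute force, successful logins without MFA, and default administrator names still in use) over constructed authentication log lines; the log format, thresholds and function names are assumptions for illustration.

```python
# Added example (not from the article): flag the credential-stuffing, password-spraying,
# brute-force and missing-MFA patterns the article describes over constructed auth log lines.
from collections import Counter, defaultdict

# Constructed sample lines, one per login attempt: "<source ip> <username> <result> <mfa|nomfa>"
SAMPLE_LOG = """\
203.0.113.7 administrator FAIL nomfa
203.0.113.7 root FAIL nomfa
203.0.113.7 alice FAIL nomfa
203.0.113.7 carol OK nomfa
198.51.100.9 dave FAIL mfa
198.51.100.9 dave FAIL mfa
198.51.100.9 dave FAIL mfa
198.51.100.9 dave FAIL mfa
192.0.2.44 erin OK mfa
"""

DEFAULT_ADMIN_NAMES = {"administrator", "admin", "root"}  # names the article says to rename
SPRAY_MIN_USERS = 3   # assumed threshold: one source failing against this many accounts
BRUTE_MIN_FAILS = 4   # assumed threshold: one source failing this often against one account

def parse(log):
    """Turn the constructed log format into dicts; real logs need a real parser."""
    rows = []
    for line in log.splitlines():
        ip, user, result, mfa = line.split()
        rows.append({"ip": ip, "user": user, "ok": result == "OK", "mfa": mfa == "mfa"})
    return rows

def analyze(rows):
    """Return sorted (finding, subject) pairs for the patterns described in the article."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    findings = set()
    for ip, evts in by_ip.items():
        fails = Counter(e["user"] for e in evts if not e["ok"])
        if len(fails) >= SPRAY_MIN_USERS:          # many accounts, one source: spraying/stuffing
            findings.add(("spray", ip))
            if any(e["ok"] for e in evts):          # ...and one of the attempts eventually worked
                findings.add(("stuffing_success", ip))
        for user, n in fails.items():
            if n >= BRUTE_MIN_FAILS:                # one account hammered from one source
                findings.add(("bruteforce", f"{ip}->{user}"))
    for r in rows:
        if r["ok"] and not r["mfa"]:                # single-factor login the article warns about
            findings.add(("login_without_mfa", r["user"]))
        if r["user"] in DEFAULT_ADMIN_NAMES:        # default admin names still being targeted
            findings.add(("default_admin_targeted", r["user"]))
    return sorted(findings)
```

Running `analyze(parse(SAMPLE_LOG))` on the constructed lines reports the spray and subsequent success from 203.0.113.7, the brute force against dave, carol's single-factor login, and the two default admin names.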

Breaches occur all the time. It is not a matter of if a breach will occur, but a matter of when. The attack vectors used by threat actors have evolved, but one thing is clear: threat actors will always use the path of least resistance to conduct their nefarious missions. In recent years, identity-based attacks have become the path of least resistance, and it is the responsibility of all organizations to shore up their defenses to mitigate these threats. By deploying simple changes to MFA coverage, account names and solutions to detect identity-based attacks, organizations can avoid being the next victim of forward-facing credential-based attack vectors. After all, it is easier to log in through the front door of the organization than it is to hack in. 

Source: https://securityboulevard.com/2025/07/i-hacked-logged-in-through-the-front-door/?utm_source=rss&utm_medium=rss&utm_campaign=i-hacked-logged-in-through-the-front-door