{"id":21849,"date":"2023-04-26T08:01:21","date_gmt":"2023-04-26T16:01:21","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/04\/26\/news-15580\/"},"modified":"2023-04-26T08:01:21","modified_gmt":"2023-04-26T16:01:21","slug":"news-15580","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/04\/26\/news-15580\/","title":{"rendered":"Healthy security habits to fight credential breaches: Cyberattack Series"},"content":{"rendered":"

Credit to Author: Christine Barrett| Date: Wed, 26 Apr 2023 16:00:00 +0000<\/strong><\/p>\n

Fifty percent of Microsoft cybersecurity recovery engagements relate to ransomware,1<\/sup> and 61 percent of all breaches involve credentials.2<\/sup> In this second report in our ongoing Cyberattack Series, we look at the steps taken to discover, understand, and respond to a push-bombing request that targeted a legitimate user, allowing an attacker to authenticate and register their own mobile device.<\/p>\n

Credential-based attacks begin with the process of stealing or obtaining credentials illegitimately. Often attackers target individuals who they believe have the credentials they need, then conduct social and dark web research on them. Phishing emails and websites created to target corporate targets only need to succeed once to gain credentials that can be sold to and shared with other bad actors.<\/p>\n

Push-bombing is when an attacker uses a bot or script to trigger multiple access attempts with stolen or leaked credentials. The attempts trigger a rush of push notifications to the target user\u2019s device, which should be denied. But multiple attempts can confuse a target and cause them to mistakenly allow authentication. Other times, multifactor authentication fatigue can weigh on the target, causing them to believe the access attempts are legitimate. Just one mistaken \u201callow\u201d is all it takes for an attacker to gain access to an organization\u2019s applications, networks, or files.<\/p>\n

On average, people receive between 60 and 80 push notifications each day, with some of us viewing more than 200.3<\/sup> The time it takes to swipe, tap, flag, click, save, and close every ding, buzz, pop-up, text, and tab takes a toll. Researchers believe the onslaught of notifications is causing us to get tired faster and lose focus, leaving us especially prone to distraction as the day wears on.4<\/sup> This is what attackers count on. If an attacker gains the credentials to operate like a registered, legitimate user, identifying the intrusion and tracing their possible paths of destruction becomes paramount.<\/p>\n

Late last year, a large enterprise customer asked Microsoft Incident Response<\/a> to investigate an incursion into their on-premises Active Directory environment. Due to the risk of ongoing threats and the need for continued vigilance, the organization and attacker will be kept anonymous for this incident, and we will refer to it as \u201cthe inCREDible attack.\u201d This credential-based incident highlights the critical need for establishing healthy habits in our security maintenance processes to combat the regular, repeated, and overwhelming credential attacks faced by today\u2019s organizations.<\/p>\n

In this report, we examine the factors contributing to the threat actor\u2019s initial incursion and explore what could have happened without prompt, tactical mitigation efforts. Then we detail the required workstreams, recommended timing, and activities involved with regaining control and establishing a plan going forward. We\u2019ll also explore four core steps customers can take to \u201ceat their vegetables\u201d and establish healthy habits that help minimize the risk of attack. And then we share five elements of a defense-in-depth approach that can help businesses maintain a robust defense against ransomware attacks.<\/p>\n

Many attacks can be prevented\u2014or at least made more difficult\u2014through the implementation and maintenance of basic security controls. Organizations that “eat their vegetables” can strengthen their cybersecurity defenses and better protect against attacks. That means establishing a solid inventory of all technology assets, continually patching operating systems and software, and implementing comprehensive centralized log collection\u2014all while following a well-defined retention policy. Read the report<\/a><\/strong> to go deeper into the details of the push-bombing attack, including the response activity, and lessons that other organizations can learn from this inCREDible case.<\/p>\n

What is the Cyberattack Series?<\/h2>\n

With this Cyberattack Series, customers will discover how Microsoft incident responders investigate unique and notable exploits. For each attack story, we will share:<\/p>\n