5 reasons why credential-based attacks are on the rise - and how you can stop them in their tracks

Credential-based attacks are increasingly prevalent, making up the majority of successful breaches today.

As organizations strive to secure their systems from intrusion, it’s clear that credential security must be a priority.

In this newsletter, we’ll examine the top reasons why malicious actors prefer this attack vector - and what you can do to stop them.

Attackers are walking in through the front door

According to Verizon's Data Breach Investigations Report (DBIR), 61% of attacks involved compromised credentials.

It was also the top attack method in the 2024 DBIR, closely followed by related phishing/social engineering activity and human error.

Stolen credentials allow cyberattackers to gain access to your systems, sneaking in through the front door under the guise of a legitimate user.

Once inside, they can wreak havoc by rapidly creating new accounts, escalating privileges, and moving laterally to compromise your security estate.

5 reasons why credential attacks are so prevalent today

Financial gain is the primary driver for cyberattacks, and stolen credentials can be used by malicious actors to profit from these breaches in a wide variety of ways.

1: Selling credentials to other cybercriminals

There is a thriving market on the dark web for stolen credentials. According to research by Forbes, there are more than 15 billion stolen credentials in circulation at any one time on these marketplaces and forums.

2: Identity theft

By taking over a legitimate account, cybercriminals can start to steal the user's identity. In a short time, they can gain access to email accounts, bank accounts, and social media profiles. From here, they can start to gain fraudulent access to funds, and expand their attacks through impersonation.

3: Blackmail and extortion

This is a common way for attackers to extract funds from victims. Cybercriminals use their position of privileged access to threaten victims with data loss or data leaks, demanding hefty ransom payments in exchange for giving back access. In many cases, ransom payments make no difference, and criminals will go on to release or sell the data and/or credentials to other malicious actors anyway.

4: Nation-state attacks

A trend in recent years has been the emergence of state-sponsored attacks with a geopolitical aim. This results in attacks that target a large customer base using the cloud and MSPs as a vector for expanding their impact horizontally across multiple systems.

We’ve seen attacks like these work their way into the supply chain to paralyze universities, airports, hospitals and organizations of numerous kinds. These attacks typically start with simple credential theft. Phishing is a common technique for gaining passwords or access keys. From here, malware is installed to surreptitiously pick up more usernames and passwords.

5: Exploiting reputational damage

This is another type of extortion, but instead of leveraging the organization’s desire to reclaim access to data, it uses your brand’s reputation instead.

By threatening to expose the fact that the brand has been compromised, attackers take advantage of an organization’s current reputation and standing. As with ransomware, however, there’s no guarantee that payment will prevent cybercriminals from announcing their breach to the world, or the release/sale of customer data. The damage from these attacks can be very long-lasting and can affect stock value for years afterwards.

In the case of the 2017 Equifax breach, stock plummeted by more than 25% in the days after it was announced, and it did not regain its previous value until two years later.

How attackers gain your credentials

Phishing and social engineering are the most efficient ways for cybercriminals to initially extract credentials from users.

Following the capture of legitimate credentials, they may employ credential dumping or brute force techniques to widen their impact and escalate privileges.

Automated open-source tools for credential dumping are easily accessible and can retrieve hash values or plaintext passwords stored in databases, memory, or web browsers.

Credential dumping is a worrying technique, as there are numerous places where credentials are stored on endpoints: browser login details, password managers, secret tokens, session cookies, private keys and certificates, to name a few.

What organizations can do to protect themselves from credential-based attacks

Given the multiple ways that cybercriminals can steal credentials, it is imperative that organizations employ the most comprehensive credential protection available, in combination with training and robust procedures.

Key strategies include Identity and Access Management / Privileged Access Management (IAM/PAM), multi-factor authentication (MFA), training on threats and the common techniques used by attackers (e.g. spear phishing), and constant monitoring of your IT environment for unusual behavior patterns.

Besides all these measures, you should also use a solution that protects your credentials wherever they are stored or used. SentinelOne's Singularity Identity can help in that area: it stops credential theft at the earliest stages of the attack cycle.

It also takes measures that protect credentials from untrusted applications, including:

  • Credential cloaking: real credentials are hidden by Singularity Identity, so they are invisible to adversaries and their tools.
  • Credential binding: saved credentials are bound to critical applications, so they can only be read by the corresponding approved application.
  • Deception: to keep attackers busy, the tool also deploys deceptive artifacts, including fake credentials, accounts, and files, designed to lure cybercriminals into targeting decoys from an endpoint.

These techniques not only keep attackers occupied; they also trick them into revealing themselves as soon as they start using the fake credentials.
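Added example, not from the article and not SentinelOne's product code: detection logic, in Python, for two of the behavior patterns the text describes, a run of failed logons from one source followed by a success (brute force), and any authentication attempt against a seeded decoy account. The log format, host and account names, IP addresses and failure threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the page); key=value syslog-like format is an assumption.
SAMPLE_LOG = """\
2024-05-01T09:00:01 host=fs01 user=alice src=10.0.0.5 result=success
2024-05-01T09:00:02 host=fs01 user=bob src=10.0.0.7 result=success
2024-05-01T09:01:10 host=fs01 user=carol src=203.0.113.9 result=failure
2024-05-01T09:01:11 host=fs01 user=carol src=203.0.113.9 result=failure
2024-05-01T09:01:12 host=fs01 user=carol src=203.0.113.9 result=failure
2024-05-01T09:01:13 host=fs01 user=carol src=203.0.113.9 result=failure
2024-05-01T09:01:14 host=fs01 user=carol src=203.0.113.9 result=failure
2024-05-01T09:01:15 host=fs01 user=carol src=203.0.113.9 result=success
2024-05-01T09:05:00 host=fs01 user=svc_backup_decoy src=10.0.0.7 result=failure
"""

# Hypothetical decoy account names seeded on endpoints; no legitimate process should ever use them,
# so any authentication attempt, successful or not, is an alert in its own right.
DECOY_ACCOUNTS = {"svc_backup_decoy"}

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Parse log lines into dicts; lines that do not match the expected format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def detect(events, fail_threshold=5):
    """Return (rule, user, src) alerts: decoy credential use, and >= fail_threshold
    consecutive failures for one (user, src) pair followed by a success from that pair."""
    alerts = []
    fails = defaultdict(int)
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["user"] in DECOY_ACCOUNTS:
            alerts.append(("decoy_credential_used", ev["user"], ev["src"]))
        if ev["result"] == "failure":
            fails[key] += 1
        elif ev["result"] == "success":
            if fails[key] >= fail_threshold:
                alerts.append(("brute_force_then_success", ev["user"], ev["src"]))
            fails[key] = 0  # a success resets the failure run for this pair
    return alerts
```

Running `detect(parse(SAMPLE_LOG))` on the constructed log yields one brute-force alert for carol from 203.0.113.9 and one decoy-use alert for the 10.0.0.7 source that already authenticated as bob, which is the kind of signal the text means by attackers revealing themselves.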

So, while credential theft will remain a popular and efficient way for attackers to try and gain access, you can consistently deny it to them.


At SentinelOne, we constantly monitor the latest trends and tactics, so we can keep one step ahead and keep your critical systems running. Our platform uses its own dedicated AI to hunt for threats and to detect attacks using advanced behavioural analysis. Find out more about SentinelOne here.


Sven Mik

Cybersecurity Expert | Analysing & Protecting Dutch Interests

2 months

Interesting approach, Nick Derks!
