Detecting credential stuffing and lateral movement attacks

The cybersecurity threat landscape is always evolving, and organizations need to stay on top of its developments to be better prepared to ward off attackers lurking in the shadows. Attackers employ various techniques to break into an organization's network, causing significant monetary and reputation losses. In this blog, we'll discuss two techniques that, when executed successfully, can cause irreparable damage to an organization.

Credential stuffing

Credential stuffing is a method in which attackers steal credentials or buy them, and use those credentials to try and log in to user accounts using automated bots. According to F5's 2021 Credential Stuffing Report, these incidents have nearly doubled between 2016 and 2020.

Credential stuffing is often confused with a brute-force attack. The difference between the two lies in the fact that instead of trying out every possible combination as a password to log in, credential stuffing makes use of stolen user credentials. A credential stuffing attack is thus more likely to succeed than a brute-force attack.

How it works

Stolen credentials from breached databases are commonly sold on hacker forums and the dark web, allowing an attacker to easily get a hold of them if they're willing to pay the price. Then, the attacker employs botnets and other automated tools that can stuff these stolen credentials into the login pages of several websites. Credential stuffing banks on the fact that users tend to reuse passwords across multiple platforms. So, if a user uses the same login credentials for a previously breached website and a website on which a credential attack has been mounted, they're more likely to fall victim to such an attack.

How to detect and prevent credential stuffing attacks

There are a few telltale signs that indicate a credential stuffing attack has been executed.

1. When an attack is in progress, since multiple passwords are tried on several user accounts, this results in a sharp increase in the user login traffic in a short span of time. These spikes in traffic specific to certain activities can be monitored and analyzed to detect credential stuffing attacks.
2. As thousands of credentials are stuffed in the hope of getting at least a few right, it's inevitable that an attack of this sort results in numerous failed login attempts. To combat this, organizations should enforce multi-factor authentication and employ timeouts after a certain number of failed attempts.
3. Password reuse is the most significant factor in a credential stuffing attack, and it can mean the difference between an attempted and a successful attack. Organizations can instruct users to employ distinct passwords across different platforms, and to change their passwords after regular intervals of time to ensure proper IT hygiene.

Credential stuffing attacks typically lead to subsequent lateral movement attacks. Let's take a look at lateral movement in detail.

Lateral movement

In this technique, attackers move through a network to look for vulnerabilities and escalate privileges. This helps the attackers get a better idea of the network's internal mapping and identify targets to help them launch a full-scale attack on the organization.

How it works

The attacker first compromises an account and gains access to the organization's network—this can be done via phishing, credential stuffing, brute-force attacks, or other similar techniques. Once inside the network, they attempt to break into other systems by using keyloggers and phishing tools to trick other users into disclosing credentials. They continue traversing the network until they reach their ultimate goal—domain administrator privileges—which provides them complete control over the organization's network, allowing them to control the domain.

The account that's initially compromised is often a low-privilege account with which nothing significant can be achieved by the attacker, requiring them to access accounts with higher privileges in order to cause any real damage to the organization.

How to detect lateral movement

Detecting lateral movement in a network can be difficult because it may appear like normal network activity, but here are a few things to keep in mind.

• Since lateral movement invariably starts with a compromised endpoint device, it's important to ensure that the endpoint detection and response system in place is up to date and in the best position to look for and eliminate threats.
• Once they're in the network, attackers exhibit behavior that may not trigger alerts by security systems, but is still different from the actual user's behavior. This is where behavior analysis comes into play. Organizations should employ a security information and event management (SIEM) solution with user and entity behavior analytics (UEBA), which forms a baseline of user behavior and triggers an alert if any deviation from the baseline is detected.
• While deploying a SIEM solution, make sure that only the required logs are collected and alerts raised. Otherwise, you run the risk of alert fatigue due to the sheer number of alerts generated, and an equally high number of false positives. It's only a matter of time before a critical alert is missed.
• Organizations should reassess their security strategies to make sure that the proper systems are in place. Apart from having a strong security setup, it's also important to proactively look for threats and vulnerabilities within the network.

Cyberattacks are a harsh reality, and attackers will continue trying new ways to breach organizations' security; attacks like credential stuffing and lateral movement are just the tip of the iceberg. With a proper security and log management solution such as Log360 in place, organizations can ensure they're fortifying their network against these attacks.

Check out Log360's fully functional, 30-day, free trial now to start protecting your network.