The MITRE Corporation is a non-profit, federally-funded research and development center (FFRDC) that, among other things, performs cybersecurity research and development. One of the cybersecurity products that has come out of MITRE is the MITRE ATT&CK Matrix, a tool that outlines the life cycle of a cybersecurity incident and categorizes various attacks into their applicable stages. As a result, it is possible to see the known methods for accomplishing any stage in the life cycle and potential security controls that can help to mitigate the threat.
One of the stages in the MITRE’s attack life cycle is the evasion of the defensive solutions put in place by the network defenders. This stage has many different options for attackers, one of which is the use of valid accounts.
Defense evasion using valid accounts
Most cybersecurity defenses are designed to be the equivalent of a lock on the front door. Anyone without a valid key should not be able to open the door without being noticed. As a result, attackers often have to find ways to circumvent these protections (similar to lock picking or breaking down the door).
However, another option for getting past a lock is stealing and using the key designed for it. If the theft of the key is subtle enough, then this method can be the most subtle option for gaining access. For cyberattackers that want a subtle approach, stealing and using valid credentials is a good option.
The issue with cybersecurity defenses is that absolute security isn’t possible: the defenses have to keep the “bad guys” out but also need to be able to let the “good guys” in. An attacker who manages to steal the access credentials of a “good guy” can therefore gain access to the system.
The use of valid accounts as a means of evading defenses has several different applications. Stolen credentials can be used to gain initial access to a system or used to increase the scope and utility of the attacker’s foothold on the system. Different accounts often have different levels of access and functionality on a system, so stealing and cracking password hashes on a computer or installing a keylogger to sniff users’ passwords can be a viable way for an attacker to achieve the level of access that they need to achieve their objectives. Alternatively, credentials shared between multiple systems in a network may allow the attacker to move laterally and compromise additional computers within the network.
Example of defense evasion using valid accounts
A common goal of phishing attacks is credential theft. These phishing emails are designed to mimic a legitimate communication from an organization that the recipient would trust and convince them of the necessity of taking some action. In the process, the victim enters their credentials into a webpage (controlled by the attacker), allowing the phisher to steal the credentials in question.
For example, you may receive an email from “Microsoft” saying that there was an issue with your Office365 account and that you need to log in immediately to correct it. The email will helpfully provide a link to the account in question that will end up at a login page. If you enter your credentials into the site, they’ll be sent to the phisher instead of Microsoft.
So far, all of this scenario falls under the spearphishing link attack classified in the MITRE ATT&CK matrix as a means of achieving initial access. At a minimum, the phisher now has access to the email account (which may hold sensitive personal or company information) and any accounts that use this account for password resets and/or two-factor authentication.
However, there is the potential for so much more. If email is integrated into your company’s network (and uses the same credentials), then the attacker can use your account to gain access to your computer at a minimum and potentially other ones where you are a legitimate user.
If you’re one of the 62% of people that reuses passwords across work and personal accounts, this recent comic from XKCD sums it up nicely.
Detection and mitigation
Detecting and mitigating the use of valid accounts to evade cybersecurity defenses requires going beyond the standard password-based system for user authentication. If an attacker has stolen a user’s credentials, it is necessary to be able to differentiate between the legitimate user and the attacker who has access to their credentials.
One means of doing so is performing behavioral monitoring and analysis of user accounts. If, for example, a particular employee typically only uses their computer for browsing the Internet and word processing, an alert should be raised if that account is suddenly using SSH to access other machines and performing database lookups.
Another way to find potential compromises involve correlating information from multiple sources, like identifying that a user is logged into multiple accounts simultaneously or that a user is “locally” using a computer when building access logs show that they’re not currently on-site.
Protecting against and mitigating attacks using valid accounts involves attempting to cut it off at every stage of its life cycle. A first step is attempting to prevent the compromise of the valid credentials in the first place, including:
- Scanning for and protecting against phishing emails
- Installing antivirus on all machines to detect keyloggers
- Monitoring for attempts to extract the /etc/shadow or SAM files containing password hashes
Efforts should also be made to minimize the impact of the breach of user credentials. Password management best practices should be enforced, including:
- Requiring strong passwords for all accounts
- Minimizing the scope and permissions of any accounts
- Periodically searching for unused or unauthorized domain or local accounts
- Monitoring for known breaches of user credentials (i.e. enabling alerts with Firefox, HaveIBeenPwned, etc.) and requiring a password reset if found
- Changing default credentials installed on all machines
- Periodically change SSH keys when possible
Conclusion: Protecting against misuse of valid accounts
Many systems use the password-based authentication model for managing access to systems and services despite the fact that passwords are shown again and again to be an insecure method of managing access. Augmenting password-based authentication with multi-factor authentication (MFA) is always a good idea, as well as not relying solely on passwords to manage access. Monitoring accounts for unusual behavior or evidence of a breach is an important component of protecting against this type of attack.