i³ Threat Advisory: Detecting and Preventing Credential Misuse and Compromise

  1. Enable and configure insider risk monitoring features such as employee work groups, hours of work, HR integrations, and credential storage access. 
  2. Either provide company-issued devices or put policy enforcement agreements in place with contractors when individuals have access to sensitive information.  
  3. Have a corporate password management solution in place to facilitate easier detection of other solutions.  
  4. Have clear reporting lines and end-user training on what to do when receiving multiple MFA requests or unexpected requests from what appears to be a “trusted” source.  

INTRODUCTION

The industry is increasingly recognizing the rise of blended attacks, where both internal and external factors contribute to compromise. What many might consider an external threat almost always has some form of ‘insider’ component, whether it’s a valid employee account, a user who has been socially engineered, a malicious insider, or a combination of all three. In any case, what cannot be underestimated is the power of the human element, and the role of behavioral data in the early detection and mitigation of insider risks.  

One of the most concerning use cases at the intersection of blended attacks relates to credential misuse. This Insider Threat Advisory (iTA) explores this growing threat, focusing on scenarios and public incidents where users have stored their corporate passwords either within their personal password managers or on their personal devices.  

Importantly, this iTA provides actionable detections and mitigations, with an emphasis on behavioral-based monitoring and analytics, as well as tangible applications for maturing an Insider Risk Management (IRM) program. 

CRITICAL REVIEW

Medibank: 2022 

One of the largest data breaches in Australia exposed the records of 9.6 million individuals on the dark web. This occurred when an external threat actor released the information after a ransom demand went unpaid. The threat actor gained access to the corporate network through the Virtual Private Network (VPN), since Multi-Factor Authentication (MFA) was not enabled on their account. 

What makes this breach unique is the traceability of the initial credentials. An IT contractor at Medibank logged into his work laptop and saved the credentials in his personal internet browser. These credentials were then synced to his personal computer, which was subsequently compromised by a Russian threat actor.  

This situation underscores the significant risks of employees or contractors blending personal accounts with work devices, which can lead to catastrophic consequences. 

Okta: 2023 

One significant incident involving Okta was the unauthorized access to its support case management system. Okta discovered that an employee had signed into their personal Google account via the Chrome browser on their Okta-managed laptop, saving service account credentials in the process. This likely led to credential exposure through the compromise of the employee’s personal Google account or device. 

That the laptop was managed by Okta highlights the organization’s role in securing work equipment, enabling the enforcement of security policies. Preventing such breaches, however, also requires detection mechanisms that monitor the saving of corporate passwords into personal password managers. 

From an insider risk monitoring perspective, various methods can be employed, such as monitoring for unusual out-of-hours activity, detecting access from different locations, and identifying credentials stored in non-work-related applications. These indicators can help detect and mitigate potential insider risks before they lead to significant breaches. 

Cisco: 2022 

Cisco suffered a similar incident, when initial access to the Cisco VPN was achieved through the successful compromise of a Cisco employee’s personal Google account. 

The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in the browser, which then synchronized to their Google account. The breach was further exacerbated by vishing (voice phishing) and an MFA fatigue attack. 

It remains unclear whether the credentials were stolen from the user’s personal device or a work device. Nonetheless, implementing best practice mitigations and controls is crucial to enhance detection capabilities and minimize the risk of such compromises. 

Insider risk monitoring could have identified similar indicators to those seen in the Okta breach. Indicators that could be leveraged include the use of personal Google accounts on a managed device and access to the password management feature within a browser. This would have enabled insider risk and cybersecurity teams to detect and respond to the breach more promptly and effectively, potentially preventing or mitigating the impact of the incident. 

Uber: 2022 

Organizations like Uber handle unique types of Personally Identifiable Information (PII), such as detailed trip reports. In 2022, Uber revealed that an Uber EXT contractor’s account was compromised after an attacker likely purchased the contractor’s corporate password from the dark web following malware infection on the contractor’s personal device. The attacker repeatedly attempted to log into the contractor’s Uber account, triggering multiple two-factor authentication (2FA) requests. Initially blocked, one request was eventually accepted by the contractor, granting the attacker access. 

It’s unclear whether the laptops were managed by Uber or if policy enforcement agreements existed between Uber and the contractor. A robust reporting policy for handling anomalous MFA requests might have prevented this compromise. The attacker used the compromised account to access other employee accounts, leading to elevated permissions. Behavioral indicators from an insider risk management tool could have detected unusual activity early, triggering alerts and facilitating a quicker response to mitigate the breach’s impact. 
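The repeated 2FA prompts described above are detectable from the identity provider's push log alone. The following is an added example written for this advisory (it is not DTEX code and not tied to any product): it slides a time window over constructed MFA push events, keeps the densest burst per user, and records whether that burst ended in an approval after earlier denials or timeouts. The event layout (timestamp, user, push result, source IP), the users and the IP addresses are all assumed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real log data). The field layout
# (timestamp, user, push result, source IP) is an assumption; map your IdP's
# export onto it.
MFA_EVENTS = [
    ("2024-03-04T22:01:05", "ext.contractor", "denied",   "203.0.113.7"),
    ("2024-03-04T22:01:40", "ext.contractor", "denied",   "203.0.113.7"),
    ("2024-03-04T22:02:12", "ext.contractor", "timeout",  "203.0.113.7"),
    ("2024-03-04T22:03:01", "ext.contractor", "denied",   "203.0.113.7"),
    ("2024-03-04T22:04:30", "ext.contractor", "approved", "203.0.113.7"),
    ("2024-03-04T09:00:00", "alice",          "approved", "198.51.100.4"),
    ("2024-03-04T13:30:00", "alice",          "approved", "198.51.100.4"),
]


def parse_events(rows):
    """Turn raw tuples into dicts sorted by user, then time."""
    events = [
        {"ts": datetime.fromisoformat(ts), "user": user, "result": result, "ip": ip}
        for ts, user, result, ip in rows
    ]
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def detect_mfa_fatigue(rows, window=timedelta(minutes=10), threshold=3):
    """Flag users who received `threshold` or more pushes inside `window`.

    For each user the densest burst is kept, and the finding records whether
    that burst ended in an approval after earlier denials or timeouts, the
    pattern described in the Uber case above.
    """
    by_user = defaultdict(list)
    for event in parse_events(rows):
        by_user[event["user"]].append(event)

    findings = []
    for user, events in by_user.items():
        best = []
        start = 0
        for end, event in enumerate(events):
            # Slide the window start forward until the burst fits in `window`.
            while event["ts"] - events[start]["ts"] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= max(threshold, len(best)):
                best = burst
        if not best:
            continue
        findings.append({
            "user": user,
            "pushes": len(best),
            "first": best[0]["ts"].isoformat(),
            "last": best[-1]["ts"].isoformat(),
            "source_ips": sorted({b["ip"] for b in best}),
            # Approval after a run of denials is the highest-risk outcome.
            "denied_then_approved": best[-1]["result"] == "approved"
            and any(b["result"] != "approved" for b in best[:-1]),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_mfa_fatigue(MFA_EVENTS):
        print(finding)
```

Tune `window` and `threshold` to the normal push rate in your environment; a finding with `denied_then_approved` set is the one to route to the user and the help desk first, since it mirrors the moment the Uber contractor accepted a prompt they had not initiated.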

EARLY DETECTION AND MITIGATION

The DTEX i³ team recommends organizations implement the following controls to detect, deter, and disrupt insider risk activity associated with external threats that aim to leverage valid internal accounts.    

Enable and configure insider risk monitoring features   

Features such as employee work groups, hours of work, HR integrations, and credential storage access monitoring each contribute valuable insights for insider risk practitioners.  

  • Employee work groups: Work groups provide a comparative behavioral baseline, flagging deviations from established patterns. When work groups are enabled within a monitoring tool, detections are enhanced by allowing comparisons against group norms, which helps in detecting deviations from typical job responsibilities. 
  • Hours of work: For global organizations, monitoring hours of work can be complex. Having a forensic audit trail offers a way to track user behavior over time. It can also flag unusual situations, such as a user account appearing on an unexpected device, which may indicate suspicious activity. 
  • HR integrations: Integrating HR data can provide crucial context, such as employee leave or role changes. Coupled with hours of work and location data, this information helps in identifying anomalies related to employee availability and access patterns. 
  • Credential storage access monitoring: Monitoring how and where credentials are stored is critical for early detection of potential compromises. Ideally, organizations should implement mitigations to prevent employees from saving work credentials in personal accounts, such as those described in this advisory. DTEX InTERCEPT can use HTTP Inspection Filtering to detect and monitor instances where credentials are saved in browsers or potentially other applications, helping to identify risky behavior before it leads to a compromise. 

By leveraging these features, organizations can create a comprehensive insider risk detection strategy, enhancing their ability to identify and respond to potential security issues effectively.  

Provide company-issued devices 

In many frameworks, it is considered best practice to provide employees with company-issued devices for their work. This approach allows organizations to enforce and monitor security measures more effectively compared to using personal devices. For contractors, it is similarly advantageous to provide organization-managed devices for their tasks. If that isn’t feasible, at a minimum, implementing a stringent security policy that contractors must adhere to is essential. This ensures that security standards are maintained, and potential risks are minimized. 

Implement a corporate password management solution 

In this iTA, we have reviewed scenarios where browser-based password management solutions were exploited during a compromise. While we are not advising organizations to avoid these tools altogether, it is crucial to select a single, consistent password management solution. Having a single solution allows for better security measures, including monitoring and detection. Additionally, you can establish detections for the use of unauthorized password management solutions. 
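One concrete form of the detection suggested above is to compare web proxy traffic against a watchlist of password-manager services and report any that are not the sanctioned solution. The block below is an added example written for this advisory, not DTEX code. The proxy log layout, the hostname `vault.corp.example` standing in for the corporate manager, the users and addresses are all constructed; the watchlist entries are real service hostnames but are only a starting point, and an organization maintains its own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The sanctioned corporate password manager (placeholder hostname).
APPROVED_HOSTS = {"vault.corp.example"}

# Watchlist of password-manager service hostnames. The entries are a
# constructed starting point; an organisation maintains its own list.
WATCHLIST = {
    "vault.corp.example": "Corporate vault",
    "passwords.google.com": "Google Password Manager",
    "lastpass.com": "LastPass",
    "1password.com": "1Password",
    "bitwarden.com": "Bitwarden",
}

# Assumed proxy log layout: timestamp user source-ip method url status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log (not real traffic). The last line is deliberately
# malformed to show that unparseable lines are skipped rather than crashing.
PROXY_LOG = """\
2024-03-04T09:12:01Z alice 10.0.0.5 GET https://vault.corp.example/api/sync 200
2024-03-04T09:15:44Z alice 10.0.0.5 GET https://www.example.org/ 200
2024-03-04T10:02:10Z bob 10.0.0.9 POST https://passwords.google.com/checkup 200
2024-03-04T10:40:00Z carol 10.0.0.12 GET https://lastpass.com/login 200
2024-03-04T10:41:00Z carol 10.0.0.12 POST https://lastpass.com/vault/sync 200
2024-03-04T10:45:00Z carol 10.0.0.12 GET https://accounts.google.com/ 200
garbage line that does not match the expected layout
"""


def classify_host(host):
    """Map a hostname to a watchlisted product, matching exact host or subdomain."""
    host = host.lower()
    for suffix, product in WATCHLIST.items():
        if host == suffix or host.endswith("." + suffix):
            return product
    return None


def find_unapproved_managers(log_text):
    """Return {user: {product: request_count}} for managers that are not approved."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines
        host = urlsplit(match["url"]).hostname or ""
        product = classify_host(host)
        if product is None or host in APPROVED_HOSTS:
            continue
        hits[match["user"]][product] += 1
    return {user: dict(products) for user, products in hits.items()}


if __name__ == "__main__":
    print(find_unapproved_managers(PROXY_LOG))
```

Matching on the hostname rather than the full URL means the check still works where the proxy only records the TLS connection target and does not decrypt traffic. A hit is a policy deviation to triage with the user, not proof of compromise; pairing it with an inventory of installed browser extensions closes the gap for managers that are used offline.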

Whichever solution you choose, ensure that Multi-Factor Authentication (MFA) is enabled as a critical security measure. 

Clear reporting procedures 

Formal, documented procedures are important because they provide a consistent framework for both IT support and end users, reducing the likelihood of misunderstandings and errors. Clear guidelines help ensure that support requests are verified and handled securely, while also offering a protocol for reporting suspicious activity, such as multiple MFA requests or unusual verification calls. This structured approach not only enhances the organization’s security posture but also builds trust and confidence among users by demonstrating a commitment to protecting their data and ensuring that any anomalies are addressed promptly and effectively. 

INVESTIGATION

The early detection and mitigation recommendations above highlight both technical and non-technical controls that can be used to detect compromised credentials within the environment. These controls range from detecting MFA brute-force attempts to behavioral detections that compare changes in user activity, and the most prominent control is employees’ reporting of suspicious activity, such as multiple MFA requests.

As your insider risk management programs continue to mature, there are many opportunities to be proactive in identifying behavior that can lead to compromise.

This iTA highlights the risk of credential misuse when corporate credentials are stored in a browser’s password manager. Detecting this activity is explained in this section; however, the following mitigations should be implemented as a best practice to decrease both the potential attack surface and the volume of benign escalations that analysts must triage.
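The two indicators that recur in the Okta and Cisco cases, a personal account signed into a managed browser and a corporate credential saved into that browser's password store, can be expressed as a small rule set over endpoint telemetry. The block below is an added example written for this advisory; it is not DTEX or InTERCEPT code, and the JSON event schema (a `browser_signin` event carrying the signed-in account and sync flag, and a `credential_saved` event carrying the site) is an assumption rather than any vendor's real format. The domains `corp.example` and `mail.example`, the users and the events are constructed sample data.

```python
import json
from urllib.parse import urlsplit

# Corporate identity and site domains (placeholders).
CORPORATE_MAIL_DOMAINS = {"corp.example"}
CORPORATE_SITE_DOMAINS = {"corp.example"}  # also matches sso.corp.example, vpn.corp.example

# Constructed endpoint telemetry as JSON lines. The schema is assumed; it is
# not any vendor's real format.
TELEMETRY = """\
{"ts":"2024-03-04T09:01:00Z","user":"dave","host":"LT-DAVE","event":"browser_signin","browser":"chrome","account":"dave@corp.example","sync":true}
{"ts":"2024-03-04T09:05:00Z","user":"dave","host":"LT-DAVE","event":"credential_saved","browser":"chrome","account":"dave@corp.example","sync":true,"site":"https://sso.corp.example/login"}
{"ts":"2024-03-04T12:10:00Z","user":"erin","host":"LT-ERIN","event":"browser_signin","browser":"chrome","account":"erin.home@mail.example","sync":true}
{"ts":"2024-03-04T12:12:00Z","user":"erin","host":"LT-ERIN","event":"credential_saved","browser":"chrome","account":"erin.home@mail.example","sync":true,"site":"https://vpn.corp.example/"}
{"ts":"2024-03-04T12:20:00Z","user":"erin","host":"LT-ERIN","event":"credential_saved","browser":"chrome","account":"erin.home@mail.example","sync":true,"site":"https://shop.example.org/"}
{"ts":"2024-03-04T15:00:00Z","user":"frank","host":"LT-FRANK","event":"credential_saved","browser":"chrome","account":null,"sync":false,"site":"https://sso.corp.example/login"}
"""


def is_corporate_account(account):
    """True when the signed-in browser account belongs to a corporate mail domain."""
    if not account or "@" not in account:
        return False
    return account.rsplit("@", 1)[1].lower() in CORPORATE_MAIL_DOMAINS


def is_corporate_site(url):
    """True when the URL's host is a corporate domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in CORPORATE_SITE_DOMAINS)


def evaluate(event):
    """Return (severity, reason) for one event, or None if nothing to flag."""
    kind = event.get("event")
    account = event.get("account")
    if kind == "browser_signin" and not is_corporate_account(account):
        return "medium", "personal account signed into managed browser"
    if kind == "credential_saved" and is_corporate_site(event.get("site", "")):
        if account and not is_corporate_account(account):
            # The Okta/Cisco pattern: the credential will sync to a personal account.
            return "high", "corporate credential saved to personal browser profile"
        if event.get("sync"):
            return "low", "corporate credential saved to synced browser store"
        return "low", "corporate credential saved to local browser store"
    return None


def scan(jsonl_text):
    """Run every telemetry line through evaluate(); skip blank or malformed lines."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        verdict = evaluate(event)
        if verdict:
            severity, reason = verdict
            findings.append({"ts": event["ts"], "user": event["user"],
                             "severity": severity, "reason": reason,
                             "site": event.get("site")})
    return findings


if __name__ == "__main__":
    for finding in scan(TELEMETRY):
        print(finding)
```

The low-severity findings exist because the advisory does not ask organizations to ban browser password stores outright, only to standardize on one solution; they give analysts a view of how widely the browser store is used for corporate sites without generating an alert for each save. Only the combination of a corporate site and a non-corporate browser account is escalated.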

CONCLUSION

The attraction of insiders as a vector for infiltration and compromise is not going away. As security programs and technologies evolve, external threat actors are increasingly homing in on the insider; in the eyes of an adversary, it is sometimes far easier to trick an insider than it is to rely on malware alone. The advent of AI has introduced even more complexity, enabling attackers to advance their social engineering capabilities at a speed and scale never seen before.  

To defend against these sophisticated threats, organizations must adopt a multi-layered security approach that leans into both behavioral and technical sciences. This approach encompasses technical controls, detection, and monitoring systems, and a comprehensive end-user education program. Omitting any one of these components creates vulnerabilities that could be exploited by determined attackers.  

INVESTIGATIONS SUPPORT

For intelligence or investigations support, contact the DTEX i³ team. Extra attention should be taken when implementing behavioral indicators on large enterprise deployments.

RESOURCES

[1] Unauthorized Access to Okta’s Support Case Management System: Root Cause and Remediation | Okta Security 

[2] Cisco Talos shares insights related to recent cyber attack on Cisco (talosintelligence.com) 

[3] Uber Newsroom 

DTEX i3 2024 Insider Risk Investigations Report   

DTEX Release Notes 

Insider Threat Practitioner On-Boarding