Part 1: Getting Inside the Mind of a Hacker: Password Related CompromisesIt doesn’t matter whether you’re a military leader, a football coach, or a poker player. To defeat your enemy, you must think like them. By: Eric Escobar - Secureworks Adversary Group
- Credentials are compromised in a variety of ways, including hacked websites, predictable patterns and weak passwords.
- Companies from all business sectors often have similar security failings.
- Secureworks Adversary Group (SwAG) attempts to compromise your environment to test your current security posture in a real-world setting.
$85K - The average wire transfer sum requested in a Business Email Compromise attack in early 2021.
Read the 2021 State of the Threat Report
“Know thy enemy” is a principle that’s especially true for cybersecurity.
You can’t fully protect yourself by only taking a defensive posture from the inside. You must also view your environment from the outside—and understand how attackers will try to work their way in, around, and across. That’s why penetration testing and other outside-in security assessments are essential. And it’s why we take particular pride in our Secureworks Adversary Group (SwAG).
This is the first in a series of blogs sharing some of what SwAG has learned. These learnings are endless, because bad people never stop developing new exploits—and businesses never stop finding new ways to become vulnerable. So I’ll never run out of material. And you’ll never have a reason to stop reading.
Why Our SwAG Has “Swagga”
SwAG is a motley crew of tip top hackers. Hacking is an extraordinarily gratifying technical challenge. It’s like the ultimate quest game. Every digital obstacle course is one-of-a-kind. If you get past it, you’ve proven your skills—and your peers must acknowledge your awesomeness.
In fact, many hackers hack for the sheer thrill of it rather than for financial rewards.
Of course, financial rewards make the game highly lucrative for bad actors—especially now that they can mask their winnings with cryptocurrency. Financial rewards have dramatically increased the volume of malicious activity and made it possible to buy ready-made attack toolkits—as well as “attacks-as-a-service.”
But our SwAG team simply loves the challenge. Plus, we’re incredibly good at it. And we keep getting better the more we do it and the more we share expertise with each other.
The bottom line is that we attack our customers just like real enemies do. In fact, we’re even more thorough—because bad actors quit and move on to the next target if they don’t get results after a certain amount of effort. SwAG, on the other hand, keeps at it until we’ve found what needs finding.
You Oughta Know
That said, here are a few issues SwAG has been seeing crop up lately in customers’ environments:
Credential weak spots. Customers are usually pretty diligent about protecting services that are obviously exposed to potential over-the-network exploits—e.g., VPNs and cloud-based email. But it only takes a single neglected service to render your organization vulnerable. Common examples include:
- A printer unknowingly exposed to the internet
- A VIP/executive who refuses to use a VPN
- A firewall that SecOps was sure they’d configured to only allow access to a particular service via VPN—but that in reality lets us get to that service directly
Leaked passwords. Your security can be dangerously dependent on the security of popular websites. Unfortunately, those websites are under constant attack—and are therefore compromised more often than we’d like. The notorious LinkedIn breach, for example, disclosed 170 million usernames and passwords.
Billions of passwords have become available to bad actors in this way. But your users don’t necessarily realize that their stolen web credentials can help bad actors figure out their corporate credentials. So, they ignore the problem—leaving you vulnerable. The good news is that SwAG collects this breach data and can query it for users in your corporate domain. We can therefore help you remedy vulnerabilities associated with breached public websites.
Predictable password changes. Think you’ve enhanced your security by having users change passwords every 90 days? Well, here’s how some of your users “comply” with your policy while also making sure they can remember their passwords:
- January: januarY2021!
- April: apriL2021!
- July: julY2021!
Predictable, huh? Hackers would agree. That’s why SwAG also looks for such patterns—and when we find them, we let you know. The predictable password problem is also why we recommend rotating passwords less frequently, but do require them to be at least 15 characters long.
These are just a few of the Secureworks’ SwAG learnings that can benefit you. There are more to come. So check this space again in 30 days. Or sign up to get automatic notification when the next SwAG post goes up!