The COVID-19 pandemic of 2020 completely changed how we work, collaborate and conduct business around the world. Within the span of just a few weeks, 88 percent of global organizations encouraged or were suddenly required to support a remote workforce, quickly adopting new policies, procedures and processes to accommodate work-from-home (WFH) directives, often for the first time in company history. This new way of doing business requires a renewed focus on security, particularly on measures that address external threats, such as credential theft prevention and data leakage detection.
And while there were certainly growing pains that came with a global health crisis forcing the hand of digital transformation, many companies quickly embraced and adapted to this new remote-first work environment. According to a recent survey conducted by Upwork, “68 percent of hiring managers say remote work is going more smoothly now than when their company first made the shift to it at the start of the pandemic.” Additionally, that same survey revealed that 1 in 4 Americans would be working remotely in 2021, and by 2025, 36.2 million Americans will be working remotely, an 87 percent increase from March of 2020.
It is evident that digital businesses will continue to support and evolve their remote workforce policies as we shift toward a post-pandemic environment. With an increasing volume of employees working from home, cybersecurity continues to be a top priority among organizations where their employees rely heavily on digital platforms to work and collaborate remotely.
Last year, ZeroFox identified a greater than 60% uptick in digital threats targeting platforms used by remote workers, delivered via phishing attacks, online scams and the exploitation of system vulnerabilities. These attacks resulted in substantial increases in leaks and breaches that exposed sensitive data, including passwords and login credentials.
As working from home becomes increasingly prevalent, it is critical for security teams to be aware of the risks of credential compromise and to take proactive measures towards credential theft prevention to protect remote workers.
What is Credential Theft?
Credential theft refers to the illicit act of stealing a victim’s digital verification of “proof of identity” (often in the form of usernames, emails and passwords) that can be used to authenticate with or gain access to secure systems, accounts, networks, etc.
Despite technology’s constant innovation and evolution, compromised credentials remain one of the oldest and most effective weaknesses a threat actor can exploit, as they often provide the gateway for breaches and even ransom attacks. And depending on the access levels of a given set of credentials (such as those attributed to an administrator with access privileges to highly secure systems), they could be considered the coveted “keys to the kingdom” an adversary seeks in order to compromise an organization’s entire digital infrastructure.
According to the Verizon 2021 Data Breach Investigations Report, 61 percent of data breaches were attributed to stolen credentials. The report also found credentials to be “one of the most sought after data types” by threat actors and found them to be the fastest data type to be compromised in a breach. This makes compromised credentials highly lucrative commodities on hacker forums and dark web marketplaces.
How Credential Theft Happens
One of the most common methods threat actors use to steal user credentials is sophisticated, multi-channel phishing (or the more targeted spear-phishing) campaigns centered around malicious or spoofed domains. These domains are often easily stood up via user-friendly and widely distributed phishing kits, providing threat actors a simple and effective method to harvest victims’ credentials.
Financial organizations are especially susceptible to these types of attacks. According to a 2020 InfoSec guide, ZeroFox identified 440,000 instances of compromised credentials within the Banking and Financial Services verticals and 443,000 potentially malicious domains related to FinServ customers.
Credentials can also become compromised via malware and security exploits, social engineering and vishing, weak passwords, brute-force attacks, or through other data leaks and breaches.
Impacts of Increase in Remote Work
As many predicted, the sudden and rapid shift to remote work and cloud technologies in light of the pandemic emboldened threat actors as many organizations scrambled to adapt. Cases of phishing, scams and credential theft dramatically increased. In the fall of last year, the Federal Trade Commission posted a data spotlight blog highlighting the correlation between the pandemic and the proliferation of online scams on social media, and it recently revealed that reports of identity theft doubled year over year.
ZeroFox also saw a 519 percent year-over-year increase in security incidents specifically related to scams (often targeting user credentials), further corroborating the link between remote work and the need for credential theft prevention.
Despite the pandemic forcing organizations to rapidly accelerate their reliance on cloud-enabled remote work environments, threat actors have not changed tried and true attack techniques significantly. According to ZeroFox’s Future of Digital Threats: 2020 Insights, 2021 Predictions report, one of the key insights highlighted in 2020 was that “hackers are going to hack.” A blog recapping the report states: “hackers have not fundamentally altered their operations, but rather modified existing practices to fit the tech stack they encounter. The largest problem with cloud-based services is still human error and misconfigurations.”
While common modes of attack like phishing, malware distribution or exploiting weak security policies aren’t going out of style, threat actors are evolving how these tactics are executed to steal user credentials.
For example, the same digital threat report notes that threat actors combined vishing with classic phishing login scams to exploit remote employees just getting their bearings in a new “work from home” environment. The operation involved threat actors directing unsuspecting victims over the phone to fake VPN login portals that siphoned usernames, emails and passwords.
Protecting Your Organization
Now a year removed from the beginning of the pandemic, all signs point to continued trends of credential threats and attacks throughout 2021 and beyond. Fortunately, there are some steps security teams can take to protect remote employees from credential theft.
Update Remote Security Policies and Reinforce Best Practices
Now that many organizations have made the jump to a remote work environment, it’s imperative that security teams re-evaluate their policies, controls and procedures. They must also commit to enforcing security best practices to mitigate compromised credentials. Some of these should include:
- Requiring strong, mixed-case passwords that are changed regularly
- Requiring multi-factor authentication and limiting credentials to approved applications
- Setting up user privileges and regularly tracking employee access, roles and permissions for systems, hardware and other critical assets
- Conducting regular vulnerability assessments to identify gaps
- Establishing processes for identifying, isolating and remediating breached devices and accounts
- Utilizing automation to trigger mandatory password resets when compromised credentials are discovered (such as in a data leak on a known dark web hacker forum)
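One way to implement the last item, as an added example rather than ZeroFox product code: match a leak feed against the corporate directory, force a reset only where the leaked password still verifies, and flag accounts that lack MFA. The feed format, the directory layout and all accounts are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
# Added example, not ZeroFox tooling. Assumes the leak feed is a list of
# {"email", "password", "source"} records; all data below is constructed.

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def build_directory(users):
    """users maps email -> (current password, mfa enabled); stores salted hashes only."""
    directory = {}
    for email, (password, mfa) in users.items():
        salt = os.urandom(16)
        directory[email.lower()] = {"salt": salt, "hash": hash_password(password, salt), "mfa": mfa}
    return directory

def triage_leak(directory, corp_domain, feed):
    """Decide what the reset automation should do for each corporate address in the feed.
    force_reset: leaked password still verifies, so the credential is live
    notify:      corporate account, but the leaked password no longer matches
    review:      corporate address with no active account (stale or orphaned)
    Accounts lacking MFA are flagged so the reset flow also enrols them.
    """
    actions = {}
    suffix = "@" + corp_domain.lower()
    for rec in feed:
        email = rec["email"].strip().lower()
        if not email.endswith(suffix):
            continue                           # not one of ours; ignore
        user = directory.get(email)
        if user is None:
            actions[email] = {"action": "review", "source": rec["source"]}
            continue
        live = hmac.compare_digest(hash_password(rec["password"], user["salt"]), user["hash"])
        actions[email] = {"action": "force_reset" if live else "notify",
                          "enrol_mfa": not user["mfa"], "source": rec["source"]}
    return actions

DIRECTORY = build_directory({          # constructed, not real accounts
    "alice@example.com": ("Winter2021!", True),
    "bob@example.com": ("correct-horse-battery", False),
})
LEAK_FEED = [                          # constructed leak records
    {"email": "Alice@Example.com", "password": "Winter2021!", "source": "forum-dump"},
    {"email": "bob@example.com", "password": "hunter2", "source": "combo-list"},
    {"email": "eve@example.com", "password": "x", "source": "combo-list"},
    {"email": "mallory@other.org", "password": "y", "source": "combo-list"},
]
ACTIONS = triage_leak(DIRECTORY, "example.com", LEAK_FEED)
```

Because the check verifies the leaked value against the stored hash, a feed entry with an old or wrong password produces a notification instead of a disruptive forced reset.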
Double Down on Education
With many people now working from home, it’s important now more than ever that remote employees understand how phishing, scams, and credential theft work and how threat actors operate. Some things you can do to educate your employees include:
- Hold regular security training sessions that break down threat actor tactics and provide best practices on how to avoid credential theft
- Conduct random phishing tests to keep remote employees vigilant
- Leverage threat advisories and finished intelligence reports to stay up-to-date with new threats, trends and attack techniques
Monitor the Public Attack Surface
As previously mentioned, threat actors have largely doubled down on existing attack tactics in their efforts to steal user credentials. This means that your security teams should regularly monitor for looming threats emanating from the public attack surface. The sooner these threats are discovered, the sooner you can take action to remediate.
Some of these threats include executive and brand account impersonations on social media and collaborative chat channels, and spoofed corporate domains used to prop up phishing websites and send malicious emails.
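The spoofed-domain monitoring described here can be partly automated. The following is an added example, not ZeroFox's own tooling: it scores newly observed domain names against the brand's registrable domain, catching swapped TLDs, confusable characters, one-character typos and brand names embedded in longer labels. The brand domain and the list of observed names are constructed assumptions.

```python
import unicodedata
# Added example, not ZeroFox tooling. Assumes new domain names arrive as plain
# strings (for instance from certificate-transparency or registrar feeds).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

def skeleton(label):
    """Canonical form of a DNS label that merges common look-alike sequences."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s.replace("-", "")

def edit_distance(a, b):
    """Plain Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, brand):
    """Return why candidate resembles brand (e.g. 'example.com'), or None."""
    cand = candidate.lower().rstrip(".")
    if cand == brand or cand.endswith("." + brand):
        return None                      # the real domain or one of its subdomains
    labels = cand.split(".")
    brand_label = brand.split(".")[0]
    reg_label = labels[-2] if len(labels) > 1 else labels[0]
    if reg_label == brand_label:
        return "tld_swap"                # example.net
    if skeleton(reg_label) == skeleton(brand_label):
        return "homoglyph"               # examp1e.com, exarnple.com
    if edit_distance(skeleton(reg_label), skeleton(brand_label)) <= 1:
        return "typosquat"               # exmple.com
    if any(brand_label in label for label in labels):
        return "brand_embedded"          # example-vpn-login.com, example.com.secure-login.net
    return None

def scan(brand, observed):
    """Map each suspicious observed domain to the reason it was flagged."""
    return {d: r for d in observed if (r := classify(d, brand))}

OBSERVED = [  # constructed sample of newly seen names, not real observations
    "vpn.example.com", "examp1e.com", "exarnple.com", "exmple.com", "example.net",
    "example-vpn-login.com", "example.com.secure-login.net", "unrelated.org", "sample.com",
]
FLAGGED = scan("example.com", OBSERVED)
```

Flagged names are candidates for analyst review and takedown requests; the skeleton step deliberately over-merges characters, so expect some false positives rather than missed look-alikes.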
Plan For the Future
As remote work continues to rise and become more normalized in digital organizations, your security teams must be committed to building and evolving the infrastructure needed to support employees and sustain operations. Be proactive in adapting new technologies into your stack, but be careful not to let old or legacy services and policies go unmanaged (such as those established pre-pandemic). This “abandoning of old technologies” can often leave many doors open for adversaries to exploit and provide ample opportunities for credential theft.
Taking the Next Step Towards Credential Theft Prevention
The working environment dramatically changed in 2020 due to the unforeseen global crisis of COVID-19. A year later, digital organizations and security outfits have much to reflect on and learn from in order to secure remote employees’ private credentials. Read more on how ZeroFox helps mitigate credential theft and protect corporate and physical security in our Corporate Security Solution Kit.