Now more than ever, hackers’ activities revolve around usernames and passwords. If companies fail to remedy this vulnerability as a priority, their activities could be crippled. This is the key message to emerge from a conference at FIC Europe 2023 given by Sébastien Baron, Technical Director at cybersecurity solutions publisher CrowdStrike, and Franck Perillier, Group CISO at real estate services provider Emeria.

80% of security vulnerabilities originate from compromised user accounts, as demonstrated by two recent, convergent studies carried out by Forrester Research and telecoms operator Verizon, respectively. Hackers adopt a chain of attack in which usernames and passwords are an Achilles heel whose security requires special attention.

For Sébastien Baron, Technical Director at CrowdStrike, the username-and-password combination is indeed crucial. It cannot necessarily be detected by traditional EDR solutions installed in companies’ IT infrastructure to combat DDoS attacks, viruses, and ransomware. It therefore requires an entirely different approach to security.

Username black markets are prized among hackers

The CrowdStrike representative insists on this point because usernames and passwords are sold by brokerage platforms on the dark web, where hackers can purchase entire leaked databases which they can then use for their own attacks. These databases generally include usernames, passwords, configuration data and session cookies, which are then used to gain undetected access to the systems of target companies.

Once this crucial information has been obtained, the tried-and-tested intrusion technique is rolled out. The hacker logs into an existing account. Once inside, they can move around easily and target the Active Directory used to store information about a domain’s network resources. They can then create new user accounts with more extensive administration rights, which they can use to take over one or more of the company’s IT architecture domains. In the meantime, they can also tap into the most sensitive databases.

Network complexity increases the threat level

According to CrowdStrike’s 2023 Global Threat Report, 12% of intrusions are carried out using a valid account and 73% with a newly created account. For Franck Perillier, CISO at Emeria, the Active Directory is a particularly critical asset to a company’s IT security. It authenticates users and allows them to access various features according to their profile and assigned authorisation levels.

The larger and more international the company, the more complex its systems architecture, with a wider variety of applications, not all of which may be up to date, and with different technologies. Such companies also have multiple actors, both internal (such as developers, maintenance staff and ordinary users) and external (including suppliers, customers and service providers).

Observing behaviour while constantly raising awareness

This multiplicity makes computer systems vulnerable, especially if hackers manage to sneak into them. For Franck Perillier, one strategy is to analyse the behaviour of active, connected accounts in the system using tools such as the solution developed by CrowdStrike. This enables the identification of suspicious accounts (especially by observing logs), so that action can be taken before the intruder can mount a more extensive attack on the IT network and resources.
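One way to look in directory logs for the pattern described earlier, a newly created account that quickly receives administration rights. This is an added example, not CrowdStrike's or Emeria's code: the event IDs are the standard Windows Security ones, while the simplified event fields, the sample events, the 24-hour window and the `svc-iam` allowlist are assumptions.

```python
from datetime import datetime, timedelta

# Windows Security event IDs: 4720 = user account created;
# 4728 / 4732 / 4756 = member added to a global / local / universal security group.
CREATED = 4720
GROUP_ADD = {4728, 4732, 4756}
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}
WINDOW = timedelta(hours=24)   # assumed threshold, tune per environment
PROVISIONERS = {"svc-iam"}     # hypothetical approved provisioning account

# Constructed sample events (simplified fields, not a real log export).
EVENTS = [
    {"time": "2023-04-05T09:00:00", "id": 4720, "actor": "svc-iam", "target": "a.martin", "group": None},
    {"time": "2023-04-05T09:05:00", "id": 4728, "actor": "svc-iam", "target": "a.martin", "group": "Sales"},
    {"time": "2023-04-05T22:14:00", "id": 4720, "actor": "j.dupont", "target": "helpdesk2", "group": None},
    {"time": "2023-04-05T22:16:00", "id": 4728, "actor": "j.dupont", "target": "helpdesk2", "group": "Domain Admins"},
    {"time": "2023-04-06T10:00:00", "id": 4732, "actor": "svc-iam", "target": "old.admin", "group": "Administrators"},
]

def find_suspicious_promotions(events):
    """Return alerts for accounts created and then added to a privileged
    group within WINDOW, by an actor outside the provisioning allowlist."""
    created = {}   # account name -> (creation time, creator)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == CREATED:
            created[ev["target"].lower()] = (ts, ev["actor"])
        elif ev["id"] in GROUP_ADD and ev["group"] in PRIVILEGED:
            born = created.get(ev["target"].lower())
            if born and ts - born[0] <= WINDOW and ev["actor"] not in PROVISIONERS:
                alerts.append({"account": ev["target"], "group": ev["group"],
                               "created_by": born[1], "promoted_by": ev["actor"],
                               "age_minutes": int((ts - born[0]).total_seconds() // 60)})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_promotions(EVENTS):
        print(alert)
```

Only `helpdesk2` is flagged: `a.martin` joins a non-privileged group, and `old.admin` has no creation event in the observed window.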

However, Emeria’s expert reminds us that cyber-hygiene also requires users to apply security rules and protocols. Humans are a random factor that can cause breaches in the system when they use weak passwords like the typical “CompanyName123” that hackers know by heart.

If raising awareness does not work, then a more coercive approach is needed. CrowdStrike’s solution can also identify accounts with weak passwords and force them to be changed, denying users access to the system for as long as the vulnerability remains. Even at the heart of technology, humans continue to play a fundamental role.
