Account takeover attacks are a common tactic for cybercriminals. With access to a stolen username and password, an attacker can gain access to corporate resources with the privileges assigned to a legitimate user and a lower chance of detection than if they attempted to exploit unpatched vulnerabilities.
As corporate networks evolved rapidly in recent years, opportunities for account takeover attacks have grown. Managing the security risks of these attacks requires replacing legacy remote access solutions with modern ones, such as zero trust network access (ZTNA).
Increased Remote Work Opens New Attack Vectors
An account takeover attack requires the attacker to have two things: credentials for a user account and a means of accessing that account. Credentials can be obtained in a variety of ways, and the COVID-19 pandemic and the forced transition to remote work made it much easier for cybercriminals to remotely access user accounts once they had them.
With the rapid switch to remote work, many companies have deployed corporate remote access solutions, such as virtual private networks (VPNs) or the remote desktop protocol (RDP). These solutions allow remote employees to access corporate resources, but they also expose a login portal to the public Internet. Cybercriminals can take advantage of this to make use of compromised credentials or to test if any of a set of potential credentials are valid.
Credential Theft is an Effective Tactic for Cybercriminals
Cybercriminals can steal verified user credentials in a variety of different ways. Phishing attacks can trick employees into submitting their login details to attacker-controlled sites or malware can harvest credentials from compromised machines.
However, the sudden rise of remote access solutions also makes it easier for cybercriminals to take advantage of poor password security habits. Since the start of the pandemic, password guessing attacks have been on the rise, including:
- Credential Spraying: A credential spraying attack tries the same password across multiple different accounts. This type of password guessing attack takes advantage of the fact that many people use the same weak passwords (such as 123456).
- Credential Stuffing: A credential stuffing attack tries to use a compromised password from one account to log into a user’s other accounts. This type of attack is effective because many people use the same password across multiple different online accounts.
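As an added example that is not part of the original article, the following Python detector shows how the spraying pattern described above looks from the defender's side: one source failing against many distinct accounts with only one or two attempts each (so per-account lockouts never trigger), followed by a success on one of them. The log format, thresholds and sample lines are constructed assumptions, not any product's format.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample authentication log (hypothetical key=value format, TEST-NET addresses).
SAMPLE_LOG = """\
2021-06-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2021-06-01T10:00:03Z src=203.0.113.5 user=bob result=FAIL
2021-06-01T10:00:05Z src=203.0.113.5 user=carol result=FAIL
2021-06-01T10:00:07Z src=203.0.113.5 user=dave result=FAIL
2021-06-01T10:00:09Z src=203.0.113.5 user=erin result=FAIL
2021-06-01T10:00:11Z src=203.0.113.5 user=frank result=SUCCESS
2021-06-01T10:00:02Z src=198.51.100.7 user=alice result=FAIL
2021-06-01T10:00:30Z src=198.51.100.7 user=alice result=FAIL
2021-06-01T10:01:00Z src=198.51.100.7 user=alice result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Turn log lines into (timestamp, src, user, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events

def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Sources whose failures within `window` hit >= min_users accounts, <= max_per_user each."""
    fails = defaultdict(list)
    for ts, src, user, result in sorted(events):
        if result == "FAIL":
            fails[src].append((ts, user))
    hits = {}
    for src, items in fails.items():
        start = items[0][0]            # items are in time order (events were sorted)
        per_user = defaultdict(int)
        for ts, user in items:
            if ts - start <= window:
                per_user[user] += 1
        # Many accounts, few tries each: the low-and-slow spray signature.
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            hits[src] = sorted(per_user)
    return hits

def compromised_after_spray(events, hits):
    """Accounts that a flagged spraying source later logged into successfully."""
    return sorted({u for ts, s, u, r in events if s in hits and r == "SUCCESS"})
```

The second source (two failures on one account, then success) is the ordinary typo pattern and is deliberately not flagged.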
A successful attack provides a cybercriminal with credentials that have been verified to provide access to an employee’s account on corporate systems. The attacker can then either use these credentials themselves or sell them to another hacking group for use in ransomware campaigns, data breaches, or other attacks.
According to the 2021 Cost of a Data Breach Report by IBM and Ponemon, 20% of data breaches were caused by compromised credentials. With an average cost of $4.24 million, these password security failings carry a heavy price for impacted companies.
Legacy Solutions Are Ill-Suited to Managing Cyber Risk
The COVID-19 pandemic made remote work necessary, and many companies are planning to sustain remote work beyond the end of the pandemic and potentially indefinitely. To do so, they need to implement remote work infrastructure that reduces their security risks to a level acceptable to the organization and that complies with regulatory obligations.
Legacy remote access solutions, such as VPNs and RDP, do not give companies the ability to meet these basic needs. VPNs and RDP do not implement access controls beyond the initial login, providing an authenticated user with complete and unrestricted access to corporate resources. With the growing threat of compromised credentials and account takeover attacks, these solutions leave corporate networks vulnerable to exploitation.
ZTNA Helps Mitigate the Risk of Account Takeover Attacks
A major failing of legacy remote access solutions is their lack of access controls and support for zero trust security protocols. With unrestricted access to corporate resources, a malicious insider or compromised account places the company at risk.
ZTNA is an alternative secure remote access solution that offers security designed for the modern enterprise. Instead of providing unrestricted access to corporate assets, ZTNA evaluates access requests on a case-by-case basis and approves or denies each request based on role-based access control (RBAC) and contextual information, such as device location, timestamps, and other features. If the request is approved, the user is granted access only to the requested resource for the duration of their current session.
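As an added example, not taken from the article or any ZTNA product, the following Python sketch models the per-request decision just described: an RBAC check, then contextual checks (location, time, and a managed-device flag as the "other features"), and on approval a grant scoped to the one requested resource with a session expiry. Role tables, allowed countries, and the working-hours window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical policy data, constructed for this example.
ROLE_RESOURCES = {
    "engineer": {"git.internal", "ci.internal"},
    "finance": {"erp.internal"},
}
ALLOWED_COUNTRIES = {"US", "DE"}
WORK_HOURS = (7, 20)  # hour window: inclusive start, exclusive end

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    country: str         # device location
    device_managed: bool # an "other feature" used as context
    when: datetime       # request timestamp

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str        # only the requested resource, never the whole network
    expires: datetime    # end of the current session

def evaluate(req, session_ttl=timedelta(hours=1)):
    """Return (Grant, None) on approval or (None, reason) on denial.
    Each check denies independently; a valid credential alone is never enough."""
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return None, "rbac: role not entitled to resource"
    if req.country not in ALLOWED_COUNTRIES:
        return None, "context: unexpected location"
    if not req.device_managed:
        return None, "context: unmanaged device"
    if not (WORK_HOURS[0] <= req.when.hour < WORK_HOURS[1]):
        return None, "context: outside working hours"
    return Grant(req.user, req.resource, req.when + session_ttl), None

def is_valid(grant, resource, now):
    """A grant is good only for its own resource and only until it expires."""
    return grant.resource == resource and now < grant.expires
```

Compare this with a VPN login, where the single credential check at the start stands in for every one of these decisions.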
This approach to secure remote access protects against account takeover attacks by enabling a company to evaluate the legitimacy of each request before granting access and to restrict that access according to least privilege. ZTNA can also be deployed as part of an integrated Secure Access Service Edge (SASE) solution, which offers converged network optimization and security. Either way, it helps reduce the risk posed by compromised credentials, which are currently one of the most common ways that cybercriminals gain access for ransomware campaigns and data breaches.