If you were (are?) a cyberthreat actor, what would you do with a cache of passwords stolen during a breach? You might be crafty enough to perform a targeted brute force attack against the source, or try to monetize your list by selling it on the Dark Web. The more subversive threat actors might link the data with other sources and build a larger repository of targets in the hope that the identities compromised reused passwords amongst multiple accounts and services. The most devilish threat actors may become persistent pickpockets and hammer on your web-based accounts until they break in. If you think this not possible, check out this old school-styled attack from just a few months back against the financial sector.
In addition, one devious method threat actors will use to gain persistent access into financial accounts is to massively extract funds from ATMs all at once and provide very little time for response before the transactions are complete. The Harvard Business Review has a good article on these types of threats. They can occur from vulnerabilities and exploits, or caches of pins and passwords that have been pilfered. You essentially have a privileged attack vector and are stealing money from everyone all at once. If you think this type of cyberattack vector happened only years ago and could not happen today since the indicators of compromise are well known, you’d be mistaken.
Understanding and Mitigating Password Pickpocket Threats
Any time an individual or group knows the password(s) from another group of people or resources, a pickpocket attack could occur. The most famous such incident in recent years involved Edward Snowden (and yes, everyone in the government and security industry is absolutely sick of hearing his name). Snowden obtained credentials from his co-workers illegally to steal information using heisted passwords and authorized data access terminals (workstations) to steal information. Users were unaware of the theft, passwords were not rotated, and information was stolen piece by piece to avoid detection. This type of slow, sinister data theft also happened to Yahoo and Starwood, albeit via slightly different privileged attack forms, and not all at once.
Unfortunately, this alone is not enough to fully understand the threat. Pickpocket password threats can be insider or external threats. They can happen in our personal lives and in any business, organization, or government. The threat is truly based around the concept of one entity knowing too many credentials and passwords for someone (or something) else. The credentials have been obtained illicitly, and the perpetrator has malicious intent in reusing them.
So we are left with a security dilemma, how to mitigate this type of threat. Here are a few strategies we should embrace to minimize the risk:
- Never reuse a password across any two resources. Every application and resource should have a unique password. Never, ever use the same credentials at home and at work. For businesses, consider a password manager that can store, automatically rotate, and provision passwords to appropriate individuals by role or persona. This prevents any pickpocket from accumulating passwords since the passwords are constantly changing and follow an entitlements model.
- If the solution supports MFA or 2FA - use it. If your password ever did get out into the wild, multi-factor and 2-factor technology can help safeguard unauthorized authentication attempts if a pickpocket has obtained them. In addition, using this technology with context-aware information (like source IP) will only strengthen the security model to prevent access from unauthorized geolocations.
- Frequently change your passwords. Or, to state this another way -- do not ever let your passwords stay the same and become stale. This aligns with the first recommendation. Often times, even when we manage passwords using a password manager, we do not force password rotation frequently enough; especially in our personal lives. Consider changing passwords as frequently as you change smoke detector batteries. Hopefully you do that at least twice a year and use daylight savings time as a reminder. Now, if you are a curious cybersecurity professional, you may argue that recent NIST guidance states that you do not need to rotate a user’s passwords frequently. That is true for standard users who never share or enter credentials repeatedly into various systems. However, this is not a best practice for service accounts, privileged accounts, or any other credential/password pair that might be known by more than one individual. This ties back to our premise of why pick-pocketed passwords and knowledge of them are a threat.
As privilege attack vectors continue to evolve, all organizations need to be aware of the threat of password pickpockets. Anyone on the inside, or outside, that has a vast knowledge of passwords obtained illegally is a potential pickpocket.
If you need to solve this password security problem within your business, please check out BeyondTrust Password Safe.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.