Page 167 - Cyber Defense eMagazine March 2024
This is a big story – not just because it’s Microsoft, but precisely because of the nature of the attack. Threat actors love a “simple” hack. Credential stuffing is incredibly easy and presents a massive return on investment. Threat actors love legitimate credentials for multiple reasons, including:
1. Access – Once I have credentials, I have access to the environment.
2. Observation – I can sit quietly in an environment and watch what happens: how does the IT team work? What do your security people monitor for?
3. Escalation – Threat actors can map out a network and deploy further tools to harvest more credentials, deploy malware, or, as we saw in the Midnight Blizzard attack, read emails.
As a threat actor, if all I have to do is compromise an account, then I already have what I would normally have to expend a lot of effort to gain: legitimate credentials. Once I have legitimate credentials in an environment, it’s much easier to monitor traffic and learn what I need to do to mask my activity, making it that much harder for defenders to catch me. There’s a reason the cybercriminal ecosystem exists – by harvesting credentials and compiling them, threat actors can perpetrate these sorts of attacks and gain legitimate access to environments, at which point the ball is in their court and they have control of the game.
So how does all this tie into returning to basics? The important thing about the Microsoft story is not that it was Midnight Blizzard – it’s that it was a basic credential stuffing attack against an unprotected account. Microsoft is a three-trillion-dollar company – if this happened to them, it certainly could happen to you. Credentials are traded by cybercriminal organizations all the time, both on the clear web and the dark web. Ensuring you are doing your level best to protect your systems against these sorts of attacks will reduce your threat profile and make it that much harder for a threat actor to gain access to your environment. Make no mistake, they will gain access, but if they have to expend additional effort to get into your environment rather than relying on a simple credential stuffing attack, that gives you that much more time to detect and evict them before they can wreak havoc.
How do you return to the basics? Take these as action items for your 2024 Back to Basics checklist:
1. Use complex, unique passwords. The proliferation of password management software makes generating unique, complex passwords for accounts extremely simple. NIST recommendations around password management involve changing passwords only when compromise is suspected, or every 365 days. This puts less pressure on your users to constantly evolve passwords they have to memorize and makes monitoring easier for your security team. Combined with password managers, it is relatively easy to drastically improve the security of your passwords beyond using !Spring2024!.
2. Use multi-factor authentication. It is 2024, not 2004. Multi-factor authentication being enabled wherever possible is a must, not a maybe. The internet is chock-full of automated attacks just waiting for an unsecured account. Multi-factor authentication comes with its own challenges, but something is better than nothing when it comes to delaying tactics.
3. Monitor strange activity on accounts. If you’re using complex passwords and multi-factor authentication, then the next step is to monitor for aberrant access. If someone logs in every day from New York City, and then suddenly they log in from a foreign country, that could be an indicator of compromise. While not every odd login is malicious, all malicious logins are odd.
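As an added illustration of items 3 and the credential stuffing pattern above (example code written for this page, not from the article or Microsoft), the script below learns each user's usual login countries from constructed sample log lines, flags a success from a country that user has never been seen in, and separately flags a source IP whose failed logins spread across many different accounts. The log field layout is an assumption; map it to whatever your identity provider or VPN emits.

```python
from collections import defaultdict

# Constructed sample log (not real data): timestamp, user, source IP, country, result.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice 203.0.113.10 US success
2024-03-02T08:05:43Z alice 203.0.113.10 US success
2024-03-03T07:58:02Z alice 203.0.113.12 US success
2024-03-04T03:14:55Z alice 198.51.100.7 RO success
2024-03-04T03:15:01Z bob 198.51.100.7 RO failure
2024-03-04T03:15:02Z carol 198.51.100.7 RO failure
2024-03-04T03:15:03Z dave 198.51.100.7 RO failure
2024-03-04T03:15:04Z erin 198.51.100.7 RO failure
2024-03-04T09:30:00Z bob 203.0.113.20 US success
"""

def parse(log_text):
    """Split whitespace-separated lines into event dicts, skipping blanks."""
    fields = ("ts", "user", "ip", "country", "result")
    return [dict(zip(fields, line.split()))
            for line in log_text.splitlines() if line.strip()]

def new_country_logins(events, min_history=2):
    """Flag a successful login from a country not yet seen for that user, once
    the user has at least `min_history` earlier successes. Events must be in
    chronological order, because the baseline is learned as we go."""
    seen, successes, alerts = defaultdict(set), defaultdict(int), []
    for e in events:
        if e["result"] != "success":
            continue
        u = e["user"]
        if successes[u] >= min_history and e["country"] not in seen[u]:
            alerts.append((e["ts"], u, e["country"]))
        seen[u].add(e["country"])
        successes[u] += 1
    return alerts

def stuffing_sources(events, min_accounts=3):
    """Return source IPs whose failed logins touch >= min_accounts distinct users:
    one source trying many accounts is the credential-stuffing shape that
    per-account lockout thresholds alone do not catch."""
    failed = defaultdict(set)
    for e in events:
        if e["result"] == "failure":
            failed[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in failed.items()
            if len(users) >= min_accounts}

if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("new-country logins:", new_country_logins(evts))
    print("stuffing sources:", stuffing_sources(evts))
```

Feed it a chronological export of successful and failed logins and tune `min_history` and `min_accounts` to your environment; a VPN egress that moves users between countries will need a per-user allowlist or an ASN-based baseline instead of raw country.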
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.