As bad actors often simply waltz through companies' digital front doors with a key, here's how to keep your own door firmly locked tight
Why break a door down and set the house alarm off when you have a key and a code to walk in silently? This is the rationale behind a trend in cybersecurity where adversaries are increasingly looking to steal passwords, and even authentication tokens and session cookies to bypass MFA codes so they can access networks by masquerading as legitimate users.
According to Verizon, "use of stolen credentials" has been one of the most popular methods for gaining initial access over recent years. The use of stolen credentials appeared in a third (32%) of data breaches last year, its report notes. However, while there are several ways threat actors can get hold of credentials, there are also plenty of opportunities to stop them.
According to one estimate, over 3.2 billion credentials were stolen from global businesses in 2024, a 33% annual increase. With the access these provide to corporate accounts, threat actors can effectively slip into the shadows while plotting their next move. This might involve some more advanced forms of criminal exploitation, for example:
By working through these steps, an adversary could also carry out highly successful ransomware and other campaigns.
Threat actors have developed various ways to compromise your employees' corporate credentials or, in some cases, even their MFA codes. They include:
The past few years have been awash with real-world examples of password compromise leading to major security incidents. They include:
All of which makes it more important than ever to protect your employees' passwords, make logins more secure, and monitor the IT environment more closely for the tell-tale signs of a breach.
Much of this can be achieved by following a Zero Trust approach based around the tenet: never trust, always verify. It means adopting risk-based authentication at the "perimeter" and then at various stages within a segmented network. Users and devices should be assessed and scored based on their risk profile, which can be calculated from time and location of login, device type, and session behavior. To bolster your organization's protection from unauthorized access and to ensure compliance with regulations, rock-solid multi-factor authentication (MFA) is also a non-negotiable line of defense.
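As an added illustration of the risk-based authentication just described (example code written for this page, not from the original article or any vendor product), the scorer below rates a login on country, device, hour of day and whether an already-issued session cookie is being presented from a different device or IP, then maps the score to allow, step-up MFA or deny. The user names, IP addresses, weights and thresholds are all constructed.

```python
from dataclasses import dataclass


@dataclass
class LoginEvent:
    user: str
    ip: str
    country: str
    device_id: str
    session_id: str
    hour: int  # hour of day (0-23) of the login attempt


# Hypothetical per-user baseline; a real system derives this from login history.
BASELINE = {
    "alice": {"countries": {"GB"}, "devices": {"dev-laptop-1"}, "hours": range(7, 20)},
}

# Hypothetical session table: the device and IP that first presented each session cookie.
SESSIONS = {"sess-123": {"device_id": "dev-laptop-1", "ip": "203.0.113.10"}}


def risk_score(ev: LoginEvent) -> int:
    """Return 0-100; higher means the login looks less like the legitimate user."""
    base = BASELINE.get(ev.user, {"countries": set(), "devices": set(), "hours": range(24)})
    score = 0
    if ev.country not in base["countries"]:
        score += 30  # country never seen for this user
    if ev.device_id not in base["devices"]:
        score += 30  # device never seen for this user
    if ev.hour not in base["hours"]:
        score += 15  # outside the user's usual login hours
    sess = SESSIONS.get(ev.session_id)
    if sess and (sess["device_id"] != ev.device_id or sess["ip"] != ev.ip):
        # A known session cookie arriving from another device or IP is the
        # tell-tale sign of cookie theft used to sidestep MFA, so it weighs most.
        score += 40
    return min(score, 100)


def decision(ev: LoginEvent) -> str:
    """Map the score to allow / step-up MFA / deny; the thresholds are assumed."""
    score = risk_score(ev)
    if score >= 70:
        return "deny"
    if score >= 30:
        return "step-up-mfa"
    return "allow"


if __name__ == "__main__":
    ev = LoginEvent("alice", "198.51.100.7", "US", "dev-unknown", "sess-123", 3)
    print(risk_score(ev), decision(ev))  # 100 deny
```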
You should complement this approach with updated training and awareness programs for employees, including real-world simulations using the latest social engineering techniques. Strict policies and tools preventing users from visiting risky sites (where infostealers might lurk) are also important, as is security software on all servers, endpoints and other devices, and continuous monitoring tools to spot suspicious behavior. The latter will help you to detect adversaries that may be inside your network courtesy of a compromised credential. Indeed, organizations also need to have a way of reducing the damage a compromised account can do, for example by following the principle of least privilege. Finally, dark web monitoring can help you check if any enterprise credentials are up for sale on the cybercrime underground.
More broadly, consider enlisting the help of an expert third party via a managed detection and response (MDR) service, especially if your company is short on resources. In addition to lower total cost of ownership, a reputable MDR provider brings subject-matter expertise, round-the-clock monitoring and threat hunting, and access to analysts who understand the nuances of credential-based intrusions and can also accelerate incident response if compromised accounts are detected.