What Is a Credential-Based Attack?

Karin Shopen


What Is Credential Theft, and Why Do Attackers Want Your Credentials?

Credential theft, the first stage of a credential-based attack, is the process of stealing credentials. Attackers commonly use phishing for credential theft, as it is fairly cheap and extremely efficient. Its effectiveness relies on human involvement in an attempt to deceive employees, unlike malware and exploits, which rely on weaknesses in security defenses.

Corporate credential theft is usually a targeted effort. Attackers scour social media sites such as LinkedIn, searching for specific users whose credentials will grant them access to critical data and information. The phishing emails and websites utilized in corporate credential theft are much more sophisticated than those used for consumer credential theft. Attackers put a great deal of effort into making these emails and websites look nearly identical to legitimate corporate applications and communications.

It is in this phase of credential-based attacks that security awareness training plays a role as the first line of defense. Unfortunately, there is no guarantee that employees will identify a phishing attempt 100 percent of the time. To minimize credential theft, corporate credentials should be limited to approved applications, and usage should be blocked from unlikely or unknown applications and sites. Security products need to block corporate credentials from ever leaving the organization’s network to malicious sites.
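One way to express the "approved applications only" rule above in code, as an added example that is not part of the original post and not Palo Alto Networks' implementation: a small policy check that reads constructed credential-submission events (the `user=... url=... fields=...` log format, the `example-corp.com` domain and the `APPROVED_APPS` allowlist are all assumptions made for the example), ignores submissions that carry no password or a non-corporate account, allows corporate logins to approved applications, and blocks everything else. The host match is anchored at a dot boundary so that a lookalike host that merely starts with an approved name is still blocked.

```python
"""Policy check for corporate credential submissions (illustrative, not a product's code)."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed allowlist: the only applications where corporate logins are expected.
APPROVED_APPS = {"sso.example-corp.com", "mail.example-corp.com", "hr-portal.example-corp.com"}
CORPORATE_DOMAIN = "example-corp.com"  # assumed corporate account domain

# Constructed log format for the example: space-separated key=value pairs.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events (not real traffic).
SAMPLE_LOG = [
    'ts=2024-01-01T09:00:00Z user=alice@example-corp.com url=https://sso.example-corp.com/login fields=username,password',
    'ts=2024-01-01T09:05:00Z user=alice@example-corp.com url=https://sso.example-corp.com.login-verify.test/auth fields=username,password',
    'ts=2024-01-01T09:07:00Z user=bob@example-corp.com url=https://search.example.net/ fields=q',
    'ts=2024-01-01T09:09:00Z user=bob@personal-mail.test url=https://forum.example.net/login fields=username,password',
]


@dataclass(frozen=True)
class Submission:
    user: str            # account name the user typed into the form
    url: str             # destination the form was posted to
    fields: FrozenSet[str]  # names of the form fields that were submitted


def parse_event(line: str) -> Optional[Submission]:
    """Turn one log line into a Submission; return None if required keys are missing."""
    kv = {k: v.strip('"') for k, v in _KV.findall(line)}
    if not {"user", "url", "fields"} <= set(kv):
        return None
    fields = frozenset(f for f in kv["fields"].split(",") if f)
    return Submission(kv["user"].lower(), kv["url"], fields)


def is_corporate_account(user: str) -> bool:
    return user.endswith("@" + CORPORATE_DOMAIN)


def host_is_approved(host: str) -> bool:
    """Exact match or a subdomain of an approved app; the '.' boundary prevents
    'sso.example-corp.com.evil.test' from matching 'sso.example-corp.com'."""
    host = host.lower().rstrip(".")
    return any(host == app or host.endswith("." + app) for app in APPROVED_APPS)


def decide(sub: Submission) -> Tuple[str, str]:
    """Return (verdict, reason): verdict is 'ignore', 'allow' or 'block'."""
    if "password" not in sub.fields:
        return "ignore", "no password field submitted"
    if not is_corporate_account(sub.user):
        return "ignore", "not a corporate account"
    host = urlsplit(sub.url).hostname or ""
    if host_is_approved(host):
        return "allow", f"{host} is an approved application"
    return "block", f"corporate credential submitted to unapproved site {host}"


def run(lines: List[str]) -> List[Tuple[str, Tuple[str, str]]]:
    """Evaluate every parseable line; returns [(user, (verdict, reason)), ...]."""
    results = []
    for line in lines:
        sub = parse_event(line)
        if sub is not None:
            results.append((sub.user, decide(sub)))
    return results


if __name__ == "__main__":
    for user, (verdict, reason) in run(SAMPLE_LOG):
        print(f"{verdict:6} {user:28} {reason}")
```

On the sample events this allows the login to the corporate SSO, blocks the same credential posted to a host that only imitates the SSO name, and ignores both the search query (no password) and the personal account's login. A real deployment would source the allowlist from the application inventory and act on the `block` verdicts in the proxy or firewall rather than in a script.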

What Is Credential Abuse?

Credential abuse, the endgame of a credential-based attack, is the actual use of compromised passwords to authenticate to the applications from which attackers want to steal data. Once an attacker gets ahold of user credentials and passwords, he or she can either sell the credentials or use them to compromise an organization’s network, bypassing the security measures meant to keep an adversary out, move laterally within the network and steal data.

In an unsegmented environment, an attacker can move freely across an organization’s network. If the environment is segregated and provides visibility across users and applications, security measures can be put in place to prevent an attacker from moving laterally and gaining access to critical data.

Once an attacker has the credentials to operate like a valid user, there is very little that can be done to identify an intruder and validate that the user is really the person their credentials claim them to be. Organizations commonly implement multi-factor authentication within applications to require users to validate their identity more than once. However, doing this for every individual application used within the organization is not scalable. Implementing policy-based multi-factor authentication at the network layer, meaning in the firewall, provides the needed scale and end-user ease of use.

The Palo Alto Networks Next-Generation Security Platform stops the credential-based attack lifecycle in multiple places, from the attacker’s ability to steal credentials to the abuse of stolen credentials. The combined prevention capabilities of the Next-Generation Firewall, Threat Prevention, WildFire and URL Filtering stop known and unknown attacks used for the theft and abuse of credentials, while GlobalProtect extends the platform’s protections to mobile workforces and provides additional measures to identify the users and devices that are accessing applications.

Learn more about preventing credential theft and abuse.
