Domain credential theft has become a major issue. According to statistics, there are 15 billion stolen usernames and passwords circulating on the dark web, and credential theft grew by more than 300% from 2018 to 2020. Attackers reuse stolen domain credentials to log in to operating systems and get past the checks of the local security authority.
Cybercriminals can dump domain credentials from Local Security Authority Subsystem Service (LSASS) memory and then use tools or commands to extract passwords they can reuse. Domain credentials are normally created when logon data is authenticated by a registered security package. They can be used both within the same domain and across different domains.
Thankfully, cross-domain use still depends on the user being authenticated. To enable it, you use Active Directory trust capabilities, which allow cross-domain authentication. Even then, the second domain still has to grant permission before high-privilege operations are performed.
In this article, you will learn about seven things you can do to minimize the risk of domain credential theft.
Most system and network administrators use interactive logon when they manage remote computers. The problem with this approach is that it exposes your credentials on the remote machine, which increases the risk of those credentials being stolen. Thankfully, there are better ways to manage remote computers without leaving your credentials behind. Instead of interactive logons, you can use network logon methods and Microsoft's Restricted Admin mode for Remote Desktop. These are more secure and more effective than interactive logon.
Avoid interactive logon where possible. Where you do use it, monitor those events closely. Whenever an interactive logon takes place, an event with ID 4624 is recorded, which makes interactive logons easy to detect and lets you track which users logged in interactively. Keep an eye on the source IP addresses, the computers that performed those authentications, and the ID of the logon process.
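The monitoring described above, as an added PowerShell example that is not part of the original article: it reads recent 4624 events from the Security log, parses the event data fields, and lists only the logon types that involve credentials being entered on the machine (2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive), showing the user, source IP, workstation and logon process. The 24-hour lookback window is an assumption; reading the Security log requires an elevated session.

```powershell
# Added example (not from the article): list recent interactive logons from the
# Security log using Event ID 4624 and its LogonType field.
# Logon types that mean credentials were typed at (or relayed to) this host:
#   2 = Interactive (console), 10 = RemoteInteractive (RDP), 11 = CachedInteractive
# Type 3 (Network) logons are the kind the article recommends using instead.
$interactiveTypes = @(2, 10, 11)
$since = (Get-Date).AddHours(-24)   # assumed lookback window

# SilentlyContinue: an empty result ("no events found") is reported as an error by Get-WinEvent
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Each 4624 record carries its fields as <Data Name="..."> elements in the XML payload
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($interactiveTypes -contains [int]$data['LogonType']) {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $data['LogonType']
            SourceIP    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            LogonProc   = $data['LogonProcessName']
            Process     = $data['ProcessName']
            ProcessId   = $data['ProcessId']
        }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

A type 10 logon from an IP address outside your management subnets, or a type 2 logon by a domain admin on an ordinary workstation, is exactly the pattern that leaves reusable credentials in LSASS memory and is worth alerting on.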
Did you know that Windows 10 has a Credential Guard feature? I can bet you have not heard about this feature, let alone used it. It uses virtualization-based isolation to keep your credentials out of reach of the dumping tools cybercriminals use. That does not mean your credentials are hacker-proof, because cybercriminals can still work around Credential Guard by abusing access tokens. Instead of relying on it alone to protect your domain credentials, combine it with other security measures to increase its effectiveness.
Another step you can take to secure your domain credentials is to enable Protected Process Light (PPL) for the Local Security Authority Subsystem Service (LSASS) process. This prevents cybercriminals from dumping domain credentials from LSASS memory and stealing passwords. Attackers can still bypass it with certain tools and tactics, but it is highly recommended that you turn this feature on to protect passwords held in memory from being stolen.
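The two LSASS protections above, as an added PowerShell audit example that is not from the original article: it reports whether Credential Guard is actually running (via the Win32_DeviceGuard WMI class, where a SecurityServicesRunning value of 1 means Credential Guard) and whether LSA protection is enabled (the RunAsPPL value under the Lsa registry key), sets RunAsPPL to 1 if it is not, and looks for the System-log event that confirms LSASS started as a protected process. It assumes an elevated session on a Windows 10 or later host.

```powershell
# Added example (not from the article): audit and enable Credential Guard / LSA PPL status.
# Run in an elevated PowerShell session; RunAsPPL only takes effect after a reboot.

# 1. Credential Guard: Win32_DeviceGuard reports which virtualization-based security
#    services are running. 1 = Credential Guard, 2 = HVCI (memory integrity).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$credGuardRunning = $dg.SecurityServicesRunning -contains 1
"Credential Guard running: $credGuardRunning"

# 2. LSA Protected Process Light: controlled by the RunAsPPL DWORD under the Lsa key.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
"RunAsPPL currently: $(if ($null -eq $runAsPpl) { 'not set' } else { $runAsPpl })"

if ($runAsPpl -ne 1) {
    # Value 1 = enable LSA protection (takes effect at next boot).
    Set-ItemProperty -Path $lsaKey -Name RunAsPPL -Value 1 -Type DWord
    'RunAsPPL set to 1; reboot required for lsass.exe to start as a protected process.'
}

# 3. Confirm the protection is live: after a reboot with RunAsPPL=1, Windows writes
#    Event ID 12 to the System log stating that LSASS.exe started as a protected process.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*LSASS.exe was started as a protected process*' } |
    Select-Object -First 1 TimeCreated, Message
```

Check the audit output before and after the reboot: the registry value alone does not prove anything, since an attacker with admin rights can flip it back, so the Event ID 12 check (or a SIEM rule on its absence after boot) is the signal to watch.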
Multi-factor authentication adds an extra security layer and prevents hackers from accessing your account even if they have managed to steal your credentials. That is why most cybersecurity professionals recommend using multi-factor authentication. Yes, it might make the login process a bit more cumbersome for users, but if the security of your accounts is your main concern, you must implement multi-factor authentication.
When implementing multi-factor authentication, here are a few mistakes you should not make.
Microsoft provides a group called “Protected Users” in Active Directory. Members of this group can authenticate only with Kerberos tickets. Two of the biggest advantages of these tickets are that they expire after a short time and cannot be renewed once they expire. Because of this, the group can protect your business from credential theft and abuse.
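Putting privileged accounts into that group, as an added PowerShell example that is not part of the original article: it uses the ActiveDirectory RSAT module to add a list of admin accounts to Protected Users, skipping accounts that are already members (Add-ADGroupMember errors on duplicates), and prints the resulting membership. The account names are placeholders. The comments note the other documented effects of membership, which is why a staged rollout is sensible: members cannot authenticate with NTLM, cannot use DES or RC4 Kerberos encryption, cannot be delegated, and get a four-hour, non-renewable TGT.

```powershell
# Added example (not from the article): add privileged accounts to Protected Users.
# Requires the ActiveDirectory module (RSAT) and rights to modify the group.
# Membership has side effects beyond short ticket lifetimes: no NTLM, no DES/RC4
# Kerberos, no delegation, and a 4-hour non-renewable TGT. Add one account, test the
# admin workflows that account uses, then add the rest.
Import-Module ActiveDirectory

$group    = 'Protected Users'
$accounts = @('alice.admin', 'bob.admin')   # placeholder sAMAccountNames

# Current members, so the script can be re-run safely
$current = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName

foreach ($sam in $accounts) {
    $user = Get-ADUser -Identity $sam -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "Account $sam not found; skipping"; continue }
    if ($current -contains $sam) { "$sam is already a member of $group"; continue }

    Add-ADGroupMember -Identity $group -Members $user
    "Added $sam to $group"
}

# Show the final membership for the change record
Get-ADGroupMember -Identity $group | Select-Object SamAccountName, ObjectClass
```

Do not put service accounts or computer accounts in this group: anything that still relies on NTLM or on Kerberos delegation will stop authenticating the moment it becomes a member.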
Last but certainly not least, think like a cybercriminal. Once you start seeing vulnerabilities from a hacker’s perspective, you can do a much better job of mitigating the risk of cyberattacks. You can also launch mock attacks against your dedicated servers or cloud network to identify weaknesses in your systems. This allows you to close those loopholes before cybercriminals exploit them.
Attack-centric exposure prioritization is another effective method. It starts by identifying all your critical assets and all the critical paths attackers could follow to reach them. Once the critical path to a critical asset is outlined, it produces a remediation plan that helps your security team take the right steps to limit the damage cybercriminals can do.
How do you mitigate the risk of domain credential theft? Share it with us in the comments section below.