Mitigating the Use of Stolen Credentials
Download ACSC Protect: Mitigating the Use of Stolen Credentials (PDF), January 2019
First published 2012; updated 2012 and January 2019
Australian Government information is vulnerable to compromise through the use of stolen legitimate credentials on agency networks. These risks increase when users access sensitive information and services via remote access solutions, including Virtual Private Networks (VPN). This document explains the risks posed by the use of stolen credentials and how they can be mitigated.
Adversaries can impersonate a user without their knowledge
Stolen credentials can be used by an adversary to circumvent security measures which an organisation has implemented to protect sensitive information and services. With these legitimate credentials, an adversary can impersonate a user without their knowledge.
With legitimate credentials, an adversary can use remote access solutions to mask their activities and avoid detection. Failure to regularly audit logs from remote access solutions increases the risk and extent of a compromise.
While multi-factor authentication provides an additional layer of security, some implementations are more effective than others. Multi-factor authentication that has not been implemented or configured properly can result in a false sense of security and leave an organisation vulnerable.
The Essential Eight from the Strategies to Mitigate Cyber Security Incidents should be implemented as a minimum on networks. However, organisations that allow personnel to access their network via remote access solutions should implement the following additional mitigation strategies:
- Disable LanMan password support and cached credentials on workstations and servers, to make it harder for adversaries to crack password hashes.
- Implement network segmentation and segregation into security zones to protect sensitive information and critical services such as key business systems, user authentication and user directory information. Organisations should assign remote users with a lower level of trustworthiness and limit what they can remotely access on the organisation’s network. This includes not allowing direct remote access for privileged accounts.
- Centralise and time-synchronise logging of successful and failed computer events, and conduct regular log analysis. Logs should be stored and retained for at least 18 months. Analysis should focus on network administrators, senior executives and their personal support staff, and network access via remote access solutions.
- Monitor for:
- remote access credentials being used from two different IP addresses simultaneously
- remote access credentials being used from an IP address that geolocates to a country that a user is not physically located in
- remote access credentials being used from IP addresses that geolocate to different countries, where the elapsed time between the VPN accesses is insufficient for the user to have travelled between the countries
- a single IP address attempting to authenticate as multiple different users
- changes to the properties of user accounts, for example, activating the options ‘password never expires’, ‘enable reversible password encryption’, or ‘no lockout after X incorrect password attempts’.
- the re-enablement of previously disabled user accounts or addition of new user accounts.
The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations' systems.
The Strategies to Mitigate Cyber Security Incidents complement the advice in the ISM.
Further information on the use of remote desktop clients for remote access, including associated risks, can be found in Using Remote Desktop Clients.
Organisations or individuals with questions regarding this advice can contact the ACSC by emailing firstname.lastname@example.org or calling 1300 CYBER1 (1300 292 371).