Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog

Cybersecurity Blog

Thought leadership. threat analysis, news and alerts.

Why Single Factor Authentication Isn’t Enough to Protect Your Organization’s Network

2/29/2020

0 Comments

 
single factor authentication

Why Single Factor Authentication Isn’t Enough to Protect Your Organization’s Network

Many of today’s cyberattacks have been successful, not because of advanced technology but because of one often ignored fact: the use of single factor authentication.

What Is Single Factor Authentication?

Single factor authentication is a cybersecurity measure that relies on the use of a username and password pair. While single factor authentication is commonly used in emails, this cybersecurity measure is also common as a perceived defensive measure in protecting endpoints – devices such as desktops and laptops that connect to a computer network and communicates back and forth with the network resources.

RDP Brute-Force Attacks

Single factor authentication has surprisingly been used as a defensive measure in protecting RDP, short for remote desktop protocol. RDP, a proprietary protocol developed by Microsoft, provides users with a graphical interface to connect to another computer over a network connection. In brute-forcing an RDP, a malicious actor attempts to sign in to an RDP with an administrator account by effectively guessing the correct username and password combination through a trial-and-error method. By successfully guessing the correct username and password combination, a malicious actor can gain access to a target computer and conduct further malicious activities such as stealing data, drop a ransomware or used the compromised computer for cryptocurrency mining.

In the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks" published in December 2019, Microsoft Defender ATP Research Team reported that out of nearly 45,000 computers that had both RDP public IP connections and at least one network failed sign-in, the team found that, on average, several hundred computers per day had high probability of experiencing one or more RDP brute force attack attempts.

API Credential Stuffing Attacks

Threat actors also exploit the use of a single factor authentication in gaining access to the victims’ IT infrastructure such as cloud server through credential stuffing attacks. In a credential stuffing attack, an attacker uses the single factor authentication credentials stolen from other data breaches.

The difference between credential stuffing attack and brute force attack is that in credential stuffing attack, guesses are based on the stolen usernames and passwords, while in brute force attack, guesses have no bases at all, with some attempts using characters at random.

In the past 10 years, billions of username and password combinations have been stolen from different individuals and organizations around the globe. These stolen usernames and passwords are publicly made available online, while others are sold online on the dark web.

Haveibeenpwned, a site that allows internet users to check whether their personal data has been compromised by data breaches has within its records millions of user accounts. In April 2019, the group known as “GnosticPlayers” released online breached records of nearly one billion users, including usernames and passwords.

While the success rate of credential stuffing attacks is only about 0.1% – which means that for every 1,000 attempts, roughly only one will succeed, the sheer volume of stolen single authentication credentials makes credential stuffing worth it. The success rate of 0.1%, for instance, for one million attempts could lead to nearly 1,000 successful cracked accounts.

APIs, short for application programming interfaces, are favourite targets by malicious actors in their credential stuffing attacks. An API allows two systems to communicate with one another. APIs allow easy access to a third-party platform, for instance, cloud storage. From December 2017 to November 2019, Akamai reported that it observed nearly 85.5 billion credential stuffing attacks across its customer base. Out of the 85.5 billion credential stuffing attacks, Akamai said 16.5 billion of these attacks were directed against hostnames that were clearly identified as API endpoints – referring to one end of a communication channel such as a URL of a server.

Brute force attackers and credential stuffing attackers are unstoppable because systems allow users to guess as many username and password combinations without limit. While some mitigate these two types of attacks through throttling, attackers bypass throttling by staging a low and slow approach.

Akamai reported that credential stuffing attackers take advantage of the unlimited guesses by guessing tens of thousands of credentials in minutes. Microsoft Defender ATP Research Team, meanwhile, reported that RDP brute force attacks often last for 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more.

Botnets

Cybercriminals are able to launch millions of these brute force and credential stuffing attacks in just a short span of time through the use of internet bots – referring to software applications that run automated tasks over the internet. To automate brute force or credential stuffing attacks, botnets are used by attackers. Botnets refer to a group of hijacked computers and controlled by cybercriminals to conduct malicious activities such as brute force attacks, credential stuffing attacks and distributed denial-of-service (DDoS) attacks.

By utilizing botnets, attackers are able to launch several login attempts simultaneously. The use of botnets or group of hijacked computers makes it appear that the login attempts come from different computers from different locations. Some botnets hijacked a few thousands and some hijacked millions of computers. The use of botnets bypasses security measures such as banning IP addresses with too many failed logins.

The use of multi-factor authentication effectively blocks brute force and credential stuffing attacks. In multi-factor authentication, aside from the correct username and password combination, a user is asked to provide additional information such as access token, face ID or a fingerprint – generally, things that bots can’t provide.

While we always recommend a multi-factor authentication, in many cases, businesses don’t evaluate basic IT controls and fall victim to cyberattacks.

Connect with us today and our team will evaluate your IT controls to ensure that decision makers understand the business impact and clearly understand what they need to focus on, both long and short-term.

0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    ATP
    Awareness Training
    Botnet
    Bots
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    Social Engineering
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security

    RSS Feed

1.888.900.DRIZ (3749)

Managed Services
Web Application Security
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
About us
Testimonials
​Meet the Team
​Subsidiaries
​
Contact us
​
Blog
Resources & Tools
​Incident Management Playbook
Privacy Policy | CASL
Copyright © 2021 Driz Group Inc. All Rights Reserved.
Photo used under Creative Commons from GotCredit