Illusive Blog November 30, 2022

Anatomy of an ATO: How to Prevent and Detect Account Takeover Attacks

By Mark Jaffe
Account Takeover, ITDR

Account takeover attacks (ATO) are horrible – with an emphasis on horror. Movies like Invasion of the Body Snatchers have incorporated tropes like evil twins and assimilation because they tap into a primordial fear of the unknown, making it impossible to know who to trust.

Unfortunately, for most security teams, this is their reality. Once a threat actor gains access to a sufficiently privileged identity – like an alien assimilating its victim – they can go wherever they want to go and do whatever they want to do, under the guise of the privileged account they have compromised.

Threat actors are increasingly focused on privileged identity ATOs because a valid privileged credential lets them compromise an organization far more easily and quietly than finding and exploiting a software vulnerability does. ATOs let attackers finish their operation in days instead of months, with minimal risk of detection.

Dissecting an ATO

An ATO typically begins with access to an enterprise account on an endpoint, obtained via phishing, malware that steals cached credentials, or even a malicious insider. There is a robust black market on the dark web, where initial access brokers sell VPN and RDP credentials to the highest bidder. Alternatively, attackers gain access through brute force or password spraying, or by Kerberoasting: requesting Kerberos service tickets for accounts that have a service principal name (SPN) and cracking the tickets offline, which succeeds quickly against privileged service accounts with weak passwords.

Once an attacker establishes an endpoint beachhead, they use open source attack tools to gain the Local Administrator privileges needed to disable endpoint security agents (e.g., EDR). With a low risk of being detected, they most commonly download further tools that harvest credentials held in the local system's memory (for example, the LSASS process) and credentials saved on the endpoint in browsers and other applications. The attacker then uses whatever credentials they discover to continue lateral movement and privilege escalation on the way to their ultimate goal, whether that is establishing persistence, a data breach or ransomware.

Cybercriminals are taking advantage of this low-hanging fruit because organizations have large numbers of privileged accounts and continue to provision more and more, to both internal employees and third parties, overwhelming their ability to fully deploy and manage the complex systems required to protect all of these accounts.

For an example of an ATO, a widely-reported Lapsus$ attack resulted in the extortion group gaining control of Admin access across several services. The attack began through a compromised RDP session, which the attacker used to escalate their privileges and terminate the FireEye endpoint agent, leaving Lapsus$ undetectable. From there, Lapsus$ used Mimikatz, an open source credential dumping tool, to steal passwords from LastPass, a password manager. Using these passwords, Lapsus$ was able to create a new user account and add that user to the TenantAdmin group. Game over!

The victim of this attack reported that there were no indicators of compromise (IOCs). Attackers count on this: even setting aside their ability to terminate endpoint security agents, it is very hard for a security team to distinguish a legitimate user from an adversary who has taken over that user's account.
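"No IOCs" means no malware hash or known-bad address, but the chain above still leaves identity telemetry in the Windows Security log: a Kerberoasting run shows up as one account requesting RC4 service tickets for many service accounts in a short window (event 4769), and the create-an-account-then-make-it-admin step shows up as event 4720 followed within minutes by 4728/4732/4756. The following detection logic is an added example written for this post, not code from Illusive or from the incident write-up; the event records are constructed inline, the field names are shortened from the Windows event schema, and the thresholds and privileged-group list are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events (NOT from any real incident), reduced to the
# fields the rules need. Shortened field names, from the Windows event schema:
#   4769 service ticket request: user=TargetUserName (requester), service=ServiceName,
#        enc=TicketEncryptionType (0x17 = RC4-HMAC, 0x12 = AES256)
#   4720 account created: subject=SubjectUserName (creator), target=TargetUserName
#   4728/4732/4756 member added to group: subject=who added, group=TargetUserName,
#        target=MemberName (assumed already normalized to a SAM name; the raw event has a DN)
EVENTS = [
    {"t": "2022-11-30T09:00:01", "id": 4769, "user": "jdoe", "service": "svc_sql01", "enc": "0x17"},
    {"t": "2022-11-30T09:00:02", "id": 4769, "user": "jdoe", "service": "svc_web", "enc": "0x17"},
    {"t": "2022-11-30T09:00:02", "id": 4769, "user": "jdoe", "service": "svc_sql02", "enc": "0x17"},
    {"t": "2022-11-30T09:00:03", "id": 4769, "user": "jdoe", "service": "svc_exchange", "enc": "0x17"},
    {"t": "2022-11-30T09:00:04", "id": 4769, "user": "jdoe", "service": "svc_backup", "enc": "0x17"},
    {"t": "2022-11-30T09:00:05", "id": 4769, "user": "jdoe", "service": "svc_sccm", "enc": "0x17"},
    # Ordinary user with two AES tickets over the day: never flagged.
    {"t": "2022-11-30T09:30:00", "id": 4769, "user": "mwhite", "service": "fs01$", "enc": "0x12"},
    {"t": "2022-11-30T11:30:00", "id": 4769, "user": "mwhite", "service": "svc_web", "enc": "0x12"},
    # Benign account creation with no follow-up group change: not flagged.
    {"t": "2022-11-30T08:05:00", "id": 4720, "subject": "hr_provisioner", "target": "newhire"},
    # Escalation step: account created, then added to a privileged group 2.5 minutes later.
    {"t": "2022-11-30T10:15:00", "id": 4720, "subject": "svc_backup", "target": "support_tmp"},
    {"t": "2022-11-30T10:17:30", "id": 4728, "subject": "svc_backup", "target": "support_tmp",
     "group": "Domain Admins"},
]

# Assumed list; extend with your own tier-0 groups (e.g. the TenantAdmin group in the example above).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
RC4_HMAC = "0x17"


def _ts(event):
    return datetime.fromisoformat(event["t"])


def detect_kerberoast_burst(events, min_services=5, window=timedelta(minutes=5)):
    """Flag a user that obtains RC4 service tickets for >= min_services distinct service
    accounts within `window`. Machine accounts (trailing $) and krbtgt are skipped because
    they produce RC4 traffic legitimately; a single RC4 ticket is not suspicious, a burst is."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] != 4769 or e["enc"] != RC4_HMAC:
            continue
        if e["user"].endswith("$") or e["service"].lower() == "krbtgt":
            continue
        by_user[e["user"]].append((_ts(e), e["service"]))
    hits = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # sliding window anchored at each request
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                hits.append({"rule": "kerberoast_burst", "user": user,
                             "services": len(services), "first_seen": start.isoformat()})
                break
    return hits


def detect_new_privileged_account(events, window=timedelta(minutes=30)):
    """Flag an account added to a privileged group within `window` of its creation.
    4728 = global group, 4732 = local group, 4756 = universal group."""
    created = {}  # account name -> (creation time, creator)
    hits = []
    for e in sorted(events, key=lambda ev: ev["t"]):  # ISO-8601 strings sort chronologically
        if e["id"] == 4720:
            created[e["target"]] = (_ts(e), e["subject"])
        elif e["id"] in (4728, 4732, 4756) and e.get("group") in PRIVILEGED_GROUPS:
            if e["target"] in created:
                t_created, creator = created[e["target"]]
                gap = _ts(e) - t_created
                if gap <= window:
                    hits.append({"rule": "new_account_to_privileged_group", "account": e["target"],
                                 "group": e["group"], "created_by": creator, "added_by": e["subject"],
                                 "minutes_between": gap.total_seconds() / 60})
    return hits


def run_all(events=EVENTS):
    return detect_kerberoast_burst(events) + detect_new_privileged_account(events)


if __name__ == "__main__":
    for hit in run_all():
        print(hit)
```

Both rules key on identity behaviour rather than on file or network indicators, which is why they survive an attacker who has killed the EDR agent: the events are generated by the domain controller, not by the compromised endpoint. The second rule is deliberately narrow (creation and group change within one window); a production version would also alert on any addition to a tier-0 group regardless of account age.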

So how exactly is an organization supposed to prevent and detect an attack with no IOCs?

How to Prevent and Detect ATOs

There are many challenges with preventing and detecting an account takeover attack, but ultimately all roads lead to identity security. Preventing ATOs requires a fundamental approach to basic identity security hygiene: ensuring that privileged accounts are enrolled in privileged access management (PAM) solutions as soon as possible, enforcing strong password policies, eliminating unintended shadow admin accounts, and removing cached credentials from endpoints – just to name a few.

Illusive research has revealed that unmanaged, misconfigured and exposed identity vulnerabilities, which are exploited in ATOs, are present on 1-in-6 enterprise endpoints. Furthermore, the theft of cached credentials has become the most common attack.

It is simple to say that organizations need to clean cached credentials off their endpoints or to enroll privileged accounts into PAM, but, just like building any healthy habit, it is usually easier said than done. Without going into too many details, organizations are hampered by a lack of visibility into these misconfigurations and exposures; you can read more about these issues with PAM deployments.

On the other hand, some identity vulnerabilities cannot be remediated, such as credentials hard-coded into legacy applications. In these instances, detection has to serve as a compensating control. The challenge is that behavioral analysis struggles to separate an adversary using a valid privileged account from that account's legitimate owner, and where it does raise anomalies it tends to do so with an unmanageable rate of false positives and false negatives.

However, deception technology is able to provide high-fidelity detection of account takeover attacks. Modern deception technology has evolved beyond honeypots (which are far too easily detected and avoided by attackers) by peppering endpoints with highly realistic and believable identities, services, network pathways and other artifacts. When an attacker interacts with one of these fake artifacts, a high-confidence alert is triggered, because the deceptions are planted in places that end users should never interact with.
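The high-fidelity property comes from the fact that a planted credential has exactly one legitimate use count: zero. The sketch below is an added example written for this post (not Illusive's implementation) of the minimum a practitioner needs to run deception credentials well: every endpoint gets its own decoy username derived from a key kept off the endpoints, so that when a logon attempt names that decoy the alert also tells you which host the credential was lifted from. The logon records, hostnames and the secret key are all constructed for the example.

```python
import hashlib
import hmac

# Assumption: this key lives in the deception server / SIEM, never on the endpoints.
# With it, any decoy name can be mapped back to its host without shipping a list around.
DEPLOYMENT_KEY = b"constructed-example-key-replace-per-deployment"


def decoy_for_host(hostname):
    """Derive a deterministic, unguessable decoy username for one endpoint.
    Looks like an ordinary service account to an attacker reading the credential
    store, but the tag is unique per host, which is what gives the alert attribution."""
    tag = hmac.new(DEPLOYMENT_KEY, hostname.lower().encode(), hashlib.sha256).hexdigest()[:8]
    return f"svc-backup-{tag}"


def build_registry(hostnames):
    """decoy username -> hostname it was planted on (kept server-side)."""
    return {decoy_for_host(h): h for h in hostnames}


# Constructed logon events in the shape of Windows 4624 (success) / 4625 (failure).
# The decoy accounts do not exist in the directory, so an attacker replaying one
# produces a failure at the DC, and that failure is the alert.
LOGONS = [
    {"t": "2022-11-30T10:02:11", "id": 4624, "user": "jdoe", "src": "10.0.5.20", "host": "fs01"},
    {"t": "2022-11-30T10:02:40", "id": 4624, "user": "svc-backup", "src": "10.0.9.3", "host": "fs01"},
    {"t": "2022-11-30T10:05:07", "id": 4625, "user": decoy_for_host("ws-finance-07"),
     "src": "10.0.5.41", "host": "dc01"},
]


def detect_decoy_use(events, registry):
    """Any authentication naming a decoy is a critical alert: no user should ever
    type it, so there is no behavioural baseline to argue with. The registry lookup
    gives the planted-on host, i.e. the endpoint the attacker already controls."""
    alerts = []
    for e in events:
        name = e["user"].lower()
        if name in registry:
            alerts.append({
                "severity": "critical",
                "decoy": name,
                "planted_on": registry[name],        # endpoint that was compromised
                "attempted_from": e["src"],          # where the attacker is now
                "against": e["host"],
                "outcome": "success" if e["id"] == 4624 else "failure",
                "time": e["t"],
            })
    return alerts


if __name__ == "__main__":
    registry = build_registry(["ws-finance-07", "ws-eng-12", "ws-hr-03"])
    for alert in detect_decoy_use(LOGONS, registry):
        print(alert)
```

Note the real service account `svc-backup` on the second line does not match, because the registry is keyed on the full decoy name rather than on a prefix. The name derivation is an assumption for the example; the point it illustrates is that the decoy must be unique per host, otherwise the alert says "someone used a fake credential" but not "from which machine they took it".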

Illusive Identity Threat Detection and Response

Illusive's identity threat detection and response (ITDR) solution, comprising Illusive Spotlight and Illusive Shadow, enables organizations to prevent and detect account takeover attacks (as well as a wide variety of other identity-related threats).

Illusive Spotlight automatically and continuously delivers comprehensive visibility into unmanaged, misconfigured and exposed identity vulnerabilities with the context security teams need to prioritize their remediation efforts. In fact, organizations can even automate the remediation of certain tasks that will not negatively impact the business, such as eliminating exposed credentials from endpoints.

Illusive Shadow delivers high-fidelity deception-based detection for vulnerable identities that cannot be remediated, and detects attacker lateral movement that other security controls, such as endpoint and network systems, fail to detect.

How confident are you that traditional security controls can prevent and detect account takeover attacks? Learn why Illusive has been put to the test by more than 140 red teams without fail. Contact Illusive today to learn more about our ITDR solution.
