February 19, 2021

WHY ARE WE NOT WORRIED ABOUT CREDENTIAL DUMPING?

Dan Gould

Why would attackers force their way in when all they need to do is log in? This not-so-rhetorical question is at the heart of how attackers move laterally with stolen credentials – something happening with increasing frequency.

This lateral movement is based on “credential dumping.” How does credential dumping work? These attacks extract (or “dump”) logon credentials out of a system’s memory, often with tools like Mimikatz, and then reuse those same credentials to log into other systems. If an attacker is in luck, the system they compromise still holds credentials from past admin logons in memory.

We saw it in the SolarWinds attack and in Ryuk ransomware attacks, too. Malwarebytes’ 2021 State of Malware report shows a 173% increase in the use of hacking tools like credential dumping.

Given its prominence we wanted to understand how seriously cybersecurity defenders take this.

Who cares? Not that many of us, apparently.

Would you believe it if I said that people are not overly concerned about credential dumping? In our recent survey, we asked corporations about their cybersecurity measures as they transition back to the office, posing a simple question:

Are you worried about Mimikatz or other credential-dumping tools used to move laterally?

Worried about Mimikatz

36%: Not sure

The survey respondents were mainly IT/network and security practitioners. A “not sure” answer does not always translate to “not worried about,” of course, and some respondents in networking were surely unaware of their organization’s efforts to combat credential dumping. Still, some of those who answered “not sure” are genuinely uncertain whether their organization is taking appropriate precautions.

33%: No, not worried

We see credential dumping as a very common technique by modern attackers, and still, a third of respondents tell us they are not worried. It is worrisome that they are not worried.

31%: Yes, worried

Less than a third of respondents acknowledge that they are worried about Mimikatz. Rightfully so.

Importantly, only 31% of respondents confirmed that they are indeed concerned about Mimikatz and credential dumping. We followed up with those who answered “Yes” to inquire about how they intend to fight credential dumps.

What precautions for Mimikatz or other credential dumping tools has your organization taken?

Nearly half rely on their EDR’s built-in detections for Mimikatz and similar tools, which is certainly helpful. A quarter of respondents look to privileged access management tools for protection against credential dumping, while 38% rely on controls from Microsoft like Credential Guard or Active Directory protected user groups.
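The EDR detections mentioned above mostly key on the same signal: a credential-dumping tool has to open a handle to lsass.exe with memory-read access before it can extract anything, and Sysmon records that as a ProcessAccess event (Event ID 10) with the requesting process and the access mask it was granted. The following is an added example, not code from Illumio or from the survey report, showing that detection logic run over a handful of constructed Sysmon-style log lines. The pipe-delimited record layout, the access masks, the file paths and the allowlist of benign LSASS readers are all assumptions made for the example; a real deployment would baseline its own environment.

```python
"""Flag suspicious LSASS process-access events (Sysmon Event ID 10).

Added example, not part of the original post. The log records below are
constructed to illustrate the detection logic; they are not real telemetry.
"""

# PROCESS_VM_READ: the access right needed to read another process's memory.
PROCESS_VM_READ = 0x0010

# Constructed allowlist of Windows components that legitimately touch LSASS.
# Paths are stored lowercase so comparisons are case-insensitive.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def parse_event(line):
    """Parse a 'Key=Value|Key=Value' record (assumed layout) into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_suspicious_lsass_access(event):
    """True when a non-allowlisted process opened lsass.exe with VM_READ."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    try:
        granted = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False  # malformed mask: do not guess
    if not granted & PROCESS_VM_READ:
        return False  # handle cannot read memory, so no dump is possible
    source = event.get("SourceImage", "").lower()
    return source not in BENIGN_SOURCES


def find_lsass_dumping(lines):
    """Return (SourceImage, GrantedAccess) for every suspicious LSASS access."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious_lsass_access(event):
            hits.append((event["SourceImage"], event["GrantedAccess"]))
    return hits


# Constructed sample log: one hit (unknown binary reading LSASS memory),
# three benign or read-less LSASS accesses, one unrelated event.
SAMPLE_LOG = [
    "EventID=10|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000",
    "EventID=10|SourceImage=C:\\Users\\alice\\Downloads\\mk.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010",
    "EventID=10|SourceImage=C:\\Program Files\\Windows Defender\\MsMpEng.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1438",
    "EventID=10|SourceImage=C:\\Windows\\System32\\taskmgr.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1400",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    for source, access in find_lsass_dumping(SAMPLE_LOG):
        print(f"suspicious LSASS access: {source} (GrantedAccess={access})")
```

The check deliberately tests the PROCESS_VM_READ bit rather than matching exact masks, so variants that request a superset of rights are still caught; the cost is that the allowlist must be kept accurate, since anything on it can read LSASS memory unnoticed.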

Mimikatz precautions

As we transition to a hybrid workforce, we can expect attackers to use credential dumping as a key technique given its effectiveness in “living off the land” and given the fact that defenders are ill-prepared to face such attacks.

How does your organization rank in preparedness for a return to the office? And what can you do to protect your business, whether employees are on or off the campus network? Download a copy of the report for more on our findings and insights: Security Risks 2021: Ransomware and the Return to the Office.

If you’d like more information on credential dumping, please see our blog post, Take me to your domain controller. The MITRE ATT&CK Framework further outlines OS credential dumping here.
