Cyber Resilient Architecture: Leveraging Cyber Threat Intelligence to Combat Credential Theft leading to Insider Threats
Hi all! It’s been a while since I’ve shared technical insights on Medium, and today’s deep dive into Cyber Threat Intelligence (CTI) from a technical perspective is based on a recent, critical experience in my organization.
In my final week at work, a rumor of breached credentials triggered a full-scale forensic investigation. Using Google Cloud logs alone, we uncovered a staggering reality: approximately 30,000 credentials had been compromised. This discovery led us to develop a robust approach for monitoring potential credential theft by stealer malware.
Our action plan is straightforward yet effective: once we confirm that a user’s computer is infected with stealer malware (based on the metrics we set up), we immediately lock the affected credentials. The user must then clean their PC before regaining access, ensuring our network’s continued security.
This real-world application of CTI principles not only resolved an immediate threat but also enhanced our overall security posture, demonstrating the practical value of the techniques discussed in this article.
Introduction to Cyber Threat Intelligence (CTI)
In today’s rapidly evolving digital landscape, organizations face an ever-increasing array of cybersecurity challenges. Among these, insider threats and credential theft have emerged as particularly insidious risks. To effectively combat these threats, enterprises are turning to Cyber Threat Intelligence (CTI) as a crucial component of their security strategy.
Cyber Threat Intelligence refers to the collection, analysis, and dissemination of information about current and potential cyber threats. This intelligence enables organizations to make informed decisions about their security posture and respond proactively to emerging risks. CTI goes beyond simple data collection; it involves the synthesis of raw data into actionable insights that can guide security operations and strategic planning.
Key aspects of CTI include:
- Threat Identification: Recognizing potential threats before they materialize into actual attacks.
- Risk Assessment: Evaluating the potential impact of identified threats on the organization.
- Trend Analysis: Identifying patterns in cyber attack methodologies and targets.
- Proactive Defense: Implementing preventative measures based on intelligence insights.
In the context of insider threats and credential theft, CTI plays a pivotal role. It helps organizations:
- Detect anomalous behavior that may indicate compromised credentials
- Identify patterns of access that could suggest insider activity
- Understand the latest techniques used by attackers to steal and exploit credentials
- Implement targeted security measures to protect against specific, known threats
By integrating CTI into their cybersecurity framework, organizations can shift from a reactive to a proactive security stance. This approach is particularly valuable in addressing insider threats, where traditional perimeter-based security measures may be ineffective.
The Growing Threat of Insider Attacks
Insider threats represent a unique and increasingly prevalent challenge. Unlike external attacks, insider threats originate from within the organization, often exploiting legitimate access to systems and data. This section explores the nature of insider threats, their growing impact, and why they pose such a significant risk to organizations.
Defining Insider Threats
Insider threats can be categorized into three main types:
- Malicious Insiders: Employees or contractors who intentionally misuse their access to harm the organization, often motivated by financial gain, revenge, or ideology.
- Negligent Insiders: Well-meaning individuals who unintentionally cause security breaches through carelessness, lack of awareness, or failure to follow security protocols.
- Compromised Insiders: Legitimate users whose credentials have been stolen or whose systems have been compromised, allowing attackers to operate under the guise of a trusted insider.
The Increasing Prevalence of Insider Attacks
Recent years have seen a significant uptick in insider-related incidents:
- According to the 2021 Ponemon Cost of Insider Threats Global Report, the number of insider incidents has increased by 47% since 2018.
- The average cost of insider threats has risen to $11.45 million per incident, a 31% increase from 2018.
- Credential theft, a key component of compromised insider attacks, has become the most expensive and time-consuming to resolve.
Why Insider Threats Are Particularly Dangerous
Several factors contribute to the heightened risk posed by insider threats:
- Trusted Access: Insiders often have legitimate access to sensitive systems and data, making their actions harder to distinguish from normal operations.
- Knowledge of Systems: Insiders understand the organization’s infrastructure, security measures, and valuable assets, allowing them to target critical resources more effectively.
- Prolonged Dwell Time: Insider attacks often go undetected for extended periods, increasing potential damage.
- Difficulty in Detection: Traditional security measures focused on external threats may not be effective against insider activities.
- Psychological Factors: The betrayal of trust involved in insider attacks can have severe impacts on organizational morale and reputation.
Authentication and Its Impact on Security
The critical role of authentication in security cannot be overstated:
- CVSS Scoring: In the Common Vulnerability Scoring System (CVSS), authentication significantly affects the overall score. Vulnerabilities that can be exploited without authentication are generally considered more severe, highlighting the importance of robust authentication mechanisms.
- Relaxed Security Post-Authentication: Many organizations implement more relaxed security measures for authenticated users. For instance:
  - Web Application Firewalls (WAF) often have less stringent rules for authenticated sessions.
  - Access controls may be less granular once a user is authenticated, potentially allowing for greater lateral movement.
Implications for Insider Threats: This relaxation of security post-authentication underscores the potential damage that can be done by compromised insider accounts. Once an attacker gains access to valid credentials, they may face fewer obstacles in navigating the system and accessing sensitive data.
The Role of CTI in Combating Insider Threats
Cyber Threat Intelligence plays a crucial role in addressing the insider threat challenge:
- Behavioral Analysis: CTI can help establish baselines of normal user behavior, making it easier to detect anomalies that may indicate insider activity or compromised credentials.
- Threat Profiling: By understanding common insider threat patterns, organizations can implement targeted monitoring and prevention strategies, even for authenticated users.
- Contextual Awareness: CTI provides the context needed to distinguish between legitimate activities and potential threats, reducing false positives and helping to identify misuse of authenticated access.
- Proactive Mitigation: Insights from CTI can guide the implementation of security controls and policies specifically designed to mitigate insider risks, including more nuanced security measures for authenticated users.
Credential Theft as an Initial Attack Vector
In the landscape of cyber threats, credential theft has emerged as a prevalent and particularly dangerous initial attack vector. This section explores the concept of credential theft, its role in broader attack strategies, and the rising threat of stealer malware.
Understanding Credential Theft
Credential theft refers to the unauthorized acquisition of user authentication information, typically including usernames and passwords. This can occur through various methods:
- Phishing attacks
- Malware infections
- Social engineering
- Brute force attacks
- Exploitation of weak or reused passwords
Once obtained, these stolen credentials can serve as a foothold for attackers to gain initial access to an organization’s systems.
The Role of Stolen Credentials in Attack Chains
Stolen credentials often serve as the first step in more complex attack chains:
- Initial Access: Attackers use stolen credentials to log into systems legitimately, bypassing perimeter defenses.
- Privilege Escalation: Once inside, attackers may leverage the initial access to obtain higher-level privileges.
- Lateral Movement: With a foothold established, attackers can move laterally within the network, potentially accessing more sensitive areas.
- Persistence: Stolen credentials can be used to maintain long-term access, even if the initial attack vector is discovered and mitigated.
The Rise of Stealer Malware
Stealer malware has become an increasingly popular tool for credential theft:
- Definition: Stealer malware is designed specifically to harvest credentials and other sensitive information from infected systems.
- Functionality: Modern stealers can extract credentials from web browsers, email clients, FTP clients, and VPN configurations.
- Automation: Stealer malware often automates the process of extracting and exfiltrating credentials, making large-scale theft more feasible.
- Dark Web Economy: Stolen credentials are frequently sold on dark web marketplaces, creating a thriving economy around credential theft.
Challenges in Detecting Credential Theft
Several factors make credential theft particularly challenging to detect:
- Legitimate-Looking Access: Since stolen credentials are valid, their use often appears legitimate to security systems.
- Varied Attack Surfaces: Credentials can be stolen from numerous points — endpoints, network traffic, cloud services — requiring comprehensive monitoring.
Understanding Stealer Malware HTTPS Workarounds: Pattern Varieties and Exfiltration
In the landscape of cyber threats, stealer malware represents a critical area of focus for cybersecurity professionals. Unlike other common attack vectors such as phishing, social engineering, or password reuse — which heavily depend on user awareness and behavior — these stealers are primarily technical in nature.
This makes them particularly appealing targets for mitigation efforts. By understanding and addressing how they steal credentials from our users, we can implement technical controls and monitoring systems that don’t rely on end-user vigilance.
This approach allows us to create more robust, consistent, and manageable defense mechanisms. Moreover, the patterns left by these workarounds are often visible in network logs and traffic analysis, providing concrete data points for detection and response.
The HTTPS POST Challenge for Stealers
Initially, it’s important to understand why HTTPS POST requests pose a challenge for stealer malware:
- HTTPS encrypts the entire communication, including the request body where POST data is sent.
- Stealer malware, even if it has infected the user’s machine, cannot directly read the encrypted HTTPS traffic.
- POST requests typically contain sensitive data like login credentials in the encrypted body.
The Stealer’s Workaround
To overcome this challenge, stealer malware employs a clever workaround:
Interception at the Source:
- The malware hooks into the browser or application processes on the infected machine.
- It intercepts the data before it’s encrypted and sent over HTTPS.
Replication as GET Request:
- After intercepting the POST data, the malware constructs a GET request that includes the stolen information.
- The format varies depending on the specific stealer malware.
Exfiltration:
- This GET request is then used as a method to exfiltrate the stolen credentials from the victim’s machine.
Variety of Stealer Patterns
Different stealer malware may use various patterns to encode stolen credentials in URLs. Some common patterns include:
- Colon separation:
https://example.com/action:username:password
- Hash separation:
https://example.com/action#username#password
- Custom parameter encoding:
https://example.com/action?data=username&key=password
- Path-based encoding:
https://example.com/action/username/password
- Mixed approaches:
https://example.com/action:username#password
Additionally, some stealers might:
- Add random or decoy URL parameters
- Use base64 or other encoding for the credentials
- Implement custom obfuscation techniques
Exfiltration Process
The GET request serves a dual purpose:
- Data Formatting: It structures the stolen data in a way that’s easy for the attacker to parse.
- Exfiltration Method: It provides a means to send the data out from the infected machine.
Exfiltration typically occurs through one of these methods:
- Direct connection to attacker’s server (disguised as a legitimate web request)
- Sending to a compromised legitimate website acting as a drop zone
- Utilizing a series of redirects to obscure the final destination
The use of GET requests for exfiltration is advantageous because:
- It mimics normal web traffic, making it harder to detect
- It can bypass firewalls that might block other forms of outbound connections
- The data is immediately available in server logs, requiring no further processing by the attacker
GCP Cloud Logging Query for Stealer Malware Detection
To effectively detect the various URL patterns used by stealer malware, we need a more comprehensive GCP Cloud Logging query. The following query is designed to catch the different encoding methods we’ve observed.
resource.type="http_load_balancer"
httpRequest.requestMethod="GET"
(
-- Colon separation
httpRequest.requestUrl=~"/[^/]+:[^/]+:[^/]+"
OR
-- Hash separation
httpRequest.requestUrl=~"/[^/]+#[^/]+#[^/]+"
OR
-- Custom parameter encoding
httpRequest.requestUrl=~"[?&](data|username)=[^&]+.*[?&](key|password)=[^&]+"
OR
-- Path-based encoding: requestUrl is the full URL (scheme and host included),
-- so the host is skipped before counting exactly three path segments
httpRequest.requestUrl=~"^https?://[^/]+/[^/]+/[^/]+/[^/]+$"
OR
-- Mixed approaches (colon and hash)
httpRequest.requestUrl=~"/[^/]+:[^/#]+#[^/]+"
)
-- Static-content exclusions are not anchored with ^ because requestUrl does not start with the path
NOT httpRequest.requestUrl=~"/static/|/assets/|/images/"
Let’s break down this query:
- We’re focusing on GET requests to the load balancer, as this is typical for stealer malware.
- The query uses regular expressions to match the different URL patterns:
  - Colon separation: Looks for three segments separated by colons.
  - Hash separation: Looks for three segments separated by hash symbols.
  - Custom parameter encoding: Checks for ‘data’ or ‘username’ parameters followed by ‘key’ or ‘password’ parameters.
  - Path-based encoding: Looks for URLs with exactly three path segments.
  - Mixed approaches: Checks for a combination of colon and hash separators.
This query casts a wide net to catch various stealer malware URL patterns while attempting to minimize false positives. Two caveats apply. First, the query will still catch some legitimate traffic, especially in the path-based encoding case: ordinary three-segment REST URLs such as /api/v1/users match it, so you will likely need to refine that pattern based on your specific application’s URL structure. Second, a browser never transmits the fragment part of a URL (everything after #), so the hash-separated patterns only show up in load balancer logs when the stealer sends the request itself rather than through the browser.
To use this query effectively:
- Implement it as a log-based metric in GCP Cloud Logging.
- Set up alerts based on the metric, with thresholds appropriate to your traffic patterns.
- Regularly review and refine the query based on observed results and any new stealer malware patterns that emerge.
Remember, while this query significantly improves our detection capabilities, it’s just one part of a comprehensive security strategy. Combine it with other monitoring techniques, regular security audits, and user education for the best protection against stealer malware.
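The following is an added example, not code from the original article: it takes the five URL patterns listed under “Variety of Stealer Patterns” and the detection query above, and applies them offline to constructed GCP HTTP load balancer log entries, so the logic can be checked against known-good and known-bad URLs before it becomes a log-based metric. It assumes the exported entry shape (httpRequest.requestMethod, requestUrl and remoteIp), uses example.com and RFC 5737 addresses as constructed data, and assumes, purely for illustration, that the stolen username is the first field after the action segment (or the data/username query parameter) when extracting which account to lock.

```python
"""Added example (not from the original article): the article's five stealer URL
patterns applied offline to constructed GCP HTTP load balancer log entries."""
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# The five patterns from the Cloud Logging query, applied to the part of the URL
# after the host so that "example.com" never counts as a path segment.
PATTERNS = {
    "colon": re.compile(r"/[^/]+:[^/]+:[^/]+"),
    "hash": re.compile(r"/[^/]+#[^/]+#[^/]+"),
    "custom_param": re.compile(r"[?&](data|username)=[^&]+.*[?&](key|password)=[^&]+"),
    "path": re.compile(r"^/[^/]+/[^/]+/[^/]+$"),
    "mixed": re.compile(r"/[^/]+:[^/#]+#[^/]+"),
}
STATIC_PREFIXES = ("/static/", "/assets/", "/images/")


def url_tail(request_url: str) -> str:
    """Path + query + fragment of a full requestUrl, with scheme and host removed."""
    parts = urlsplit(request_url)
    tail = parts.path or "/"
    if parts.query:
        tail += "?" + parts.query
    if parts.fragment:
        tail += "#" + parts.fragment
    return tail


def classify(request_url: str) -> list:
    """Names of the stealer patterns matching one requestUrl ([] if none)."""
    tail = url_tail(request_url)
    if tail.startswith(STATIC_PREFIXES):  # same exclusion as the query's NOT clause
        return []
    return [name for name, rx in PATTERNS.items() if rx.search(tail)]


def candidate_user(request_url: str, pattern: str) -> Optional[str]:
    """Best-effort account name from a flagged URL, so the credential can be locked
    pending cleanup. Assumption (hypothetical, not from the article): the username is
    the first field after the action segment, or the data/username query parameter."""
    parts = urlsplit(request_url)
    if pattern == "custom_param":
        params = dict(p.split("=", 1) for p in parts.query.split("&") if "=" in p)
        return params.get("username") or params.get("data")
    fields = re.split(r"[:#/]", url_tail(request_url).lstrip("/"))
    return fields[1] if len(fields) > 2 else None


def scan_entries(entries: list) -> list:
    """Apply the query's GET filter and patterns to exported log entries."""
    findings = []
    for entry in entries:
        req = entry.get("httpRequest", {})
        url = req.get("requestUrl", "")
        if req.get("requestMethod") != "GET":
            continue  # the query only looks at GET-based exfiltration
        hits = classify(url)
        if hits:
            findings.append({"timestamp": entry.get("timestamp"), "remoteIp": req.get("remoteIp"),
                             "url": url, "patterns": hits,
                             "candidate_user": candidate_user(url, hits[0])})
    return findings


def pattern_counts(findings: list) -> Counter:
    """Per-pattern hit counts: the numbers a log-based metric and alert would expose."""
    return Counter(p for f in findings for p in f["patterns"])


def accounts_to_lock(findings: list, low_confidence=("path",)) -> set:
    """Accounts seen in a high-confidence pattern. Findings that matched only the
    path-based pattern are skipped because ordinary REST URLs also have three segments."""
    return {f["candidate_user"] for f in findings
            if f["candidate_user"] and not set(f["patterns"]) <= set(low_confidence)}


def _entry(ts: str, ip: str, method: str, url: str) -> dict:
    """Constructed entry in the shape of a GCP HTTP load balancer log export."""
    return {"timestamp": ts, "resource": {"type": "http_load_balancer"},
            "httpRequest": {"requestMethod": method, "requestUrl": url, "remoteIp": ip}}


# Constructed sample entries (not real traffic): example.com host, RFC 5737 client IPs.
SAMPLE_ENTRIES = [
    _entry("2024-01-01T10:00:00Z", "203.0.113.10", "GET", "https://example.com/login"),
    _entry("2024-01-01T10:00:01Z", "203.0.113.10", "POST", "https://example.com/login"),
    _entry("2024-01-01T10:00:02Z", "203.0.113.20", "GET", "https://example.com/action:alice:hunter2"),
    _entry("2024-01-01T10:00:03Z", "203.0.113.21", "GET", "https://example.com/action?data=bob&key=s3cret"),
    _entry("2024-01-01T10:00:04Z", "203.0.113.10", "GET", "https://example.com/static/js/app.js"),
    _entry("2024-01-01T10:00:05Z", "203.0.113.10", "GET", "https://example.com/api/v1/users"),
    _entry("2024-01-01T10:00:06Z", "203.0.113.22", "GET", "https://example.com/action:carol#pw"),
]

if __name__ == "__main__":
    results = scan_entries(SAMPLE_ENTRIES)
    for f in results:
        print(f["timestamp"], f["remoteIp"], f["patterns"], f["url"])
    print("metric:", dict(pattern_counts(results)))
    print("lock:", sorted(accounts_to_lock(results)))
```

Running it on the constructed entries flags four GET requests (colon, custom parameter, path and mixed), skips the POST and the /static/ asset, and shows the path-only hit on /api/v1/users as the false positive the article warns about; only alice, bob and carol end up in the lock set, which is the input to the “lock first, clean the PC, then restore access” step described at the start of the article.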
Staying Ahead in the Battle Against Stealer Malware
As we’ve explored throughout this article, stealer malware represents a significant and evolving threat in the cybersecurity landscape. By focusing on the technical aspects of how these malware operate, particularly their HTTPS workarounds, we’ve identified a crucial area where proactive, systematic defenses can be implemented.
The ability of stealer malware to intercept data before encryption and exfiltrate it through manipulated GET requests underscores the importance of comprehensive monitoring and detection strategies. By leveraging tools like GCP Cloud Logging and implementing custom queries tailored to identify suspicious URL patterns, organizations can significantly enhance their ability to detect and respond to these threats.