Chief Product Officer of SpyCloud, a leader in operationalizing Cybercrime Analytics (C2A).
In 2022 alone, over 87,000 exposed credentials tied to Fortune 1000 C-level executives were recaptured from the criminal underground, according to SpyCloud’s 2023 Identity Exposure Report. The threat of falling victim to a cyberattack has become an ongoing fear for security leaders across organizations—and for good reason.
Exposed assets, including usernames and passwords, arm cybercriminals with the sensitive data required to infiltrate networks and commit crimes—including fraud, session hijacking, account takeover and ransomware attacks. Although enterprises emphasize more robust security measures, such as additional user authentication (e.g., multifactor authentication and passkeys), criminals continually evolve to develop ways to bypass these measures. One such method includes using stolen active session cookies to commit session hijacking, negating the effectiveness of these traditionally used protections.
To strengthen network defenses and protect customers, companies and security leaders must have a clearer understanding of how criminals use stolen data for gain and how organizations can protect themselves against these threats.
Burned By Cookies
Session cookies are everywhere online. Once a visitor has logged in, a website or application issues a session cookie or token: an opaque string stored on the device and sent back with every subsequent request, so the user is not asked to authenticate again on each page.
Although this capability enables personalized and smooth experiences for everyday users, it poses a threat in the wrong hands. Cybercriminals using infostealer malware can exfiltrate cookies—among a plethora of other data types—from infected devices and insert them into anti-detect browsers, allowing them to appear as legitimate users in a process known as session hijacking.
Holding a valid session cookie, criminals can act as that user inside the application to perpetrate fraud, stage a ransomware attack, steal critical company data and more. The cookie is the server's proof that authentication has already happened, so it doesn't matter whether the user logged in with a username and password, a passkey or completed multifactor authentication (MFA): none of those checks are repeated when the cookie is presented, and replaying it sidesteps them all.
What’s more, criminals use infostealer malware that’s hard to detect, relatively cheap to acquire (commonly available online for only a few hundred dollars per month) and routinely successful in siphoning cookies and other fresh, high-quality data. As a result of this low-risk, high-reward method, the popularity of infostealer malware has skyrocketed.
Protect Yourself And Your Business
Cookie theft by infostealers is already very common, with more than 22 billion device and session cookie records stolen by criminals last year, according to SpyCloud research. As criminals are seeing strong success in using these cookies to access accounts and enterprises, this entry point will continue to scale. Having a plan to proactively disrupt criminal efforts is essential for businesses looking to protect their bottom line.
The latest malware is, by design, difficult to detect. Common infostealers are often nonpersistent, exfiltrating sensitive data in seconds and leaving little to no evidence of infection on the victim’s device.
With this sort of stealthy threat, employee education is crucial. Employees who recognize phishing attempts, treat potentially malicious email attachments, websites and downloads with caution, never share passwords and minimize the use of unmanaged or undermanaged devices to access corporate systems and networks can decrease overall malware exposure.
Additionally, declining "remember me" options on login pages and deleting browser cookies regularly shorten the window in which a stolen cookie is useful. Neither is a guarantee: a session that is active at the moment of infection is stolen regardless, and deleting the local copy does not end the session on the server, so these habits reduce exposure but cannot rule out session hijacking on their own.
If malware does impact employee devices—managed or personal with access to systems—businesses should employ a comprehensive post-infection remediation (PIR) strategy to proactively address the risk of stolen but still active data being used for follow-on cyberattacks. The PIR approach involves a series of steps that augment existing incident response protocols to effectively remediate infostealer-impacted devices, applications and users. Because malware-siphoned data can remain operational for months after being exfiltrated, clearing the infected device is only the first step for businesses but not the cure-all.
Using darknet data that has been ingested, curated and analyzed, security teams can get a holistic view of the compromised devices and data threatening their business. With this insight, teams can reset the exposed application information, invalidate open session cookies and patch vulnerabilities left behind. This approach mitigates damage to organizations by addressing the threat of stolen data before it spirals into a full-on security incident.
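The two points above, that a replayed cookie is honored without any repeat of MFA and that the fix is to invalidate open sessions server-side, are easier to see in code. The following is an added example, not SpyCloud's code or any product's implementation: a hypothetical in-memory session store with a constructed timeline in which a victim logs in with password and MFA, the cookie is copied by malware and replayed, the victim's local cookie wipe changes nothing, and post-infection remediation revokes the user's sessions so the exfiltrated cookie stops working. User names, timestamps and the eight-hour lifetime are assumptions for illustration.

```python
"""Added example: why a stolen session cookie bypasses MFA, and how server-side
revocation (a post-infection remediation step) closes that door.
Not the original article's code; the store, users and timestamps are constructed."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    issued_at: float
    expires_at: float
    revoked: bool = False


class SessionStore:
    """Hypothetical server-side session table keyed by a hash of the cookie value.
    A real deployment would back this with a database or cache; the checks are the same."""

    def __init__(self, lifetime_s: float = 8 * 3600) -> None:
        self.lifetime_s = lifetime_s
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(cookie: str) -> str:
        # Store only a digest so a leaked session table does not hand out live cookies.
        return hashlib.sha256(cookie.encode()).hexdigest()

    def login(self, user: str, password_ok: bool, mfa_ok: bool,
              now: Optional[float] = None) -> str:
        """Full authentication: password AND MFA are verified here, and only here."""
        if not (password_ok and mfa_ok):
            raise PermissionError("authentication failed")
        now = time.time() if now is None else now
        cookie = secrets.token_urlsafe(32)
        self._sessions[self._key(cookie)] = Session(user, now, now + self.lifetime_s)
        return cookie  # this value is what lands in the browser's cookie jar

    def authenticate(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        """Per-request check. Note what is absent: no password, no MFA, no device
        identity. Whoever presents a valid, unexpired, unrevoked cookie is the user."""
        now = time.time() if now is None else now
        s = self._sessions.get(self._key(cookie))
        if s is None or s.revoked or now >= s.expires_at:
            return None
        return s.user

    def revoke_user_sessions(self, user: str) -> int:
        """Remediation: invalidate every open session for the user so cookies that
        were already exfiltrated stop working. Returns the number revoked."""
        count = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                count += 1
        return count


def hijack_then_remediate(lifetime_s: float = 8 * 3600) -> dict:
    """Constructed timeline: infection, replay, local wipe, revocation, re-login."""
    store = SessionStore(lifetime_s)
    t0 = 1_700_000_000.0  # constructed epoch timestamp

    # 1. Victim logs in on a managed laptop with password + MFA.
    victim_cookie = store.login("alice", password_ok=True, mfa_ok=True, now=t0)

    # 2. Infostealer copies the cookie jar; the attacker replays the same value from an
    #    anti-detect browser an hour later. No MFA prompt: the server only sees the cookie.
    attacker_sees = store.authenticate(victim_cookie, now=t0 + 3600)

    # 3. The victim clears browser cookies. That removes the local copy only; the
    #    server-side session is untouched and the stolen copy keeps working.
    after_local_wipe = store.authenticate(victim_cookie, now=t0 + 7200)

    # 4. PIR: the exposure is identified and every session for the user is revoked
    #    (credential reset happens alongside this, outside the session store).
    revoked = store.revoke_user_sessions("alice")
    attacker_sees_after = store.authenticate(victim_cookie, now=t0 + 7300)

    # 5. Victim logs in again (password + MFA) and receives a fresh cookie the attacker lacks.
    new_cookie = store.login("alice", password_ok=True, mfa_ok=True, now=t0 + 7400)

    # 6. Without revocation, only expiry ends a session, which is why a stolen cookie
    #    can stay usable for the whole configured lifetime.
    expired = store.authenticate(new_cookie, now=t0 + 7400 + lifetime_s)

    return {
        "attacker_sees": attacker_sees,
        "after_local_wipe": after_local_wipe,
        "revoked_count": revoked,
        "attacker_sees_after": attacker_sees_after,
        "victim_new_session": store.authenticate(new_cookie, now=t0 + 7500),
        "new_session_after_lifetime": expired,
    }


if __name__ == "__main__":
    for name, value in hijack_then_remediate().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that `authenticate` deliberately re-checks nothing but the cookie, which is exactly how most production frameworks behave; the defensive levers that remain are therefore the ones the remediation uses (revocation and credential reset) plus a short session lifetime, not anything the victim does locally.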
Using a PIR strategy, leaders and executives can create a successful cyber incident response plan that allows security teams to proactively reduce the threat posed by stolen session cookies and other exposed authentication data. This strategy not only decreases the enterprise’s attack surface but also protects the company from potential brand reputation and financial harm.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.