Skip to main content

Credential Theft Week 3

Continuing our J2 SOC Manager’s series on credential theft, this week we touch on some things you should be doing to protect yourself. We hope that you have found the first few pieces helpful and please feel free to get in contact us if you have questions, comments or want to further clarity. After our previous pieces explored several methods that the cyber criminals will use to steal your credentials, let’s shift our focus on some of the way you can protect you and your business.

How can you protect yourself?

Many security professionals will say that Microsoft is unsafe by default. You need to ensure that all the security hardening is in place across your environment. It is true that understanding and implementing a secure configuration requires a little work. J2 Software performs a detailed cyber risk assessment at a fraction of the price of a penetration test. You will not simply get a list of CVE numbers; we will give actual recommendations to prevent commonly used attacks. We don’t simply run automated scans and regurgitate a template report; we use a combination of tools and hands-on-keyboard tests to simulate real attacks. Here are some starters.

From the network side:

  • Disable all legacy protocols and APIs. Stop unnecessary chatter between workstations.
  • Sign your traffic. Traffic signing (not enabled by default, thanks Microsoft) means that man in the middle interceptions of network traffic become much more difficult.
  • Use modern authentication protocols. Windows devices are not secure by default.

On the local machine:

  • Stop using weak passwords and stop using the same local administrator credentials for all devices, if you use the same username make sure the passwords are random for each device. This can be achieved by deploying LAPS.
  • Protect your LSASS process by implementing credential guardian and implement simple LSA registry protections.
  • Block network logon to user devices by any high-level administrator.
  • Disable internet access for any administrative credential to stop administrators downloading malware.
  • Don’t let your users have administrator privileges, force them to escalate for privilege using a second account.
  • Run a monthly credential analysis to produce a weak password report.
  • Use enhanced RDP (Network Level Authentication and etc).
  • Use 2 factor solutions inside Active Directory.
  • Reduce common Active Directory misconfigurations which may facilitate credential theft

Protect your data:

We see IT and business operational data available to all users in a single network segment. Rather isolate your data tiers. If a standard domain user is breached, they should never have access to all your data. Data exploitation is a primary goal of ransomware operators. We test directory structures as part of our once-off or monthly assessment packages.

Check your procedures:

  • Use the protect users’ group and remove delegation rights from privileged accounts 
  • Reboot your devices regularly to remove cached credentials. If you never restart your device, there may be dozens of sessions containing retrievable passwords. 
  • Monitor network activity and event logs.
  • Implement an insider risk program to increase visibility and drive anomaly detection.

An insider threat assessment is often more affordable than a full penetration test. It will give you a good indicator of attack pathways inside your network. If you’re a business owner who believes your IT staff have the security basics covered, then verify this is the case. We covered a few common attack pathways in this series, but it’s by no means comprehensive. There are numerous windows misconfigurations that make credential theft trivial. Within Active Directory there are numerous misconfigurations that make credential theft even more trivial. We showed that passwords and hashes are a prioritised target for threat actors and demonstrated a few ways in which they may be better protected. Preparing the battlefield may give you a significant advantage, even before you are aware that the fighting has begun. Keep checking back for new pieces in our CSC Blog or get in touch with us.

J2 Cyber Security Centre


  • Hits: 755