Credential Harvesting
Dictionary Term
Alternative Forms
Harvesting
Definitions
Definition 1
Credential harvesting designates a class of cyberattacks characterized by the collection of identity attributes and credentials with the objective of compromising their linked identities.
Credential harvesting may be subdivided into two subclasses:
Credential harvesting in the reconnaissance phase of an attack, where identity attributes such as email addresses or login ids are guessed or collected from available data sources. The confidentiality of these identity attributes often cannot be effectively assured, but by themselves they are not sufficient to exploit the identities.
Credential harvesting in preparation for the exploitation phase of an attack, where identity attributes or credentials such as passwords or session tokens are collected to enable the compromise of identities.
Information collected by credential harvesting pertains to authentication-related information types that may be leveraged for exploitation, such as identity attributes, credentials, or session information. Example identity attributes or credentials that may be collected are:
Certificates
Identity attributes (e.g., email addresses, login ids)
Passwords (plaintext or hashed)
Session tokens
SSH keys
Credential harvesting opportunistically collects information on available authentication mechanisms (e.g., identity attributes, certificates, credentials, and sessions) in order to compromise information security domains and/or abuse identities. It seeks exploitable authentication solutions wherever they can be found and is distinct from attacks that target specific identities.
Credential harvesting may be used during various attack stages, including reconnaissance, initial exploitation, privilege escalation, and lateral movement.④
Example classes of actors who may engage in credential harvesting:
Bots
Humans
Worms (e.g., Nimda)
The data sources from which credential information may be harvested vary. Typical ones are:
Address books②
Browser history②
Computer memory (e.g., cached credentials, login ids, plaintext passwords, session tokens)④
Configuration files (e.g., plaintext passwords, API tokens)
Databases
Documents (e.g., email addresses, login ids, passwords)
Email or application services whose responses allow attributes to be guessed (e.g., login ids enumerated by dictionary attack)
Identity repositories (e.g., LDAP, Windows Active Directory)
People (through social engineering)
Phishing or trojan websites (e.g., login ids, passwords, second authentication factor)③
Reusable identity attributes or credentials obtained from previous data breaches
Web cookies③
Web query parameters③
Web sites, social networks, and forums (e.g., email addresses via web scraping)①
Windows registry
Among these, some information may be publicly or easily available (e.g., email addresses that may be collected by web scraping on public websites or forums), while other information may be protected and harder to reach (e.g., cached credentials stored in computer memory).
The collected information may be insufficient for exploitation and may need to be complemented with other techniques (e.g., executing a dictionary attack on harvested password hashes).
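The dictionary attack mentioned above, worked through as an added example (this code is not part of the original entry). The "harvested" records and the wordlist are constructed inline so the block runs offline; the user names, hash schemes and salt are assumptions made for illustration. The point it adds to the text: an unsalted hash list is attacked with one precomputed table for all users, while a salted and iterated scheme forces the attacker to redo the work per record.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample of "harvested" password records, as they might come out of a
# database dump or identity repository. The hashes are computed here from chosen
# passwords so the example runs offline; none of this is real data.
HARVESTED_RECORDS: List[Dict] = [
    {"user": "alice", "scheme": "sha256",
     "hash": hashlib.sha256(b"letmein").hexdigest()},
    {"user": "bob", "scheme": "sha256",
     "hash": hashlib.sha256(b"S3cure!Passphrase-2024").hexdigest()},
    {"user": "carol", "scheme": "pbkdf2_sha256", "salt": "c0ffee", "iterations": 100_000,
     "hash": hashlib.pbkdf2_hmac("sha256", b"summer2019",
                                 bytes.fromhex("c0ffee"), 100_000).hex()},
]

# Constructed wordlist; a real attack would use a far larger one.
WORDLIST = ["password", "123456", "letmein", "summer2019", "qwerty"]


def hash_candidate(record: Dict, candidate: str) -> str:
    """Hash a wordlist entry the same way the harvested record was hashed."""
    if record["scheme"] == "sha256":
        return hashlib.sha256(candidate.encode()).hexdigest()
    if record["scheme"] == "pbkdf2_sha256":
        return hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                   bytes.fromhex(record["salt"]),
                                   record["iterations"]).hex()
    raise ValueError(f"unsupported scheme {record['scheme']!r}")


def dictionary_attack(records: List[Dict], wordlist: List[str]) -> Dict[str, str]:
    """Return {user: password} for every record whose hash matches a wordlist entry.

    Unsalted records share one precomputed table, so their cost is one hash per
    wordlist entry no matter how many hashes were harvested. Salted, iterated
    records must be attacked one at a time, which is what salting and key
    stretching are for.
    """
    recovered: Dict[str, str] = {}
    unsalted_table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    for rec in records:
        if rec["scheme"] == "sha256":
            if rec["hash"] in unsalted_table:
                recovered[rec["user"]] = unsalted_table[rec["hash"]]
            continue
        for candidate in wordlist:
            if hmac.compare_digest(hash_candidate(rec, candidate), rec["hash"]):
                recovered[rec["user"]] = candidate
                break
    return recovered


def hash_operations(records: List[Dict], wordlist: List[str]) -> int:
    """Count the underlying hash iterations the attack needs, to compare schemes."""
    ops = len(wordlist)  # one shared table covers every unsalted record
    for rec in records:
        if rec["scheme"] == "pbkdf2_sha256":
            ops += len(wordlist) * rec["iterations"]
    return ops


if __name__ == "__main__":
    print(dictionary_attack(HARVESTED_RECORDS, WORDLIST))
    print("hash iterations needed:", hash_operations(HARVESTED_RECORDS, WORDLIST))
```

Bob's passphrase is not in the wordlist and stays unrecovered; Alice's unsalted hash falls to the shared table, and Carol's salted hash is recovered only after 400,000 PBKDF2 iterations spent on her record alone.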
Credential harvesting may be designated by the identity attribute or credential that is being harvested. Password harvesting specifically focuses on passwords. Email harvesting is a specialized and limited form of credential harvesting frequently used for phishing purposes.①
Information may be collected:
by accessing it directly when it is publicly or easily available (e.g., email addresses collected by web scraping① or plaintext passwords found by scanning configuration files),
by obtaining it through a compromise (e.g., reading cached credentials from live memory),
by guessing it (e.g., email addresses or login ids).⑧
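The first and third collection methods, direct access and guessing, as an added example that is not part of the original entry. The sources (a configuration file, a deployment key, a scraped web page and a web server log) are constructed stand-ins for the data-source types listed above, and every name, address and value in them is made up. The block scans the sources for credential-like material, then shows how one harvested email address is enough to infer the organization's login id convention and guess further addresses; the same patterns serve defensively as a secrets scan over a repository or file share.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-ins for the data sources listed above; not real files or credentials.
SOURCES: Dict[str, str] = {
    "app.conf": (
        "db_host=db.internal\n"
        "db_user=svc_app\n"
        "db_password=Winter2020!\n"
        "api_token = 'abc123def456'\n"
    ),
    "deploy_key": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "team.html": "<p>Contact alice.smith@example.com or bob.jones@example.com</p>",
    "access.log": '10.0.0.5 - - "GET /reset?session_id=9f86d081884c7d65 HTTP/1.1" 200',
}

# One pattern per credential type named in the entry. Group 1, where present,
# is the harvested value; otherwise the whole match is reported.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "plaintext_password": re.compile(
        r"(?im)^\s*[\w.-]*pass(?:word|wd)?\s*[=:]\s*['\"]?([^'\"\s]+)"),
    "api_token": re.compile(
        r"(?im)^\s*[\w.-]*token\s*[=:]\s*['\"]?([A-Za-z0-9_\-]+)"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "session_in_query": re.compile(r"[?&](?:session_id|sid|token)=([A-Za-z0-9]+)"),
}

Finding = Tuple[str, str, str]  # (source name, finding type, harvested value)


def harvest(sources: Dict[str, str]) -> List[Finding]:
    """Scan every source for credential-like material and return what was found."""
    findings: List[Finding] = []
    for name, text in sources.items():
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                value = match.group(1) if match.groups() else match.group(0)
                findings.append((name, kind, value))
    return findings


# Common login id conventions; a harvested address reveals which one is in use.
LOGIN_ID_FORMATS: Dict[str, Callable[[str, str], str]] = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf": lambda f, l: f"{l}{f[0]}",
}


def infer_format(email: str, first: str, last: str) -> Optional[str]:
    """Work out which convention a harvested email follows, given the person's name."""
    local = email.split("@")[0].lower()
    for fmt_name, fmt in LOGIN_ID_FORMATS.items():
        if fmt(first.lower(), last.lower()) == local:
            return fmt_name
    return None


def guess_emails(fmt_name: str, names: List[Tuple[str, str]], domain: str) -> List[str]:
    """Apply an inferred convention to other known names (e.g., from a scraped team page)."""
    fmt = LOGIN_ID_FORMATS[fmt_name]
    return [f"{fmt(first.lower(), last.lower())}@{domain}" for first, last in names]


if __name__ == "__main__":
    for finding in harvest(SOURCES):
        print(finding)
    convention = infer_format("alice.smith@example.com", "Alice", "Smith")
    print(convention, guess_emails(convention, [("Carol", "Jones")], "example.com"))
```

The guessed addresses are only identity attributes, which is the reconnaissance-phase subclass described above: they identify accounts but do not by themselves compromise them. The password, token, key and session id found in the other sources belong to the second subclass and are directly usable.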
Example countermeasures that may be effective against credential harvesting include:
Access controls / need-to-know
Canary identities
Disabling credential caching
Digital Rights Management (DRM)
Encryption
Hardware Security Module (HSM)
Multi-Factor Authentication (MFA)
Not reusing passwords①
Password Managers
Privileged Access Management (PAM)
Security awareness programs
System hardening
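Canary identities, from the list above, turned into detection logic as an added example (not part of the original entry). A canary identity is an account deliberately planted where an attacker would harvest from, such as a configuration file or a cached credential, and never used by any legitimate process, so any authentication attempt with it signals that the credential store it was planted in has been read. The canary account names and the sshd log lines below are constructed for the example and the log layout is the usual syslog form; nothing here is from a real host.

```python
import re
from typing import Dict, List, Set

# Constructed canary identities: accounts that exist only to be harvested.
CANARY_IDENTITIES: Set[str] = {"svc_legacy_backup", "deploy-bot"}

# Constructed sshd log lines in syslog layout; not from a real system.
LOG_LINES: List[str] = [
    "Jan 12 03:14:07 bastion sshd[2231]: Accepted publickey for alice from 10.0.1.15 port 50212 ssh2",
    "Jan 12 03:15:41 bastion sshd[2240]: Failed password for svc_legacy_backup from 10.0.8.22 port 41876 ssh2",
    "Jan 12 03:15:43 bastion sshd[2240]: Failed password for svc_legacy_backup from 10.0.8.22 port 41876 ssh2",
    "Jan 12 03:16:02 bastion sshd[2251]: Accepted password for deploy-bot from 10.0.8.22 port 41902 ssh2",
    "Jan 12 03:20:19 bastion sshd[2270]: Failed password for invalid user admin from 203.0.113.9 port 60011 ssh2",
]

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_auth_line(line: str) -> Dict[str, str]:
    """Extract the fields of an sshd authentication event; empty dict if not one."""
    match = AUTH_RE.match(line)
    return match.groupdict() if match else {}


def detect_canary_use(lines: List[str], canaries: Set[str]) -> List[Dict[str, str]]:
    """Return one alert per authentication attempt that names a canary identity.

    A failed attempt is as significant as a successful one: nobody should know
    the canary exists, so even a wrong password for it means the place it was
    planted in has been harvested.
    """
    alerts: List[Dict[str, str]] = []
    for line in lines:
        event = parse_auth_line(line)
        if event and event["user"] in canaries:
            alerts.append({
                "ts": event["ts"],
                "host": event["host"],
                "user": event["user"],
                "src": event["src"],
                "result": event["result"],
            })
    return alerts


def suspect_sources(alerts: List[Dict[str, str]]) -> Set[str]:
    """Addresses that touched a canary: where harvested credentials are replayed from."""
    return {alert["src"] for alert in alerts}


if __name__ == "__main__":
    found = detect_canary_use(LOG_LINES, CANARY_IDENTITIES)
    for alert in found:
        print(alert)
    print("investigate:", suspect_sources(found))
```

In the constructed lines the ordinary user, the failed attempt against a non-existent account and the port scanner's noise produce nothing, while the three events naming canaries all point at 10.0.8.22, which is the host to investigate first.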
Sample Sentences
Eve, the hacker, tricked Bob, the user, with a cleverly forged spearphishing email. When Bob clicked on the link, he did not notice anything unusual, but his laptop was compromised. Once in, Eve started to harvest credentials with the intention of moving laterally within Bob’s corporate network. Luckily for her, she quickly found the cached credentials of Alice, an engineer from the IT support team who had previously logged in on Bob’s laptop to help him with a technical issue.
Conceptual Diagram
Related Terms
Credential
Identity Attribute
Password
Worm
Quotes
Bibliography
Albanese and Sonnenreich, 2004
Anderson, 2020
Benantar, 2006
Bradley, 2019
Brotherston and Berlin, 2017
CERT/CC, CA-2001-26, 2001
Gajek and Sadeghi, 2008
Nemeth et al., 2011