Stolen account information continues to pose one of the greatest risks to organisations, as emphasised in the FY23 Risk and Vulnerability Assessments (RVA) report. The analysis conducted by the Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard (USCG) identified that, despite advancements in security technology, valid accounts—whether stolen, default, or improperly managed—continue to be a primary attack vector for cybercriminals.
The RVA findings indicate that 41% of successful cyber-attacks during assessments involved the use of valid accounts, with a staggering 89% success rate in cracking password hashes to access Domain Administrator accounts. These valid accounts were used not only to gain initial access but also to escalate privileges, move laterally through networks, evade detection, and exfiltrate sensitive data. This demonstrates how critical compromised credentials are to the entire lifecycle of a cyber-attack.
Why Stolen Credentials are So Effective
The reason stolen account information is so dangerous lies in the trust systems inherently place in valid credentials. Once a threat actor gains access to an account with administrative or elevated privileges, they are essentially free to move throughout the network undetected, appearing as a legitimate user. This gives them the ability to disable security measures, steal sensitive data, and even maintain persistent access over long periods, as seen with sophisticated actors like Volt Typhoon and UNC5174.
In many cases, organisations are not aware that these accounts have been compromised, allowing attackers to use the same credentials across multiple stages of an attack. The misuse of valid credentials was identified as a critical vulnerability, as threat actors were able to escalate privileges and evade defences simply by exploiting weak password policies or default credentials left unchanged.
The Role of Initial Access Brokers
Compounding the problem is the rise of initial access brokers (IABs) who sell stolen credentials and access to compromised systems on the dark web. This underground economy has made it easier than ever for cybercriminals and nation-state actors to buy their way into organisations’ networks, bypassing traditional hacking methods. According to the report, the financial incentives for IABs are increasing, which means we can expect this trend to continue growing in the coming years.
Addressing the Issue: Prevention is Key
The RVA report emphasises the need for proactive measures to reduce the risks posed by stolen credentials. Key strategies include implementing phishing-resistant multi-factor authentication (MFA), enforcing strong password policies, and regularly sanitising Active Directory (AD). It’s also crucial to ensure proper Role-Based Access Controls (RBAC) are in place, following the principle of least privilege, to limit unnecessary access. Additionally, deploying Privileged Access Management (PAM) helps monitor and control the use of elevated accounts, further reducing the risk of credential misuse.
Organisations should also focus on removing inactive or default accounts and applying granular access controls to minimise the impact of compromised credentials. Revoking unnecessary privileges during regular AD reviews is another essential step in reducing exposure. While no system is entirely immune to attacks, the ongoing success of cybercriminals exploiting stolen credentials highlights the importance of constant vigilance. Security isn’t just about having the right tools—it’s about maintaining strong access controls and staying ahead of evolving threats.
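The account clean-up and AD review steps described above can be turned into a repeatable, read-only check. The script below is an added example, not MTI's own tooling or the RVA report's; it assumes the RSAT ActiveDirectory module, a domain account with read access, and the parameter names, 90-day inactivity threshold and privileged-group list shown, all of which are assumptions.

```powershell
# Added example: read-only Active Directory hygiene review.
# Assumes the RSAT ActiveDirectory module; -InactiveDays and -OutDir are assumed parameter names.
param(
    [int]$InactiveDays = 90,                  # assumed threshold; adjust to local policy
    [string]$OutDir = "$PWD\ad-review"
)
Import-Module ActiveDirectory -ErrorAction Stop
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# 1. Enabled users with no logon inside the window: candidates for disabling or removal.
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan (New-TimeSpan -Days $InactiveDays) |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Export-Csv -NoTypeInformation -Path "$OutDir\inactive-users-$stamp.csv"

# 2. Enabled users whose password never expires or is not required: weak password-policy exceptions.
Get-ADUser -Filter 'Enabled -eq $true -and (PasswordNeverExpires -eq $true -or PasswordNotRequired -eq $true)' `
           -Properties PasswordNeverExpires, PasswordNotRequired, PasswordLastSet |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordNotRequired, PasswordLastSet |
    Export-Csv -NoTypeInformation -Path "$OutDir\password-exceptions-$stamp.csv"

# 3. Built-in default accounts (RID 500 Administrator, RID 501 Guest): confirm state and last password change.
$domainSid = (Get-ADDomain).DomainSID.Value
$defaults = foreach ($rid in 500, 501) {
    Get-ADUser -Identity "$domainSid-$rid" -Properties Enabled, PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordLastSet
}
$defaults | Export-Csv -NoTypeInformation -Path "$OutDir\default-accounts-$stamp.csv"

# 4. Recursive membership of high-privilege groups, so every member can be justified or revoked.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$members = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction Continue |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass, distinguishedName
}
$members | Export-Csv -NoTypeInformation -Path "$OutDir\privileged-members-$stamp.csv"

# 5. Domain password policy, for comparison against the organisation's standard.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, PasswordHistoryCount, LockoutThreshold |
    Export-Csv -NoTypeInformation -Path "$OutDir\password-policy-$stamp.csv"

Write-Host "Review exported to $OutDir; act on the CSVs through the normal change process."
```

The script only reads and exports; disabling accounts or removing group members is deliberately left to a reviewed change so the findings can be validated first.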
As stolen credentials remain a preferred tool for cyber attackers, organisations must continually strengthen their defences to avoid becoming easy targets.
Secure Your Active Directory with MTI's Expertise
MTI brings unparalleled expertise, having conducted over 120 Active Directory security audits within the NHS in the past 24 months. We’ve successfully completed Active Directory enhancement projects for more than 20 NHS organisations, even amid the challenges of the COVID-19 pandemic.
As a founding member of CREST and active in both CREST and NCSC CHECK security organisations, MTI is recognised for its leadership in cyber security. Our experience includes executing Microsoft Security integration projects with technologies like AOVPN, WDAC, MDE, and MEM, enhancing organisations’ overall security posture.
Don’t wait until a breach happens: contact us today to schedule an Active Directory review and protect your network from credential-based threats.