Credential dumping is a technique cybercriminals use to obtain account credentials and gain access to a network. After entering a workstation, typically through phishing, they take control and use the same paths an administrator uses to manage and monitor the network to find exposed credentials.
Cybercriminals look for weaknesses in the organization that lead them to credential dumping. Below are a few ways to identify those weaknesses and reduce the risk of credential dumping.
Limit credential reuse
Firms should review how they manage their network. User passwords should be checked routinely against a database of breached passwords: a password that appears in a breach list and is still in use on your network leaves the network vulnerable to cyberattacks. Several databases of passwords exposed in breaches are available online; compare your users' passwords against them to help avoid credential dumping.
Manage local administrator passwords
Firms should manage local administrator passwords so that the same password is not reused across the network, and should deploy a local administrator password solution. An additional module can be used in the web app to provide a simple web-based and mobile-friendly interface for accessing local admin passwords.
Once cybercriminals gain access to a network, they harvest the left-behind hash of the local administrator password and use it to move laterally throughout the network.
Review and audit use of NTLM
Cybercriminals can gain access to your network through NT LAN Manager (NTLM) authentication. Relying on NTLM authentication, in combination with any communication protocol, leaves your network vulnerable to cyberattacks. To avoid credential dumping, firms should review and audit their use of NTLM.
Manage the access control list for “Replicating Directory Changes”
Cybercriminals use different accounts in your domain to gain access to the network; for example, they may misuse Microsoft Exchange permission groups. Firms need to monitor changes to security groups and access control lists (ACLs). Auditing and monitoring for changes in ACLs will help to avoid credential dumping.
Monitor for unexpected processes interacting with lsass.exe
One of the best ways to avoid credential dumping is to monitor for unexpected spikes in activity against the lsass.exe process. Denial of service and malicious traffic can hide in lsass.exe activity because domain controllers use it as a normal part of transaction processing. Firms should run the Active Directory data collector on their domain controllers and establish a baseline of normal process activity on the network.
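As an added example (not code from the original article), this Python snippet applies the baseline idea from the last section to constructed Sysmon Event ID 10 (ProcessAccess) records: any process outside the expected set that opens lsass.exe with memory-read access is flagged. The flattened record format, the allowlist and the sample lines are assumptions.

```python
"""Flag non-baseline processes opening lsass.exe from Sysmon Event ID 10 records."""
import re

# Windows process access rights that matter for credential dumping.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Baseline of processes that legitimately touch lsass.exe. Build it from your own
# data collector baseline; these entries are assumptions, not a standard list.
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

FIELD_RE = re.compile(r"(\w+)=([^|]+)")

def parse_event(line: str) -> dict:
    # Parse a flattened 'Key=Value|Key=Value' record (constructed format).
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}

def flag_lsass_access(line: str):
    """Return (source, access_mask, severity) for a non-baseline open of lsass.exe."""
    ev = parse_event(line)
    if ev.get("EventID") != "10":
        return None
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    source = ev.get("SourceImage", "").lower()
    if source in EXPECTED_SOURCES:
        return None
    access = int(ev.get("GrantedAccess", "0x0"), 16)
    if access & PROCESS_VM_READ:  # reading lsass memory is the dumping pattern
        return (source, access, "high")
    if access & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION):
        return (source, access, "low")  # handle opened, memory not readable
    return None

def scan(lines) -> list:
    return [f for f in map(flag_lsass_access, lines) if f is not None]

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    "EventID=10|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1410",
    "EventID=10|SourceImage=C:\\Users\\alice\\Downloads\\updater.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010",
    "EventID=10|SourceImage=C:\\Windows\\System32\\taskmgr.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    for source, access, severity in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {source} opened lsass.exe with GrantedAccess=0x{access:04x}")
```

Feed it real Sysmon output by converting each event into the same key=value form, and extend EXPECTED_SOURCES from the baseline you collected on the domain controllers.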