Verizon's 2022 Data Breach Investigations Report found that credential theft was a factor in more than 50% of security incidents and that 82% of breaches involved a human element. Threat modelling is a great place to start when protecting against credential theft, but other controls are needed too. If an attacker manages to get inside your systems despite everything, elevation of privilege exploits can make the damage far worse.
Layers of defence
Defence in Depth, or layered controls, means putting multiple controls in place to cover a single threat. It is a good approach, though like all good things it can be taken too far.
High risks generally need more controls to adequately reduce the risk. Lower risks need fewer. You do not want to spend all your resources on already-low risks when that effort could be reducing serious ones.
Elevation of privilege threats tend to be higher impact, so they result in higher overall risk. Applying multiple controls to these threats specifically is a sound investment.
Credential theft is a common example. These threats have many possible mitigations, which makes them well suited to a Defence in Depth approach.
For passwords, the first line of defence is strength. A minimum of 16 characters with symbols and numbers reduces the chance of a successful brute-force attack. Passphrases are another good option. Three or four unrelated words that mean something to you are easy to remember and difficult to guess. You should also limit password reuse across systems, encourage use of a password manager with strong encryption standards, and ensure passwords are encrypted at rest and in transit.
Multi-factor authentication
MFA is a large topic, but it essentially centres on a TOTP (time-based one-time password). A shared secret is loaded into an authenticator app such as Google Authenticator or Authy, usually by scanning a QR code. The app uses that secret to generate a 6-digit code every 30 seconds, and that code is your second factor when you log in.
An older alternative is SMS codes. These are still in use today but should not be used for new systems. SMS was never designed as a secure communication medium and has well-documented weaknesses around interception.
Banking systems sometimes use voice recognition, where you say a phrase and the audio is analysed to confirm it is you. Biometric scanners such as fingerprint and retina readers are another form, now common on smartphones.
Some organisations use a second passphrase, asking users to enter a subset of characters from it rather than the full phrase. Physical security keys such as the YubiKey present a hardware secret automatically on authentication, similar in concept to an office keycard.
There is nothing stopping you from using more than two factors. More sensitive systems may use three or more, such as a retina scan, a TOTP code and a password combined.
The principle of least privilege
Other mitigations focus on containing the damage after an attack has already succeeded. The key principle here is least privilege: users are granted only the minimum access to data, resources and applications needed to do their job.
Early Windows installations defaulted to admin privileges, which meant that a stolen password could put the entire machine at risk. That is the wrong default.
Where you use a content management system, grant users only the access their role needs. Someone uploading blog posts has no reason to have admin access. If they do not need it, do not give it.
Monitoring helps too. Alerting when a login looks suspicious is difficult in practice, but a useful starting point is notifying users when a login comes from an unexpected geography.
Privileged access management (PAM) takes this further. A user requests elevated access when they need it, that request is approved, and the approval is audited. This adds some friction but significantly reduces the damage an attacker can do with stolen credentials. The audit trail also acts as a deterrent against internal misuse.
Starting from a collaborative threat modelling session puts you in a good position to identify where credential theft and other elevation of privilege threats can occur. From there you can spot where Defence in Depth makes the most sense, and focus your effort where it drives the biggest reduction in business risk.

Jonny founded Threatplane in 2017. With a background in offensive security, he has spent 15+ years helping organisations across defence, financial services, healthcare, and manufacturing understand and manage their technology risks.