In the realm of cybersecurity, usernames and passwords hold paramount importance, and it's likely they will continue to do so despite constant industry efforts pushing us towards more sophisticated authentication methods.
Quite often, the emphasis tends to fall primarily on passwords, overshadowing the critical role usernames play.
While it is true that a username isn't "protected" in the conventional sense, it is, nonetheless, a vital component of any security framework.
In the context of the AAA (Authentication, Authorization, and Accounting) model, the username is recognized as the essential element of Identification.
Without proper identification, a correct password, in isolation, has limited practical use.
But why the focus on this seemingly mundane process?
The answer lies in the very essence of the AAA model. Absent a correct pairing of identification (username) and password, the process of Authentication is fundamentally flawed. Monitoring unusual authentication activities is a crucial aspect of malware detection both within and beyond the boundaries of an organization.
In today's interconnected world, automated scanning systems on the internet are relentlessly probing for vulnerabilities to exploit, aiming to inject malware into the system.
The invaluable data I gather from my network of honeypots, strategically placed in various locations around the globe, aids in this relentless pursuit of cyber threat detection and prevention.
Those helpful data form my honeypots operated throughout different places all over the world.
As evidenced from my findings, bots are often not overly sophisticated in their relentless pursuit to identify and exploit easy targets. Once they pinpoint a vulnerability, they act swiftly, deploying malware and seeking places with Read, Write, Execute (RWX) permissions to download additional malicious code. They typically utilize standard operating system tools like curl or wget for this purpose.
So, how can we leverage this knowledge to strengthen our defenses?
Change the username of built-in accounts: Built-in or default account names are the first point of attack for most bots. Changing these can enhance security.
If changing the username isn't possible, consider disabling the built-in account and create a new one with a non-obvious name: This acts as an additional layer of security, making it harder for bots to guess the correct credentials.
Generate unique usernames for each computer, system, or device: This can be accomplished with a non-obvious name generator, making it challenging for bots to predict account names.
Implement a robust, non-obvious company naming convention: Make it tough to enumerate and avoid tying it directly to any specific employee's details.
Leverage automatic password management solutions like LAPS or CyberArk: These tools can significantly enhance the security of your passwords, making them harder to crack.
Utilize Microsoft MSA or GMSA strategy for technical accounts: This approach provides additional security for technical accounts in your organization.
Create fake "decoy accounts" and closely monitor any activity: Configure these accounts to appear vulnerable to password guessing or Kerberoasting attacks. Do remember to change their primary group membership. Create an empty Active Directory (AD) group, one with no access to anything. It should blend in with your other AD groups. This step is crucial because, by default, the primary group is the Domain Users AD group, and wherever Domain User or Everyone is present on the Access Control List (ACL), the fake account will also appear to have access.
Usernames might be as secret as a highway billboard, but applying the above steps can turn an attacker's mission into a high-stakes cyber scavenger hunt. The resultant noise should set off alarms in any decent SIEM solution. Yes, it may frazzle your IT department a bit, but remember, cybersecurity isn't a popularity contest—it's the guardian against a downpour of digital threats.