We recently observed another near-compromise / near-breach event.
At a time when the focus has been on adversaries that develop increasingly complex and sophisticated attacks, tried and true techniques such as compromised credentials continue to be amongst the most potent weapons. According to Verizon's annual DBIR, 80 percent of confirmed data breaches involved weak, default or stolen passwords, or brute-force credential compromises.
The risk posed by a compromised credential varies with the level of access it provides. Privileged credentials (e.g. administrative accounts) give access to systems and devices, sensitive data, or unfettered rights to move within the infrastructure. Not to be forgotten are service accounts like firstname.lastname@example.org that often deliver the deepest level of access into a company. Service accounts are used by machines rather than humans, and therefore cannot easily leverage the added security of one-time passwords and MFA.
We observe these often. And while they differ in their own way, they follow a similar pattern (directionally following an attack framework of choice):
- Reconnaissance using publicly available information or inadvertently exposed information. At a minimum, this gives insights into the accounts to target or visibility into access credentials that have been inadvertently disclosed. There are innumerable ways credentials can be compromised, ranging from public information on social media and websites to information in legal documents.
- Cracking the credentials and accessing resources, hosts or servers.
- Movement to accounts or hosts of privilege to eventually reach the target. Our close collaboration partner CrowdStrike has stated that it takes an intruder one hour and 58 minutes to jump from the machine that is initially compromised and begin moving laterally through your network.
While you want to secure all three fronts, preventing every instance of credential abuse is foundationally difficult: you must be right every time and the attacker only needs to be right once. Most security teams are hard pressed to confirm, let alone respond to, compromises before lateral movement occurs.
We observe and track activity on all fronts. In particular, our platform is in the unique position to see attacks after credential compromises have occurred but before the impact of a breach. That position delivers direct visibility into initial access to apps, systems and data, especially when they trigger anomalous, unexpected behaviors that are indicative of malicious activity.
In the last month alone, the following is a small sample of observed behaviors:
- Unusual behaviors during login, including unexpected geographic locations and brute force attempts
- Second factors triggered because of known attacker behaviors
- Sensitive data upload, potentially an attempt to “poison the well” with a malware-infected document that is actively shared.
- Sensitive data download, as an early indicator of data loss and exfiltration behaviors.
- Identification of malware-infected files
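As an added illustration (not Bitglass's code and not part of the original post), here is a small Python detector for two of the login signals listed above, brute-force attempts and logins from an unexpected geographic location, run over constructed sample events. The event format, thresholds and per-user country baseline are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events (not real data): (timestamp, user, source country, outcome)
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "US", "success"),
    ("2024-05-01T09:01:00", "svc-backup", "US", "failure"),
    ("2024-05-01T09:01:05", "svc-backup", "US", "failure"),
    ("2024-05-01T09:01:09", "svc-backup", "US", "failure"),
    ("2024-05-01T09:01:12", "svc-backup", "US", "failure"),
    ("2024-05-01T09:01:20", "svc-backup", "US", "failure"),
    ("2024-05-01T09:01:30", "svc-backup", "US", "success"),
    ("2024-05-01T09:30:00", "alice", "RO", "success"),
]

# Assumed per-user baseline of countries seen in normal use (in practice learned over time).
BASELINE = {"alice": {"US"}, "svc-backup": {"US"}}

FAIL_THRESHOLD = 5          # assumed: failures inside the window that count as brute force
WINDOW = timedelta(minutes=1)


def detect(events, baseline, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (user, rule, detail) alerts for a brute-force burst, a success that
    immediately follows such a burst, and a login from outside the user's baseline."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside the window
    for ts, user, country, outcome in events:
        t = datetime.fromisoformat(ts)
        q = recent_failures[user]
        while q and t - q[0] > window:    # expire failures older than the sliding window
            q.popleft()
        if outcome == "failure":
            q.append(t)
            if len(q) == fail_threshold:  # fire once, when the threshold is first reached
                alerts.append((user, "brute_force", f"{len(q)} failures within {window}"))
        elif outcome == "success":
            if country not in baseline.get(user, set()):
                alerts.append((user, "unexpected_geo", f"login from {country}"))
            if q:                          # a success right after a failure burst is a cracked credential signal
                alerts.append((user, "success_after_failures", f"success after {len(q)} recent failures"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(alert)
```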
Observing thousands of these incidents has informed the controls, usability design and active integration with partners like CrowdStrike across the Bitglass platform. We invite you to share your use cases with us or have a short conversation about the behaviors we actively track.
To learn how your organization can gain full visibility and control over the wide range of applications that employees use to perform their work duties, download “Bitglass for Securing Common Apps” below.