Credential compromise has been a leading attack vector for the last five years. Attackers get hold of credentials in a variety of ways: guessing passwords, phishing emails, spyware, or even pulling credentials out of memory on a host they already control. To detect credential compromise, and to defend against it more proactively, organizations need visibility into identity, behavior and risk, along with the ability to respond automatically when signs of compromise are detected.
There are three primary areas to focus on when looking to reduce the risk of credential compromise. Let's take a quick look at each of them, along with some examples of how to detect the problem and respond:
Weak and Breached Passwords
One of the first places to look is user passwords. It's important to find out which users have weak passwords, and which may be using passwords that were exposed in breaches of other services. Those passwords are now public and sit in the dictionaries attackers use when trying to guess their way into an organization.
With that visibility, forcing a password change on the affected users becomes straightforward. Users with weak or breached passwords can also be identified and have their risk raised, which in turn justifies applying more stringent policies or taking a more aggressive stance toward them for as long as the weakness remains in the environment.
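The check described above, written out as an added example (this is not code from the original post or from Preempt). It flags weak passwords with a couple of simple policy rules and checks for breached ones using the SHA-1 range, or k-anonymity, format used by Have I Been Pwned's Pwned Passwords API: only the first five hex characters of the hash are sent, and the returned "suffix:count" lines are compared locally, so the full hash never leaves the host. The breached-password corpus, its counts, the `sample_range_lookup` stand-in for the network call and the policy thresholds are all constructed for the example.

```python
"""Added example (not code from the original post): flagging weak and
breached passwords and mapping the findings to a response. The breach
check follows the SHA-1 range ("k-anonymity") format used by Have I Been
Pwned's Pwned Passwords API. The corpus, counts and lookup function below
are constructed so the example runs offline."""
import hashlib
import re

# Constructed breached-password sample with made-up occurrence counts.
BREACHED_SAMPLE = {
    "password": 9_000_000,
    "123456": 37_000_000,
    "Winter2023!": 1_200,
    "letmein": 250_000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the range format is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(breached: dict) -> dict:
    """Group hashes by their 5-char prefix, mimicking the per-prefix lists a
    range endpoint returns ("<35-char suffix>:<count>" per line)."""
    table = {}
    for pw, count in breached.items():
        h = sha1_hex(pw)
        table.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return table


RANGE_TABLE = build_range_table(BREACHED_SAMPLE)


def sample_range_lookup(prefix: str) -> list:
    """Constructed stand-in for the network call GET /range/<prefix>."""
    return RANGE_TABLE.get(prefix, [])


def breach_count(password: str, range_lookup=sample_range_lookup) -> int:
    """k-anonymity check: send only the 5-char prefix, then compare the
    remaining 35 characters locally. Returns the corpus count (0 = unseen)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_findings(password: str, range_lookup=sample_range_lookup) -> list:
    """Return human-readable findings; an empty list means the password passed."""
    findings = []
    if len(password) < 12:                      # assumed minimum length
        findings.append("shorter than 12 characters")
    # Word + year + optional symbol: a shape guessing tools try very early.
    if re.fullmatch(r"[A-Za-z]+\d{1,4}[!@#$%^&*]?", password):
        findings.append("word-plus-digits pattern")
    seen = breach_count(password, range_lookup)
    if seen:
        findings.append(f"seen in {seen} breached credentials")
    return findings


def password_response(findings: list) -> str:
    """Breached -> force a reset now; merely weak -> raise the user's risk so
    stricter policy applies; otherwise nothing to do."""
    if any(f.startswith("seen in") for f in findings):
        return "force_password_change"
    if findings:
        return "raise_risk"
    return "ok"


if __name__ == "__main__":
    for pw in ["Winter2023!", "Summer2024", "correct horse battery staple"]:
        f = password_findings(pw)
        print(f"{pw!r}: {password_response(f)} {f}")
```

Against a real directory the same logic runs over password hashes extracted by a privileged audit process rather than over plaintext, and the range lookup goes over HTTPS; the k-anonymity split is what keeps that lookup from disclosing which passwords your users actually have.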
Detecting Reconnaissance
Another area to watch is signs of reconnaissance. Brute-force attacks and credential scanning are two kinds of reconnaissance that need to be detected. When these activities are seen, raising the risk score of the devices involved, or isolating them more aggressively from other parts of the network and from sensitive assets, may be an important step to take.
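As an added example of the detection just described (not code from the original post or from Preempt), the following flags brute-force and password-spraying activity from Windows failed-logon events (Event ID 4625) and maps each finding to a response. The events are constructed inline, with `src` standing in for the record's IpAddress and `user` for TargetUserName; the thresholds and the five-minute window are assumptions to tune per environment. It goes slightly beyond the text in separating the two patterns, because per-account lockout counters catch the first but miss the second.

```python
"""Added example (not code from the original post): flagging brute-force and
password-spraying reconnaissance from Windows 4625 failed-logon events.
Events, thresholds and window are constructed/assumed for the example."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed 4625 sample ("src" = IpAddress, "user" = TargetUserName).
FAILED_LOGONS = (
    # 10.0.0.5 hammers one account: 15 failures in 30 seconds.
    [{"time": f"2024-03-01T08:00:{s:02d}", "src": "10.0.0.5", "user": "jsmith"}
     for s in range(0, 30, 2)]
    # 10.0.0.9 tries one guess against 20 different accounts: spraying.
    + [{"time": f"2024-03-01T09:00:{s:02d}", "src": "10.0.0.9", "user": f"user{s:02d}"}
       for s in range(20)]
    # 10.0.0.7: one user mistyping twice, which should not fire.
    + [{"time": "2024-03-01T10:00:00", "src": "10.0.0.7", "user": "alee"},
       {"time": "2024-03-01T10:00:04", "src": "10.0.0.7", "user": "alee"}]
)


def detect_recon(events, brute_threshold=10, spray_threshold=15,
                 window=timedelta(minutes=5)):
    """Sliding-window analysis per source address.

    brute force:    >= brute_threshold failures against one account
    password spray: failures against >= spray_threshold distinct accounts,
                    each seeing only one or two attempts
    Returns {source: sorted list of tags}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e["user"]))

    findings = defaultdict(set)
    for src, evs in by_src.items():
        recent = deque()
        for t, user in sorted(evs):
            recent.append((t, user))
            while t - recent[0][0] > window:      # drop events outside the window
                recent.popleft()
            per_user = Counter(u for _, u in recent)
            top_user, top_count = per_user.most_common(1)[0]
            if top_count >= brute_threshold:
                findings[src].add(f"brute_force:{top_user}")
            if len(per_user) >= spray_threshold:
                findings[src].add("password_spray")
    return {src: sorted(tags) for src, tags in findings.items()}


def recon_response(tags) -> str:
    """Map findings to the actions described above: a spraying source is
    touching many accounts, so isolate it; a single-account brute force
    raises the device's risk score and tightens policy on it."""
    if "password_spray" in tags:
        return "isolate_host"
    if any(t.startswith("brute_force:") for t in tags):
        return "raise_risk"
    return "none"


if __name__ == "__main__":
    for src, tags in detect_recon(FAILED_LOGONS).items():
        print(src, tags, "->", recon_response(tags))
```

Keying on the source address rather than the target account is the point: a spray that stays under the lockout threshold for every account still stands out when all of its failures come from one place.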
Detecting Compromised Credentials
And of course, being able to find signs that credentials have already been compromised is critical. Evidence of techniques like Pass-the-Hash is a strong indicator. Another is an endpoint behaving out of character: doing things it does not normally do, or using unusual services to talk to assets it does not normally reach out to.
When this type of behavior is seen, challenging it with a second authentication factor confirms whether the user is who they claim to be. If the challenge fails, blocking or isolating the host is in order.
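The two paragraphs above describe a detect-then-challenge flow; the following is an added example of it (not code from the original post or from Preempt). It scores successful logons (Windows Event ID 4624) on a commonly cited NTLM pass-the-hash heuristic (network logon type 3, NTLM package, NtLmSsp logon process, Key Length 0, for a real user account) combined with deviation from a learned baseline of which hosts each user normally logs on to, then allows, challenges with a second factor, or blocks and isolates. The events, baseline, score weights, `PRIVILEGED_USERS`, `CHALLENGE_AT` and the `second_factor` callback standing in for an MFA push are all constructed for the example.

```python
"""Added example (not code from the original post): scoring 4624 logon
events for pass-the-hash indicators plus baseline deviation, then choosing
allow / challenge / block. Events, baseline, weights and the second-factor
callback are constructed for the example."""

PRIVILEGED_USERS = {"da-backup"}   # assumption: accounts that warrant extra weight
CHALLENGE_AT = 30                  # assumption: score at which MFA is demanded


def looks_like_pth(ev: dict) -> bool:
    """Commonly cited NTLM pass-the-hash heuristic for a 4624 record:
    network logon (type 3) via NTLM / NtLmSsp with Key Length 0, for a real
    user (not ANONYMOUS LOGON and not a machine account ending in '$')."""
    return (ev["LogonType"] == 3
            and ev["AuthenticationPackageName"] == "NTLM"
            and ev["LogonProcessName"] == "NtLmSsp"
            and ev["KeyLength"] == 0
            and ev["TargetUserName"] != "ANONYMOUS LOGON"
            and not ev["TargetUserName"].endswith("$"))


def risk_score(ev: dict, baseline: set) -> tuple:
    """Combine the technique indicator with behavioral deviation."""
    score, reasons = 0, []
    user, host = ev["TargetUserName"], ev["Computer"]
    if looks_like_pth(ev):
        score += 60
        reasons.append("ntlm_type3_keylength0")
    if (user, host) not in baseline:            # never seen this user here before
        score += 30
        reasons.append("destination_not_in_baseline")
    if user in PRIVILEGED_USERS:
        score += 20
        reasons.append("privileged_account")
    return score, reasons


def respond(ev: dict, baseline: set, second_factor) -> dict:
    """Below the threshold: allow. At or above it: challenge the user with a
    second factor; pass -> allow and learn the destination, fail -> block
    the logon and isolate the source host."""
    score, reasons = risk_score(ev, baseline)
    result = {"user": ev["TargetUserName"], "score": score, "reasons": reasons}
    if score < CHALLENGE_AT:
        result["action"] = "allow"
    elif second_factor(ev["TargetUserName"]):   # constructed stand-in for an MFA push
        result["action"] = "allow_after_mfa"
        baseline.add((ev["TargetUserName"], ev["Computer"]))
    else:
        result["action"] = "block_and_isolate"
        result["isolate"] = ev["IpAddress"]
    return result


# Constructed baseline of (user, destination host) pairs learned from history.
BASELINE = {("jsmith", "WS-JSMITH"), ("jsmith", "FILESRV01"), ("alee", "WS-ALEE")}

# Constructed 4624 events (field names follow the 4624 record).
EVENTS = [
    # Normal Kerberos logon to a known destination: score 0.
    {"TargetUserName": "jsmith", "Computer": "FILESRV01", "IpAddress": "10.0.0.21",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "KeyLength": 0},
    # NTLM network logon from jsmith's workstation to a server jsmith never uses.
    {"TargetUserName": "jsmith", "Computer": "SQL01", "IpAddress": "10.0.0.21",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0},
    # Privileged account reaching a new host over Kerberos: challenge, not block.
    {"TargetUserName": "da-backup", "Computer": "WS-ALEE", "IpAddress": "10.0.0.40",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "KeyLength": 0},
]


if __name__ == "__main__":
    learned = set(BASELINE)
    for ev in EVENTS:
        print(respond(ev, learned, second_factor=lambda user: False))
```

The NTLM indicator alone is not proof: non-domain-joined hosts and older clients produce the same field combination legitimately, which is why it contributes to a score rather than triggering a block by itself, and why the baseline deviation is what tips a logon into the challenge. Scoring also gives the response a graceful middle step: the user who passes the challenge carries on, and only a failed challenge leads to blocking and isolating the host.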
These are just a few examples of what can be done to detect and prevent credential compromise. To learn more, and to see how Preempt provides greater insight and intelligence for investigations and how to take proactive measures to stop compromise, check out our latest video.