When Mark Zuckerberg’s passwords were hacked from his Twitter and other accounts, that news got everyone’s attention. Online articles suggest that hackers got his password from the 2012 LinkedIn breach, in which 117 million accounts were compromised. Mr Zuckerberg had reused his passwords on other services, like Twitter, which were then compromised as well.
This incident, along with many other similar hacks, proves that cyber-attacks are not isolated events; they are like a giant wave with long-term effects that can set off a chain of events.
Once an attacker acquires the username and password of an account, it is almost impossible to tell the real user from the attacker. To get there, attackers use what is called Password Brute Force, where they try as many passwords or passphrases as they can in the hope of eventually guessing the right one. They do this for a couple of reasons:
1 - To find the right combination for as many usernames and passwords as possible, for lateral movement in the network
2 - To perform a Denial of Service (DoS) on the target network by locking out legitimate users
So, what can an enterprise do to be able to detect credential compromise through a Password Brute Force attack?
Understanding an employee’s behavior, that is, what their normal patterns are (location, regular server access, time of day, etc.) versus what is out of the norm, is very important. User and Entity Behavior Analytics (UEBA) technology can learn and monitor user behavior 24/7. It is useful for security teams looking to identify the security holes that cyber criminals use to enter the network, as well as the paths they use to move laterally.
If an attacker manages to get hold of a compromised password and tries to gain access to a user’s account, UEBA can detect that the access is unusual, because the attacker doesn’t know which servers and machines the user typically accesses on a day-to-day basis. This can trigger an alert to the security team.
The challenge is that basic behavior analytics tools can become a security team’s nightmare if they are not smart enough to distinguish the activities of a legitimate user from those of a hacker. A very common scenario is a legitimate user entering the wrong password (by fat-fingering it) or simply not updating the password on some of their devices. If your solution isn’t smart enough to identify legitimate users, this can look like a Password Brute Force attack and generate a ton of false positives.
It is important that, if you are using UEBA, it is intelligent enough to understand a user’s baseline profile and to look for multiple indicators that tell whether the endpoint is being used by a legitimate user. The indicators could be how often a user uses an endpoint, the time of day when the endpoint is used, and so on. If the indicators don’t match (for example, there is a wrong-password attempt from an endpoint that is not associated with the user), then it is more likely to be malicious activity from an attacker, and it needs to be followed up by a security analyst.
But what about Prevention?
Now, being able to detect malicious activity versus legitimate activity is great, but if you are only alerting on it and waiting for manual follow-up, that threat can morph into a big problem. By setting policies and leveraging a Behavioral Firewall with advanced UEBA, you can automatically respond in real time and prevent the threat by blocking access and alerting the security team. To learn more about how Preempt’s Behavioral Firewall can help with preventing threats like Password Brute Force Attacks and Password Scanning, you can read more here.

Being able to distinguish between legitimate users and malicious password brute force attacks using advanced UEBA provides two key benefits. First, attackers cannot use this technique to run a DoS attack by locking users out of their accounts: their requests are stopped before reaching the AD domain controller, while legitimate users continue business activity normally. Second, security analysts can focus only on the malicious brute force attacks and not on innocuous user password failures.
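The following is an added example, not Preempt’s code or the logic of its Behavioral Firewall. It shows, in one small script, the two ideas from the post: learning a per-user baseline of endpoints and hours of day from successful logons, and then triaging a window of failed logons with those indicators (is the endpoint associated with the user? is the time of day usual? how many failures? how many different users are failing from one endpoint?) into an allow / alert / block policy, where "block" means the attempt is dropped before it reaches the domain controller, so it can neither guess the password nor lock the real user out. The user names, endpoint names, thresholds and events are all constructed for illustration.

```python
"""Toy UEBA-style triage of failed logons (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    user: str
    endpoint: str
    success: bool


@dataclass
class Baseline:
    endpoints: dict  # user -> {endpoint: successful-logon count}
    hours: dict      # user -> set of hours-of-day seen in successful logons


def build_baseline(history):
    """Learn each user's normal endpoints and working hours from successful logons only."""
    endpoints = defaultdict(lambda: defaultdict(int))
    hours = defaultdict(set)
    for ev in history:
        if ev.success:
            endpoints[ev.user][ev.endpoint] += 1
            hours[ev.user].add(ev.ts.hour)
    return Baseline(dict(endpoints), dict(hours))


# Assumed thresholds; a real deployment would tune these per environment.
TYPO_TOLERANCE = 3              # failures per (user, endpoint) that still look like fat-fingering
SPRAY_USERS = 3                 # distinct users failing from one endpoint -> password scanning
WINDOW = timedelta(minutes=10)  # sliding window over failed logons


def classify(baseline, events, now):
    """Return {(user, endpoint): (verdict, action)} for failed logons inside WINDOW.

    "allow": forward to the domain controller as usual (still counts toward lockout).
    "alert": forward, but open a case for an analyst.
    "block": drop before the DC, so it cannot lock the user out, and alert the team.
    """
    recent = [e for e in events if not e.success and now - WINDOW <= e.ts <= now]
    failures = defaultdict(int)
    last_seen = {}
    users_per_endpoint = defaultdict(set)
    for e in recent:
        key = (e.user, e.endpoint)
        failures[key] += 1
        last_seen[key] = max(e.ts, last_seen.get(key, e.ts))
        users_per_endpoint[e.endpoint].add(e.user)

    verdicts = {}
    for (user, endpoint), n in failures.items():
        known_endpoint = endpoint in baseline.endpoints.get(user, {})
        usual_hour = last_seen[(user, endpoint)].hour in baseline.hours.get(user, set())
        if len(users_per_endpoint[endpoint]) >= SPRAY_USERS:
            verdicts[(user, endpoint)] = ("password_scanning", "block")
        elif not known_endpoint:
            verdicts[(user, endpoint)] = ("brute_force_unknown_endpoint", "block")
        elif n > TYPO_TOLERANCE:
            # Known device with many failures: often a stale saved password, still worth a look.
            verdicts[(user, endpoint)] = ("excess_failures_known_endpoint", "alert")
        elif not usual_hour:
            verdicts[(user, endpoint)] = ("few_failures_off_hours", "alert")
        else:
            verdicts[(user, endpoint)] = ("likely_typo", "allow")
    return verdicts


# --- constructed sample data (hypothetical users, endpoints and times) -----------------
BASE = datetime(2024, 5, 1)
HISTORY = (
    [LogonEvent(BASE + timedelta(days=d, hours=h), "alice", "WS-ALICE", True)
     for d in range(5) for h in (9, 13)]
    + [LogonEvent(BASE + timedelta(days=d, hours=8), "bob", "WS-BOB", True) for d in range(5)]
    + [LogonEvent(BASE + timedelta(days=d, hours=8, minutes=30), "bob", "BOB-PHONE", True)
       for d in range(5)]
)
NOW = BASE + timedelta(days=7, hours=9, minutes=10)


def at(minute):
    return NOW.replace(minute=minute)


RECENT = (
    [LogonEvent(at(2), "alice", "WS-ALICE", False), LogonEvent(at(3), "alice", "WS-ALICE", False)]
    + [LogonEvent(at(4 + i), "alice", "WS-CONTRACTOR-17", False) for i in range(5)]  # unfamiliar box
    + [LogonEvent(at(1 + i), "bob", "BOB-PHONE", False) for i in range(6)]            # stale password
    + [LogonEvent(at(8), "bob", "WS-BOB", False)]                                      # bob is an 08:00 user
    + [LogonEvent(at(5), u, "JUMP-01", False) for u in ("carol", "dave", "erin")]      # many users, one host
)


def triage_sample():
    return classify(build_baseline(HISTORY), RECENT, NOW)


if __name__ == "__main__":
    for (user, endpoint), (verdict, action) in sorted(triage_sample().items()):
        print(f"{user:6} {endpoint:17} {verdict:32} -> {action}")
```

Alice’s two misses from her own workstation during her usual hours are let through as a typo, while the five misses against her account from an endpoint she has never used are dropped before the domain controller sees them, so they neither guess her password nor lock her out; the three different users failing from one host are treated as password scanning and blocked the same way. Bob’s phone with a stale saved password is forwarded but raised to an analyst, which is the distinction the post draws between innocuous failures and the attempts that deserve follow-up.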