In the hustle and bustle of our modern world, we can all get easily lost in the noise. One kind of noise is most frustrating for security teams: the noise of security incidents. With more and more data feeds into your security analytics products, it seems like we are creating more problems for ourselves with the all of the alerts and not enough manpower.
Security professionals often feel they don’t have enough time to keep up with modern threats. In fact, Crowdstrike researchers have found that top threat actors can go in and out of networks in a matter of minutes. Despite other similar security research reports listing all the ways threat actors can breach a network, they rarely offer a viable solution to combat these risks and often just resign us all to a “we can only do our best” mentality.
I disagree. While I feel that “doing our best” is sufficient for an elementary school project, it’s not the right mentality for an enterprise security team. We as security professionals should strive to be excellent. In order to get there, let’s review some common attack patterns and discuss the best ways to disrupt an attacker’s plan.
According to haveIbeenpwned.com, close to 8 billion accounts have been compromised. The site provides a tool to see if any of your passwords have been compromised and are available on the dark-net. Once passwords are compromised, they are easily exposed to bad actors who can use them for brute force attacks and credential stuffing.
People often think that state-sponsored attacks from groups like Lazarus (North Korea), Fancy Bear (Russia) or menuPass (China) only target public federal organizations in Western nations like the U.S. This is simply not the case. In fact, attacks on large financial and retail institutions have increasingly been state-sponsored attacks hoping to create chaos more than just theft. These attacks largely come from U.S.-sanctioned states such as Iran, Russia and North Korea, as these hacking groups have come to realize that attacking private organizations can achieve the same goals as attacking public institutions.
In the past year, we have seen numerous publicly traded corporations (Marriott and T-Mobile), airlines (Cathay Pacific and Delta), and tech companies (Facebook and Google+) all breached because of some type of insider threat or compromised credentials. So, it’s no surprise that insider threats and preventing credential compromise are growing concerns for organizations.
Stolen or compromised credentials pose well-known risks to organizations and their employees. And as hackers and other malicious actors become more advanced and sophisticated in their techniques, the global threat is increasing. At a recent IT security conference, I spoke with a customer about an alert (TA18-276A) that the United States National Cybersecurity and Communications Integration Center (NCCIC) released late last year. The alert, titled “Using Rigorous Credential Control to Mitigate Trusted Network Exploitation,” outlines recommendations on how to overcome these challenges. In this blog, I’ll discuss how Conditional Access and detection of malicious use of tools and protocols can address the NCCIC’s recommendations.
The alert provides information on how Advanced Persistent Threat (APT) actors are using multiple mechanisms to acquire legitimate user credentials. Once acquired, attackers can use the credentials to exploit trusted network relationships, in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Some of the suggested NCCIC best practices for administrators to mitigate these threats include rigorous credential controls and privileged-access management, as well as remote-access control and audits of legitimate remote-access logs.
UPDATE (Jan. 25): Recent news reports state a deal has been reached to re-open the federal government through Feb 15. The issues outlined in this blog continue to apply to public and private sector organizations.
As many of you may have read in the news recently, the government shutdown has had a negative impact on both federal and enterprise security. Krebs on Security has reported possible consequences of the government shutdown on the talent pool, such as federal employees actively being recruited by the private sector, as well as delays on security clearances. Duo Security’s news arm, Decipher, has also done a great job laying out potential government shutdown impacts on enterprise security, including delays on NIST guidelines and standards, and closure of FIPS validation sites.
TV shows, movies, and video games seem to take a lot of heat (fairly or not) for contributing to a mixed bag of societal problems. When setting your passwords, make sure to take your cues from movies like Ocean’s Thirteen’s Livingston Dell and Mad Max’s Furiosa - rather than examples like James Bond using his coworker’s name as the only password for $120 million in gambling winnings. Kanye’s infamous “000000” iPhone password, typed in full view of White House press cameras, comes to mind.
What password would you use for a bank account soon to be worth $120 million?
Most of us still dream practical, down to earth, old fashioned dreams. And I’d place a bet that not many people, if any, dream about their credentials being stolen. Almost all of my memories from the last 15 years or so are stored digitally. The majority of my day to day activity is managed online. My online persona is almost identical to my physical one. I imagine that many of you are in the same situation.
Topics: Credential Compromise
At the recent Gartner Security & Risk Management Summit, analysts presented their findings on the top technologies for information security and their implications for security organizations in 2018. At the event Neil MacDonald highlighted Top 10 Security Projects for Security and Risk Management Organizations. He continues by emphasizing that these are projects with real supporting technologies that CISOs should be exploring.