Why break in, if you can simply log in?

I was asked the other day why so many security breaches are hitting the headlines and are seemingly getting larger and more frequent. The game of cyber security has changed significantly over the years, and defenders are slow to modify their playbooks and tactics. The fundamental problem is that defenders are waiting and ready for attackers to hack through the firewall, but in truth the attackers are simply logging in using legitimate credentials that they obtained by some other illicit method.

There are a few terms floating around the industry these days that describe this problem. Insider threat, credential abuse – they all describe the fact that either via some phishing attack or the simple purchase of credentials on a dark market, an attacker is logging in and operating on your network for months, maybe even years, as they impersonate a known user to your systems. Their tactic then becomes to gain more knowledge of your architecture and to gain the access needed to achieve their objective, which in most cases will involve the exfiltration of data.

Security products classically operate well when known bad things happen. Exploits are run, attack patterns executed, malware transported. But they fall short when the attack appears to be a legitimate user. Detecting attacks that access systems with stolen credentials requires a completely different set of instrumentation, telemetry and security tools. In today’s world, defenders need to have the tools to detect both traditional attacks and those involving stolen credentials or insider information. Both of these detection techniques should be able to work in concert to ensure attackers are not given the opportunity to put organizations of all sizes in the headlines.

Here is a simple question to determine if your current systems can detect this type of intruder: If one of your user accounts is compromised, how would you go about finding out which one, and how quickly could you do it? For most, “I have no idea” is the typical answer. Others have the tools to do this, but it takes too long and the investigation itself can be disruptive to all of the other priorities facing the security team.

The intelligence and telemetry you can use to catch these bad actors roaming around your network is not universal; it is unique to your business. Much can be done when one understands and can use their network telemetry as a security tool. Behavioral patterns on your network can include the relatively common, such as the behaviors that users exhibit in the two weeks before they turn in their resignation. But attackers can also be incredibly bold in how they behave on the network because, in most cases, they evade detection as long as they continue to use stolen credentials. The truth is that all of these things are happening on your network right now; you just don’t have the telemetry to detect it – yet.

I urge you to challenge yourself. If someone in the HR department started to poke around the source code repository or the financial systems, would you be able to detect it? If a user transferred 500 gigs or more to another system, could you call it into question? While I don’t have all the answers, these are the types of questions you should be able to answer about the organization you protect.
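The two questions above can be written as checks over access telemetry. This is an added example, not part of the original post; the event layout, department baseline, system names, and sample records are all constructed assumptions.

```python
from collections import defaultdict

GB = 10**9
TRANSFER_LIMIT_BYTES = 500 * GB  # the "500 gigs" figure from the text

# Assumed baseline: systems each department normally touches (hypothetical names).
DEPT_BASELINE = {
    "hr": {"hris", "payroll"},
    "engineering": {"source-repo", "ci"},
    "finance": {"finance-erp", "payroll"},
}

# Constructed sample telemetry: (user, department, system, bytes_out)
EVENTS = [
    ("alice", "hr", "hris", 2 * GB),
    ("alice", "hr", "source-repo", 1 * GB),
    ("bob", "engineering", "source-repo", 300 * GB),
    ("bob", "engineering", "ci", 250 * GB),
    ("carol", "finance", "finance-erp", 5 * GB),
    ("alice", "hr", "finance-erp", 1 * GB),
]


def find_anomalies(events, baseline=DEPT_BASELINE, limit=TRANSFER_LIMIT_BYTES):
    """Return (out_of_role, bulk_transfer) findings for analyst review."""
    out_of_role = []
    totals = defaultdict(int)
    for user, dept, system, nbytes in events:
        # An unknown department has an empty baseline, so every access is flagged.
        if system not in baseline.get(dept, set()):
            out_of_role.append((user, dept, system))
        # Sum per user so a transfer split across systems still crosses the limit.
        totals[user] += nbytes
    bulk = sorted(user for user, total in totals.items() if total >= limit)
    return out_of_role, bulk


if __name__ == "__main__":
    roles, bulk = find_anomalies(EVENTS)
    for user, dept, system in roles:
        print(f"out-of-role access: {user} ({dept}) -> {system}")
    for user in bulk:
        print(f"bulk transfer: {user} moved 500 GB or more")
```

Each finding is a lead for investigation, not proof of compromise; the baseline has to come from your own environment.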