Control compromised credentials: From careless to criminal
Improve security through logon controls and alerts that limit risk-inducing behavior and limit the potential for compromised credentials.
Published August 23, 2017

Credentials are a double-edged sword. On the one hand, they are the means by which employees gain access to the resources they need to do their jobs. On the other, they are also the potential means by which a malicious insider or external threat actor gains that very same access to do harm.
The real threat here is obviously not when a user simply does their job; it’s when the credentials in question are compromised — whether leveraged by their assigned user, another employee, or an external attacker — and used for evil.
So, just how real is the compromised credential? And should it become compromised, how much risk does that pose to the organization?
There are two parts to the compromised credential equation. The first is the carelessness of your organization’s users. Logging onto the corporate network becomes so routine that users often forget their username and password are sensitive pieces of information. And yet, despite this, IS Decisions research found that 49% of employees share their credentials with fellow employees and 52% see no risk to their employer in doing so. And these aren’t just low-level users with little access to sensitive information; these are users from legal, HR, IT, Finance, and more.
To make matters worse, these shared sets of credentials very likely have far more access than needed. In a Ponemon Institute report, 71% of end users stated they frequently or very frequently have access to information they shouldn’t, making most of your users potentially over-privileged to begin with.
Add this all up and you have an environment of users with too much access sharing that access with others — it’s a recipe for disaster.
Misuse of privileges is a common attack method in successful data breach incidents. This brings us to the second part of the compromised credential equation: the criminal actions of insiders and external threat actors.
Insider threats (which make up approximately one-third of all data breaches) certainly become far easier when the insider can leverage both their own and a fellow employee’s credentials to maliciously access valuable sensitive data.
Likewise, external attackers use stolen credentials to gain a foothold within an organization, establish persistence, move laterally within the network, and find valuable data to exfiltrate. External actors compromise credentials via malware designed to record keystrokes; a keylogger on a single machine captures every credential typed there, and with all that password sharing going on, that may be several users’ accounts at once, making the attacker’s task of reaching your valuable data even easier.
So, how can you identify when any part of the compromised credential equation occurs?
It’s quite simple, really. It begins with watching your logons.
By auditing logons, you can spot password sharing (as indicated by the same account logging onto many machines, or many simultaneous logons of the same account), potential insider threats (“Why is Sally logging in at 1am on a Thursday?”), and even external attackers (odd logon times, repeated logon attempts against servers from a single source, etc.).
Native Windows auditing can provide some of this detail (the Security log records a successful logon as event ID 4624 and a failed one as 4625, provided the Audit Logon policy is enabled), but those events are stored on each system individually, making it a daunting task to see the logon “big picture”. Windows Event Forwarding or a SIEM can centralize collection, and third-party solutions exist that automate the centralized auditing of logons while also providing notification of specific suspect events, as well as policy-based control over logons (e.g. restricting which systems an account may use, limiting concurrent logons, etc.).
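To make the three heuristics above concrete, here is an added example (not code from the original article or from IS Decisions) that runs them over a constructed set of centralized Windows logon events. The event records are plain dictionaries whose field names are my own; they mirror what a 4624 (successful logon) or 4625 (failed logon) event carries once exported from the Security log: event ID, timestamp, target account, the host that recorded it, logon type, and source address. Thresholds such as "three distinct workstations within an hour" are illustrative assumptions, not values the article prescribes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of centralised Security-log logon events (not real data).
# 2017-08-17 is a Thursday. Field names are assumptions for this example.
SAMPLE_EVENTS = [
    # sally: one interactive logon on her own workstation during the day
    {"id": 4624, "time": "2017-08-17T09:02:11", "user": "sally", "host": "WS-SALLY", "type": 2, "src": "10.0.5.21"},
    # the same account used interactively on three other workstations within minutes -> sharing
    {"id": 4624, "time": "2017-08-17T09:05:40", "user": "sally", "host": "WS-BOB", "type": 2, "src": "10.0.5.22"},
    {"id": 4624, "time": "2017-08-17T09:07:02", "user": "sally", "host": "WS-ANN", "type": 2, "src": "10.0.5.23"},
    {"id": 4624, "time": "2017-08-17T09:09:15", "user": "sally", "host": "WS-TOM", "type": 2, "src": "10.0.5.24"},
    # sally's account reaching a file server at 01:14 on a Thursday -> off-hours
    {"id": 4624, "time": "2017-08-17T01:14:33", "user": "sally", "host": "FS-01", "type": 3, "src": "10.0.5.21"},
    # bob: one typo followed by a normal daytime logon; should not be flagged
    {"id": 4625, "time": "2017-08-17T08:54:30", "user": "bob", "host": "WS-BOB", "type": 2, "src": "10.0.5.22"},
    {"id": 4624, "time": "2017-08-17T08:55:00", "user": "bob", "host": "WS-BOB", "type": 2, "src": "10.0.5.22"},
    # a burst of failed network logons against a server from one address, then a success
    {"id": 4625, "time": "2017-08-17T02:30:00", "user": "administrator", "host": "FS-01", "type": 3, "src": "10.0.9.77"},
    {"id": 4625, "time": "2017-08-17T02:30:10", "user": "administrator", "host": "FS-01", "type": 3, "src": "10.0.9.77"},
    {"id": 4625, "time": "2017-08-17T02:30:20", "user": "administrator", "host": "FS-01", "type": 3, "src": "10.0.9.77"},
    {"id": 4625, "time": "2017-08-17T02:30:30", "user": "administrator", "host": "FS-01", "type": 3, "src": "10.0.9.77"},
    {"id": 4625, "time": "2017-08-17T02:30:40", "user": "administrator", "host": "FS-01", "type": 3, "src": "10.0.9.77"},
    {"id": 4625, "time": "2017-08-17T02:30:50", "user": "administrator", "host": "FS-01", "type": 3, "src": "10.0.9.77"},
    {"id": 4624, "time": "2017-08-17T02:31:05", "user": "administrator", "host": "FS-01", "type": 3, "src": "10.0.9.77"},
]

INTERACTIVE = {2, 10, 11}  # console, RDP and cached-interactive logon types


def parse(events):
    """Return a copy of the events with timestamps parsed, sorted chronologically."""
    out = []
    for e in events:
        d = dict(e)
        d["time"] = datetime.fromisoformat(e["time"])
        out.append(d)
    return sorted(out, key=lambda d: d["time"])


def detect_shared_accounts(events, window=timedelta(hours=1), min_hosts=3):
    """Accounts logging on interactively to >= min_hosts distinct machines within `window`.
    One person rarely sits at three keyboards in an hour; a shared password explains it."""
    by_user = defaultdict(list)
    for e in parse(events):
        if e["id"] == 4624 and e["type"] in INTERACTIVE:
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(set(flagged.get(user, [])) | hosts)
    return flagged


def detect_off_hours(events, start_hour=7, end_hour=19):
    """Successful logons outside start_hour..end_hour (local time) or on a weekend."""
    hits = []
    for e in parse(events):
        if e["id"] != 4624:
            continue
        t = e["time"]
        if t.weekday() >= 5 or not (start_hour <= t.hour < end_hour):
            hits.append((e["user"], e["host"], t.isoformat()))
    return hits


def detect_failed_bursts(events, window=timedelta(minutes=5), threshold=5):
    """(source, host) pairs with >= threshold failed logons inside `window`: password guessing."""
    by_key = defaultdict(list)
    for e in parse(events):
        if e["id"] == 4625:
            by_key[(e["src"], e["host"])].append(e["time"])
    bursts = {}
    for key, times in by_key.items():
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                bursts[key] = max(n, bursts.get(key, 0))
    return bursts


if __name__ == "__main__":
    print("possible sharing:", detect_shared_accounts(SAMPLE_EVENTS))
    print("off-hours logons:", detect_off_hours(SAMPLE_EVENTS))
    print("failed-logon bursts:", detect_failed_bursts(SAMPLE_EVENTS))
```

In the sample, sally's account is flagged for sharing (four workstations in seven minutes), both the 01:14 logon and the attacker's eventual 02:31 success show up as off-hours, and the six failures from 10.0.9.77 against FS-01 form a burst while bob's single typo does not. In a real deployment the input would come from forwarded Security logs rather than an inline list, and the business-hours window and thresholds should be tuned per account type (service accounts, for instance, legitimately log on at night).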
By gaining visibility into your logons, you will have a better idea of just how much risk the organization faces daily. Understanding whether you have a problem is the first step. It’s only by also putting controls in place to limit the risk-inducing behavior that your organization will begin to improve its security posture and limit the potential for compromise.