Want to prevent external attacks? It's all about the logon.
There’s one aspect of an external attack that is always true: the attacker needs a way to log on.
Published September 18, 2017
It’s tough to come up with an effective countermeasure to external attacks when you can’t see your enemy. While there are plenty of stories in the news of how organizations fell prey to a very specific attack, it’s hard to translate that into an actionable response. So, you walk through the “usual suspects” checklist of things to protect against: malware, phishing emails, ransomware, keyloggers, etc., all to give your organization some sense of “we have this under control.”
But, just as you update your tactics and leverage the latest security solution tech money can buy, so do the bad guys.
As an AV vendor updates their detection engines and puts them out to market, the bad guys are testing new variants of rootkits and malware against those engines to determine exactly how to enter your network undetected.
So, looking beyond all the protective measures you should be putting in place, the question becomes: how do you detect when an attacker is inside your network?
After all, most security solutions today react to behavior. They’re looking for actions based on historical data that indicates the potential for malicious activity. Attacks tend to follow a similar pattern, so it makes sense for vendors to educate themselves on the patterns and create a defense. But, like we said above, the bad guys know this. So they're always working to come up with new attack methods that avoid detection.
But even so, there’s one aspect of an external attack — particularly those where the goal isn’t to simply infect one machine, but to truly infiltrate and extend their reach within your network — that always rings true:
The attacker is going to need to log on.
In external attacks involving attempted or successful data breaches, stolen or compromised credentials are responsible for almost half of all breaches. In nearly every industry, credentials are found in a material percentage of breaches. Why? Because they're the key to access valuable data.
And for every set of compromised credentials, there will be at least one logon event when it’s used. Regardless of the kind of logon (local, remote, via SMB, via RPC, etc.), you can’t use credentials without logging on.
So, while you’re busy trying to figure out which security measure to focus on first, and what solutions you should implement to provide the best security stance possible, keep in mind that you have a foolproof way to stop the horizontal killchain: at the logon.