Vulnerabilities / Threats

5/20/2015
10:30 AM
Idan Tendler
Idan Tendler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

5 Signs Credentials In Your Network Are Being Compromised

Where should you start to keep ahead of attackers using insiders to steal corporate secrets or personal identifiable information? Check out these common scenarios.

As simple as it may sound, creating visibility to the status of user credentials in a network is a sure, safe first step for mitigating user-related threats, such as the “insider threat.” Here are five basic scenarios we advise organizations to monitor, in order to identify when trusted insider credentials may have been compromised:

Scenario 1: The sudden change in office hours
Working hours are not only a strong indicator of an efficient employee, but also an indicator for a compromised credential. Over time, employees tend to adopt a consistent work hour routine. This could manifest in both the specific hours workers arrive and checkout, but also with the durations of morning working sessions, behaviors on “depressing Mondays,” on holidays, etc. Using a baseline behavior pattern, identifying subtle changes in work hours could be the key to identifying whether a credential has been compromised.

Scenario 2. The Impossible Journey
If there is one benchmark even the most competitive sales department can’t achieve, it is crossing the Atlantic in under 6 seconds. That’s why, when you see an employee accessing internal databases from two different continents in a very short time frame, you have another strong indicator of a compromised credential. Pinpointing a user’s location based on network data can be very unreliable. Geo-locations gathered from multiple data sources and representing various kinds of interactions can potentially result in a high rate of false-positives. This requires profiling engines to be both selective and reliable in the data they take into account.

Scenario 3: The implausible remote access
Why would someone who is currently in the office be connected to another internal asset using a remote protocol or application? Obviously, there is no need for this since all allowed assets should be accessible from an employee’s original domestic station. That’s why scenario 3 asks the question: “Why would you use that remote connection anyway?” This is extremely important, since remote protocols are often used by an external attacker seeking to manipulate data from a distant location, or by a trusted insider as a way to mask an action he doesn’t want on record from his own trusted credential.

Scenario 4: The unusual resource usage
Uncommon use of organizational tools and department-dedicated resources is another great way to detect when an insider’s trusted credential is actually being abused. Identifying a user using either a file-share or a CRM his colleagues don’t typically access, could help detect when he himself, or someone using his own rights, is trying to reach a sensitive company resource.

Scenario 5: The password reset
Password reset protocols vary from service-to-service, but to all extent provide a golden opportunity for an attacker to take control of an unused trusted credential. For example, an account used routinely to conduct automated processes is due a password change. An attacker, with some kind of insider access, can target this account and use the mandatory password policy to force a password change and abduct this account for his own purposes. Now in the hands of a malicious attacker, this account could now mask any future action.

Do you have your own personal favorite scenarios to add to the list? Please share in the comments.

Idan Tendler is the Chief Executive Officer and Co-Founder of Fortscale, a provider of Big Data analytics-driven security solutions for Fortune 1000 companies. Before founding Fortscale, Tendler was a lead agent of the 8200, the cyberwarfare division of the Israeli Defense ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Franois Amigorena
50%
50%
Franois Amigorena,
User Rank: Author
5/22/2015 | 10:38:52 AM
Monitor the status of user credentials in your network with UserLock

In order to have the best visibility on the status of user credentials in a network - have a look at UserLock. UserLock helps prevent outside attacks from compromised credentials, stops unauthorized network access, protects users from their own careless behavior, mitigates the actions of malicious insiders and will also ensure that any access to a company network (and resources inside) is attributed to the authorized individual employee. 

UserLock continuously monitors all network logon events, across all session types (including Wi-Fi, VPN and IIS), automatically applying custom policies that permit or deny authenticated users' access. (limiting concurrent logins, workstation/device restrictions, IP address restrictions, time restrictions etc). You can then track, report and immediately respond to any suspicious logon behaviour. 

With UserLock's layered security and real-time monitoring you can extend the way you easily verify a users' identity to offer the best protection against compromised credentials. 

Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11469
PUBLISHED: 2019-04-23
Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.
CVE-2013-7470
PUBLISHED: 2019-04-23
cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel before 3.11.7, when CONFIG_NETLABEL is disabled, allows attackers to cause a denial of service (infinite loop and crash), as demonstrated by icmpsic, a different vulnerability than CVE-2013-0310.
CVE-2019-11463
PUBLISHED: 2019-04-23
A memory leak in archive_read_format_zip_cleanup in archive_read_support_format_zip.c in libarchive through 3.3.3 allows remote attackers to cause a denial of service via a crafted ZIP file because of a HAVE_LZMA_H typo.
CVE-2019-0218
PUBLISHED: 2019-04-22
A vulnerability was discovered wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface.
CVE-2019-11383
PUBLISHED: 2019-04-22
An issue was discovered in the Medha WiFi FTP Server application 1.8.3 for Android. An attacker can read the username/password of a valid user via /data/data/com.medhaapps.wififtpserver/shared_prefs/com.medhaapps.wififtpserver_preferences.xml