Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/20/2015
10:30 AM
Idan Tendler
Idan Tendler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

5 Signs Credentials In Your Network Are Being Compromised

Where should you start to keep ahead of attackers using insiders to steal corporate secrets or personal identifiable information? Check out these common scenarios.

As simple as it may sound, creating visibility to the status of user credentials in a network is a sure, safe first step for mitigating user-related threats, such as the “insider threat.” Here are five basic scenarios we advise organizations to monitor, in order to identify when trusted insider credentials may have been compromised:

Scenario 1: The sudden change in office hours
Working hours are not only a strong indicator of an efficient employee, but also an indicator for a compromised credential. Over time, employees tend to adopt a consistent work hour routine. This could manifest in both the specific hours workers arrive and checkout, but also with the durations of morning working sessions, behaviors on “depressing Mondays,” on holidays, etc. Using a baseline behavior pattern, identifying subtle changes in work hours could be the key to identifying whether a credential has been compromised.

Scenario 2. The Impossible Journey
If there is one benchmark even the most competitive sales department can’t achieve, it is crossing the Atlantic in under 6 seconds. That’s why, when you see an employee accessing internal databases from two different continents in a very short time frame, you have another strong indicator of a compromised credential. Pinpointing a user’s location based on network data can be very unreliable. Geo-locations gathered from multiple data sources and representing various kinds of interactions can potentially result in a high rate of false-positives. This requires profiling engines to be both selective and reliable in the data they take into account.

Scenario 3: The implausible remote access
Why would someone who is currently in the office be connected to another internal asset using a remote protocol or application? Obviously, there is no need for this since all allowed assets should be accessible from an employee’s original domestic station. That’s why scenario 3 asks the question: “Why would you use that remote connection anyway?” This is extremely important, since remote protocols are often used by an external attacker seeking to manipulate data from a distant location, or by a trusted insider as a way to mask an action he doesn’t want on record from his own trusted credential.

Scenario 4: The unusual resource usage
Uncommon use of organizational tools and department-dedicated resources is another great way to detect when an insider’s trusted credential is actually being abused. Identifying a user using either a file-share or a CRM his colleagues don’t typically access, could help detect when he himself, or someone using his own rights, is trying to reach a sensitive company resource.

Scenario 5: The password reset
Password reset protocols vary from service-to-service, but to all extent provide a golden opportunity for an attacker to take control of an unused trusted credential. For example, an account used routinely to conduct automated processes is due a password change. An attacker, with some kind of insider access, can target this account and use the mandatory password policy to force a password change and abduct this account for his own purposes. Now in the hands of a malicious attacker, this account could now mask any future action.

Do you have your own personal favorite scenarios to add to the list? Please share in the comments.

Idan Tendler is the Chief Executive Officer and Co-Founder of Fortscale, a provider of Big Data analytics-driven security solutions for Fortune 1000 companies. Before founding Fortscale, Tendler was a lead agent of the 8200, the cyberwarfare division of the Israeli Defense ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Franois Amigorena
50%
50%
Franois Amigorena,
User Rank: Author
5/22/2015 | 10:38:52 AM
Monitor the status of user credentials in your network with UserLock

In order to have the best visibility on the status of user credentials in a network - have a look at UserLock. UserLock helps prevent outside attacks from compromised credentials, stops unauthorized network access, protects users from their own careless behavior, mitigates the actions of malicious insiders and will also ensure that any access to a company network (and resources inside) is attributed to the authorized individual employee. 

UserLock continuously monitors all network logon events, across all session types (including Wi-Fi, VPN and IIS), automatically applying custom policies that permit or deny authenticated users' access. (limiting concurrent logins, workstation/device restrictions, IP address restrictions, time restrictions etc). You can then track, report and immediately respond to any suspicious logon behaviour. 

With UserLock's layered security and real-time monitoring you can extend the way you easily verify a users' identity to offer the best protection against compromised credentials. 

COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...