Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/20/2015
10:30 AM
Idan Tendler
Idan Tendler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

5 Signs Credentials In Your Network Are Being Compromised

Where should you start to keep ahead of attackers using insiders to steal corporate secrets or personal identifiable information? Check out these common scenarios.

As simple as it may sound, creating visibility to the status of user credentials in a network is a sure, safe first step for mitigating user-related threats, such as the “insider threat.” Here are five basic scenarios we advise organizations to monitor, in order to identify when trusted insider credentials may have been compromised:

Scenario 1: The sudden change in office hours
Working hours are not only a strong indicator of an efficient employee, but also an indicator for a compromised credential. Over time, employees tend to adopt a consistent work hour routine. This could manifest in both the specific hours workers arrive and checkout, but also with the durations of morning working sessions, behaviors on “depressing Mondays,” on holidays, etc. Using a baseline behavior pattern, identifying subtle changes in work hours could be the key to identifying whether a credential has been compromised.

Scenario 2. The Impossible Journey
If there is one benchmark even the most competitive sales department can’t achieve, it is crossing the Atlantic in under 6 seconds. That’s why, when you see an employee accessing internal databases from two different continents in a very short time frame, you have another strong indicator of a compromised credential. Pinpointing a user’s location based on network data can be very unreliable. Geo-locations gathered from multiple data sources and representing various kinds of interactions can potentially result in a high rate of false-positives. This requires profiling engines to be both selective and reliable in the data they take into account.

Scenario 3: The implausible remote access
Why would someone who is currently in the office be connected to another internal asset using a remote protocol or application? Obviously, there is no need for this since all allowed assets should be accessible from an employee’s original domestic station. That’s why scenario 3 asks the question: “Why would you use that remote connection anyway?” This is extremely important, since remote protocols are often used by an external attacker seeking to manipulate data from a distant location, or by a trusted insider as a way to mask an action he doesn’t want on record from his own trusted credential.

Scenario 4: The unusual resource usage
Uncommon use of organizational tools and department-dedicated resources is another great way to detect when an insider’s trusted credential is actually being abused. Identifying a user using either a file-share or a CRM his colleagues don’t typically access, could help detect when he himself, or someone using his own rights, is trying to reach a sensitive company resource.

Scenario 5: The password reset
Password reset protocols vary from service-to-service, but to all extent provide a golden opportunity for an attacker to take control of an unused trusted credential. For example, an account used routinely to conduct automated processes is due a password change. An attacker, with some kind of insider access, can target this account and use the mandatory password policy to force a password change and abduct this account for his own purposes. Now in the hands of a malicious attacker, this account could now mask any future action.

Do you have your own personal favorite scenarios to add to the list? Please share in the comments.

Idan Tendler is the Chief Executive Officer and Co-Founder of Fortscale, a provider of Big Data analytics-driven security solutions for Fortune 1000 companies. Before founding Fortscale, Tendler was a lead agent of the 8200, the cyberwarfare division of the Israeli Defense ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Franois Amigorena
50%
50%
Franois Amigorena,
User Rank: Author
5/22/2015 | 10:38:52 AM
Monitor the status of user credentials in your network with UserLock

In order to have the best visibility on the status of user credentials in a network - have a look at UserLock. UserLock helps prevent outside attacks from compromised credentials, stops unauthorized network access, protects users from their own careless behavior, mitigates the actions of malicious insiders and will also ensure that any access to a company network (and resources inside) is attributed to the authorized individual employee. 

UserLock continuously monitors all network logon events, across all session types (including Wi-Fi, VPN and IIS), automatically applying custom policies that permit or deny authenticated users' access. (limiting concurrent logins, workstation/device restrictions, IP address restrictions, time restrictions etc). You can then track, report and immediately respond to any suspicious logon behaviour. 

With UserLock's layered security and real-time monitoring you can extend the way you easily verify a users' identity to offer the best protection against compromised credentials. 

Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21257
PUBLISHED: 2021-06-18
Contiki-NG is an open-source, cross-platform operating system for internet of things devices. The RPL-Classic and RPL-Lite implementations in the Contiki-NG operating system versions prior to 4.6 do not validate the address pointer in the RPL source routing header This makes it possible for an attac...
CVE-2021-21279
PUBLISHED: 2021-06-18
Contiki-NG is an open-source, cross-platform operating system for internet of things devices. In verions prior to 4.6, an attacker can perform a denial-of-service attack by triggering an infinite loop in the processing of IPv6 neighbor solicitation (NS) messages. This type of attack can effectively ...
CVE-2021-21280
PUBLISHED: 2021-06-18
Contiki-NG is an open-source, cross-platform operating system for internet of things devices. It is possible to cause an out-of-bounds write in versions of Contiki-NG prior to 4.6 when transmitting a 6LoWPAN packet with a chain of extension headers. Unfortunately, the written header is not checked t...
CVE-2021-21281
PUBLISHED: 2021-06-18
Contiki-NG is an open-source, cross-platform operating system for internet of things devices. A buffer overflow vulnerability exists in Contiki-NG versions prior to 4.6. After establishing a TCP socket using the tcp-socket library, it is possible for the remote end to send a packet with a data offse...
CVE-2021-21410
PUBLISHED: 2021-06-18
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An out-of-bounds read can be triggered by 6LoWPAN packets sent to devices running Contiki-NG 4.6 and prior. The IPv6 header decompression function (<code>uncompress_hdr_iphc</code>) does not pe...