As simple as it may sound, creating visibility to the status of user credentials in a network is a sure, safe first step for mitigating user-related threats, such as the “insider threat.” Here are five basic scenarios we advise organizations to monitor, in order to identify when trusted insider credentials may have been compromised:
Scenario 1: The sudden change in office hours
Working hours are not only a strong indicator of an efficient employee, but also an indicator for a compromised credential. Over time, employees tend to adopt a consistent work hour routine. This could manifest in both the specific hours workers arrive and checkout, but also with the durations of morning working sessions, behaviors on “depressing Mondays,” on holidays, etc. Using a baseline behavior pattern, identifying subtle changes in work hours could be the key to identifying whether a credential has been compromised.
Scenario 2. The Impossible Journey
If there is one benchmark even the most competitive sales department can’t achieve, it is crossing the Atlantic in under 6 seconds. That’s why, when you see an employee accessing internal databases from two different continents in a very short time frame, you have another strong indicator of a compromised credential. Pinpointing a user’s location based on network data can be very unreliable. Geo-locations gathered from multiple data sources and representing various kinds of interactions can potentially result in a high rate of false-positives. This requires profiling engines to be both selective and reliable in the data they take into account.
Scenario 3: The implausible remote access
Why would someone who is currently in the office be connected to another internal asset using a remote protocol or application? Obviously, there is no need for this since all allowed assets should be accessible from an employee’s original domestic station. That’s why scenario 3 asks the question: “Why would you use that remote connection anyway?” This is extremely important, since remote protocols are often used by an external attacker seeking to manipulate data from a distant location, or by a trusted insider as a way to mask an action he doesn’t want on record from his own trusted credential.
Scenario 4: The unusual resource usage
Uncommon use of organizational tools and department-dedicated resources is another great way to detect when an insider’s trusted credential is actually being abused. Identifying a user using either a file-share or a CRM his colleagues don’t typically access, could help detect when he himself, or someone using his own rights, is trying to reach a sensitive company resource.
Scenario 5: The password reset
Password reset protocols vary from service-to-service, but to all extent provide a golden opportunity for an attacker to take control of an unused trusted credential. For example, an account used routinely to conduct automated processes is due a password change. An attacker, with some kind of insider access, can target this account and use the mandatory password policy to force a password change and abduct this account for his own purposes. Now in the hands of a malicious attacker, this account could now mask any future action.
Do you have your own personal favorite scenarios to add to the list? Please share in the comments.