A recent report from Dell SecureWorks' Counter Threat Unit detailed how attackers use compromised credentials to avoid detection when breaching a network. If legitimate credentials are used, how can enterprises stop such attackers? And what is the best way to determine if information was potentially compromised or stolen?
The difference between an insider threat and an attacker using compromised credentials is minimal, as is the difference between an internal threat and an external malware attack. In the simplest form, the same security monitoring used to detect an insider threat can also detect an attacker using compromised credentials. The same authentication logs can be monitored for suspicious behavior, such as logins at irregular times or login attempts from new IP addresses.
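The following script is an added example, not code from the article or from Dell SecureWorks, of the authentication-log monitoring just described. It builds a per-user baseline of source IPs and login hours from a period of normal activity, then flags later successful logins that come from an address or at an hour the user has never used. The key=value log format and every sample line are constructed for the example; a real deployment would parse its own SSH, VPN or domain controller logs.

```python
"""
Detect suspicious use of valid credentials from authentication logs.

Added example (not from the original article). The key=value login
log format is an assumption of this example; adapt parse_log() to the
format your own authentication systems emit.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events: a baseline period of normal activity,
# followed by a window under investigation.
BASELINE_LOG = """\
2015-03-02T09:05:12Z user=alice src=10.0.1.25 result=success
2015-03-02T09:41:30Z user=bob src=10.0.1.40 result=success
2015-03-03T08:58:01Z user=alice src=10.0.1.25 result=success
2015-03-03T10:12:45Z user=bob src=10.0.1.40 result=success
2015-03-04T09:15:09Z user=alice src=10.0.1.26 result=success
2015-03-04T17:55:20Z user=bob src=10.0.1.40 result=success
"""

SUSPECT_LOG = """\
2015-03-10T09:02:11Z user=alice src=10.0.1.25 result=success
2015-03-10T02:13:44Z user=alice src=203.0.113.7 result=success
2015-03-10T02:15:02Z user=bob src=203.0.113.7 result=failure
2015-03-10T02:15:40Z user=bob src=203.0.113.7 result=success
2015-03-11T10:30:00Z user=bob src=10.0.1.40 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def build_baseline(events):
    """Per user: the source IPs and hours of day seen in successful logins."""
    baseline = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ev in events:
        if ev["result"] != "success":
            continue
        baseline[ev["user"]]["ips"].add(ev["src"])
        baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return baseline


def find_anomalies(baseline, events):
    """Flag successful logins from unseen IPs or at unseen hours.

    Returns a list of (timestamp, user, src, reasons) tuples.
    """
    findings = []
    for ev in events:
        if ev["result"] != "success":
            continue  # failed attempts are noisy; focus on what succeeded
        prof = baseline.get(ev["user"])
        reasons = []
        if prof is None:
            reasons.append("no baseline for user")
        else:
            if ev["src"] not in prof["ips"]:
                reasons.append("new source IP")
            if ev["ts"].hour not in prof["hours"]:
                reasons.append("unusual login hour")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["user"], ev["src"], reasons))
    return findings


def suspicious_logins():
    """Run the constructed sample through the detector."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return find_anomalies(baseline, parse_log(SUSPECT_LOG))


if __name__ == "__main__":
    for ts, user, src, reasons in suspicious_logins():
        print(f"{ts} {user} from {src}: {', '.join(reasons)}")
```

On the constructed sample the two night-time logins from 203.0.113.7 are reported with both reasons, while the daytime logins from the users' usual workstations pass. Because only successful logins are baselined, a single new-IP or odd-hour hit is a lead to review, not proof of compromise; a short baseline period will produce false positives for travelling users, so in practice the baseline should cover several weeks.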
An enterprise can stop such attackers by changing the affected passwords and restricting network access from the attacker's IP addresses. This buys time to determine which systems and accounts were compromised and then implement the appropriate remediation steps, which may require reinstalling the operating system from known-good media.
An enterprise can determine whether information was potentially compromised or stolen by starting from the list of systems and accounts the attacker accessed. Security teams should determine what information was stored on the systems reachable with the compromised credentials, then examine any logs of file access from the operating system or a host-based intrusion detection system. Individual file accesses are often not logged because of the volume of log data they generate, so network log data can be reviewed instead to see how much data was transferred during the suspected breach.
This level of network log data for individual hosts communicating on the local network isn't often stored because of the resources needed to keep it, but data to and from the Internet may be worth storing for incident response. It can be logged by a NetFlow collector or a network monitoring tool; even with that log data, however, it may be difficult to determine whether specific data was accessed.
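As an added example of the volume review described above (not code from the article or from any NetFlow product), the script below sums bytes sent from each internal host to Internet addresses during a suspected breach window and compares that with the host's average daily egress over a baseline period. The CSV record layout, the 10.0.0.0/8 internal range and all flow values are constructed for the example; a real collector export needs its own parser.

```python
"""
Review flow records for unusual outbound data volumes during a suspected breach.

Added example, not from the original article. The record layout
(timestamp,src,dst,bytes), the internal address range and the sample
values are all assumptions of this example.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed site addressing

# Constructed flow export: a few days of modest egress from two hosts,
# one large internal-to-internal copy (ignored: not Internet bound), then a
# large outbound transfer from one host on the night of the suspected breach.
FLOWS_CSV = """\
timestamp,src,dst,bytes
2015-03-02T10:00:00Z,10.0.1.25,198.51.100.10,1500000
2015-03-03T10:00:00Z,10.0.1.25,198.51.100.10,1200000
2015-03-04T10:00:00Z,10.0.1.25,198.51.100.10,1800000
2015-03-02T11:00:00Z,10.0.1.40,198.51.100.20,800000
2015-03-03T11:00:00Z,10.0.1.40,198.51.100.20,900000
2015-03-04T11:00:00Z,10.0.1.40,198.51.100.20,700000
2015-03-04T12:00:00Z,10.0.1.25,10.0.2.5,50000000
2015-03-10T02:20:00Z,10.0.1.25,203.0.113.7,4200000000
2015-03-10T10:00:00Z,10.0.1.40,198.51.100.20,850000
"""


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the constructed CSV export into a list of flow dicts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": row["src"],
            "dst": row["dst"],
            "bytes": int(row["bytes"]),
        })
    return rows


def egress_by_host(flows, start, end):
    """Bytes sent from each internal host to external addresses in [start, end)."""
    totals = defaultdict(int)
    for f in flows:
        if not (start <= f["ts"] < end):
            continue
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def flag_egress_spikes(flows, baseline, window, factor=10.0):
    """Compare each host's egress in the window with its baseline daily rate.

    baseline and window are (start, end) datetime pairs. Returns
    {host: (window_bytes, expected_bytes)} for hosts whose window egress
    exceeds factor times what the baseline rate predicts. A host with no
    baseline egress at all is flagged for any outbound traffic.
    """
    base = egress_by_host(flows, *baseline)
    base_days = max((baseline[1] - baseline[0]).days, 1)
    win = egress_by_host(flows, *window)
    win_days = max((window[1] - window[0]).days, 1)
    flagged = {}
    for host, sent in win.items():
        expected = base.get(host, 0) / base_days * win_days
        if sent > factor * expected:
            flagged[host] = (sent, expected)
    return flagged


def review_sample():
    """Run the constructed export through the check: 2-4 March baseline, 10 March window."""
    flows = parse_flows(FLOWS_CSV)
    baseline = (datetime(2015, 3, 2), datetime(2015, 3, 5))
    window = (datetime(2015, 3, 10), datetime(2015, 3, 11))
    return flag_egress_spikes(flows, baseline, window)


if __name__ == "__main__":
    for host, (sent, expected) in review_sample().items():
        print(f"{host}: sent {sent} bytes, expected about {expected:.0f}")
```

On the sample, 10.0.1.25 is flagged for roughly 4.2 GB sent to an Internet address against an expected 1.5 MB per day, while 10.0.1.40's normal traffic is not. As the answer notes, a volume spike shows that something large left the network, not which files it contained; the flagged host and the timestamp are what you then correlate with file-access or application logs.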
As mentioned by the Dell SecureWorks' CTU report, the best preventative security controls for compromised accounts are two-factor authentication and privilege management. Two-factor authentication can prevent the initial account compromises, and, if that measure fails, privilege management tools can help limit the attacker's ability to move freely within the environment and access sensitive systems and data.
Ask the Expert: Nick Lewis