James Thew - Fotolia

Compromised credentials: What can enterprises do?

Attackers use compromised credentials to infiltrate enterprises undetected and steal corporate data. Expert Nick Lewis offers the best ways to handle this threat.

A recent report from Dell SecureWorks' Counter Threat Unit detailed how attackers use compromised credentials to avoid detection when breaching a network. If legitimate credentials are used, how can enterprises stop such attackers? And what is the best way to determine if information was potentially compromised or stolen?

The difference between insider threats and compromised credentials are minimal, as is distinguishing internal threats from external malware attacks. In the simplest form, the same security monitoring that is used to detect an insider threat could also be used to detect an attacker using compromised credentials. The same authentication logs can be monitored to identify suspicious behavior, such as irregular account login times or login attempts from new IP addresses.

An enterprise can stop such attackers by changing passwords and restricting network access to the attackers IP addresses. This could give the enterprise time to determine what systems and accounts were compromised and then implement the appropriate remediation steps, which could require reinstalling the operating system from known secure media.

An enterprise could determine if information was potentially compromised or stolen by using the list of systems or accounts that were accessed by the attacker. Security teams should determine what information was stored on the systems that could have been accessed using the compromised credentials, then examine any logs for potential file accesses from the operating system or a host-based intrusion detection system. Many times individual file accesses are not logged because of the high volume of log data generated, so network log data could be reviewed to see how much data was transferred during the suspected breach.

This level of network log data on individual hosts communicating on a local network isn't often stored because of the resources needed to keep it, but data to and from the Internet might be useful to store for incident response. The data could be logged by a NetFlow collector or network monitoring tool, but even with the log data, it may be difficult to determine whether that data was accessed.

As mentioned by the Dell SecureWorks' CTU report, the best preventative security controls for compromised accounts are two-factor authentication and privilege management. Two-factor authentication can prevent the initial account compromises, and, if that measure fails, privilege management tools can help limit the attacker's ability to move freely within the environment and access sensitive systems and data.

Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Next Steps

Read more on the increase of fileless malware attacks on enterprises

Find out how a Steam software bug led to compromised accounts

Learn about the Vawtrak banking malware's ability to bypass two-factor authentication

This was last published in March 2016

Dig Deeper on Enterprise identity and access management