Is user activity monitoring the only way to spot stolen credentials?

Anomaly-based user activity monitoring is the only measure that can stop Target-like attacks that utilize stolen credentials, experts say.

Stolen account credentials have played a part in several massive data breaches, including the recent Target Corp. payment card data breach, leaving enterprises to question just how they can fend off attacks utilizing legitimate login details. One expert said user activity monitoring may be the only answer.

Minneapolis, Minn.-based Target suffered a massive data breach over the holiday shopping period, exposing approximately 40 million customers' credit and debit card information, along with the personal details -- names, addresses, email addresses and phone numbers -- of as many as 70 million additional customers.

In January, Target spokeswoman Molly Snyder confirmed that the Fortune 500 retailer's ongoing forensic investigation of the incident showed that stolen credentials from a third-party vendor played a part in the breach, though Target has declined to name the vendor or the type of credentials used.

Journalist Brian Krebs reported Wednesday that the stolen credentials used in the Target breach belonged to Fazio Mechanical Services, a refrigeration and HVAC contractor based in Sharpsburg, Penn. Ross Fazio, president of the regional company, confirmed to Krebs that investigators from the U.S. Secret Service visited the company in relation to the breach investigation. Fazio's client list reportedly includes many other national and regional chains, including Whole Foods Market Inc., Food Lion LLC and Trader Joe's, though Fazio issued a statement Thursday denying that any of its other customers were affected in relation to the Target incident.

Dr. Anton Chuvakin, research director for Stamford, Conn.-based research firm Gartner Inc., was surprised to see stolen credentials reportedly used as the initial attack vector in the Target breach, but said that enterprises are bound to encounter attacks utilizing legitimate, stolen credentials, regardless of the proactive security measures put in place to ensure credentials are safe.

For example, attackers can easily steal user credentials with a well-executed spear phishing campaign. Such attacks are nearly impossible to thwart completely, according to Chuvakin, even if an organization implements user training, URL reputation filtering, and other anomaly detection services for email. Chuvakin said that once attackers are inside an organization, they typically steal additional credentials and use them to move laterally throughout the corporate network, collecting more login details and sensitive data along the way.

User activity monitoring: How-to and examples

Instead of relying solely on perimeter defenses to keep usernames and passwords out of attackers' hands, Chuvakin said organizations should focus on identifying when an account has been compromised. To do that, he advocated for monitoring end-users' activity to pick up on any strange login behavior.

Successful activity monitoring begins with user login attempts. Chuvakin noted that a great deal of information about users can be determined as soon as they enter login details.

For example, an IP address can be used to determine a user's Internet service provider and location within a particular country. Details about a user's computing device, including whether it is a PC or mobile device, and even the Web browser and version being used, can also be determined.

By using security information and event management (SIEM), network forensics and anomaly detection tools, login trends can be collected over time and used to create a baseline for each user's behavior, according to Chuvakin. An attacker is likely to log in with stolen credentials from an abnormal location at an unusual time, said Chuvakin, possibly even using a machine running a different operating system than what the actual user has.

Automated security tools can only take an organization so far in this battle, Chuvakin noted, regardless of what many vendors would lead enterprises to believe. If a U.S.-based employee were to switch to a different department and move to China, for example, automated tools would likely flag that user's login attempts as anomalous because they no longer match the user's typical behavior.

"A lot of things can be done by algorithms, but there is still the need for somebody to say, 'That looks pretty bad,' or 'No, based on what I know, this is not a compromise,'" Chuvakin said. "That's just the context that a machine may not have, but the human analyst can figure it out."

Leonid Shtilman, chief executive officer of Waltham, Mass.-based privilege management vendor Viewfinity Inc., agreed that IP addresses can play a pivotal role in fending off credentials-based attacks. During login attempts, Shtilman believes companies should utilize the details provided by IP addresses -- particularly the location of the user -- to limit access to certain parts of the network.

If, for example, a U.S.-based organization detects a login attempt from China when it has no presence in that country, access should not be granted to any server or database containing sensitive corporate information. Such a login attempt should also trigger an alert for the security team to investigate. These controls should especially be applied to administrative accounts, said Shtilman, so if attackers are successful in stealing admin credentials, a safety net will still exist.

"I don't think [this method makes such attacks] absolutely impossible," Shtilman said, "but you can make life for the intruder so difficult that, for all practical purposes, you will be protected."

For companies looking to implement more advanced monitoring capabilities, there are real-world examples that can provide inspiration, but Chuvakin warned that only organizations with mature security processes tend to be successful.

For example, defense contractor Lockheed Martin's kill chain framework, a particularly successful model that Chuvakin recommends for other companies, actually utilizes some of the methods Shtilman recommends.

Chuvakin also noted an unnamed company that had been able to reduce credential-based attacks by implementing context-aware authentication for employees' mobile devices.

"They wrote an algorithm to combine all the info they know about the device, IP address, location, down to the granular mobile device location," Chuvakin said. "They gathered all the context and increased or reduced the level of access based on that context." If data indicates a device isn't where it should be, the user is granted a diminished level of access.
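
The per-user login baseline Chuvakin describes, the location rule Shtilman suggests and the context-based access levels above can be combined as in the following added example, which is not code from the article or from any company or vendor it mentions. The event fields, `ORG_COUNTRIES`, the two-hour window and the decision thresholds are assumptions, and the login history is constructed.

```python
from collections import Counter, defaultdict

# Constructed sample login history: (user, country, hour_utc, os).
HISTORY = [("alice", "US", h, "Windows") for h in (8, 9, 9, 10, 9, 8)]
ORG_COUNTRIES = {"US"}  # assumption: countries where the organization has a presence

def build_baseline(events):
    """Count the countries, operating systems and login hours seen per user."""
    base = defaultdict(lambda: {"country": Counter(), "os": Counter(),
                                "hour": Counter(), "n": 0})
    for user, country, hour, os_name in events:
        b = base[user]
        b["country"][country] += 1
        b["os"][os_name] += 1
        b["hour"][hour] += 1
        b["n"] += 1
    return base

def score_login(base, user, country, hour, os_name, min_history=5):
    """Return the list of ways this login departs from the user's baseline."""
    reasons = []
    b = base.get(user)
    if b is None or b["n"] < min_history:
        reasons.append("no_baseline")
    else:
        if country not in b["country"]:
            reasons.append("new_country")
        if os_name not in b["os"]:
            reasons.append("new_os")
        # Unusual hour: no past login within +/-2 hours (wraps past midnight).
        if not any(b["hour"][(hour + d) % 24] for d in range(-2, 3)):
            reasons.append("unusual_hour")
    if country not in ORG_COUNTRIES:
        reasons.append("no_presence_country")
    return reasons

def decide(reasons):
    """Map reasons to (access_level, alert_analyst); thresholds are assumptions."""
    if "no_presence_country" in reasons:
        return "deny_sensitive", True   # block sensitive systems, alert the team
    if len(reasons) >= 2:
        return "reduced", True          # several signals: human review
    if reasons:
        return "reduced", False         # one weak signal: diminished access only
    return "full", False

BASELINE = build_baseline(HISTORY)
if __name__ == "__main__":
    for login in [("alice", "US", 9, "Windows"), ("alice", "CN", 3, "Linux")]:
        reasons = score_login(BASELINE, *login)
        print(login, reasons, decide(reasons))
```

The alert flag only queues the login for an analyst; a legitimate relocation, like the employee who moves abroad, would still be flagged until someone with that context clears it and the baseline catches up.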

While some in the security industry believe two-factor authentication and other security tools will help eliminate credential theft, Chuvakin is not convinced any new technologies are ready to replace usernames and passwords in the near future. Until such a time arrives, he said sophisticated activity monitoring will increasingly become necessary for any organization that wants to avoid credentials-based attacks.

"We keep reading in the media that passwords are dead, or passwords are going to be dead. And you know what? Passwords will be with us for a long time," Chuvakin said. "So we will have to deal with compromised accounts for the foreseeable future."


What anomaly detection techniques does your organization use to spot stolen authentication credentials?
UserLock for Windows Networks can both detect and prevent stolen credentials being used to access corporate networks. UserLock sets and enforces a customized access policy which limits/prevents concurrent logins. This stops rogue users who have gained access to stolen credentials from using credentials at the same time as their legitimate owner. Access restrictions on location and time also help organizations avoid these attacks. What's more, real-time monitoring of all logon events and alerts helps track all employee access and access attempts to mitigate the risk of these security breaches.
It can be very difficult to track and alert on malicious use, especially if the access is coming from a "trusted" source inside the network. This is also a tricky area given the human involvement/expertise required (as if IT/security folks don't have anything else going on). It pays to ensure you have a solid overall information security program including good malware protection, strong passphrase requirements, DLP, content filtering, network/host IPS, etc.

Good reminder about UserLock for Windows - that seems like a useful tool.
Many security-conscious organizations use UserLock to avoid such credentials-based attacks on an AD infrastructure. UserLock prevents concurrent logins, restricts access by physical location/device and enforces connection time limits to stop malicious users seamlessly using valid credentials. It also stops careless users from sharing passwords - one of the major causes of security breaches.