The majority of today's breaches involve lost or stolen credentials, and this week Target confirmed that this was also the case in their breach, discovered in December. It seems stolen credentials associated with a third-party vendor were used to enter the corporate network, and the attackers were then able to move stealthily through the IT environment to gain access to the point-of-sale system. Brian Krebs' interesting analysis of clues from the investigation hints that a machine account with elevated privileges was the pivot that let the attacker move from the vendor system (apparently an HR system) to the point-of-sale system.
Could this have been identified to alert Target before the attackers could do any real harm?
The challenge is that current security incident detection systems aren't looking for deceptive activity. They look for system vulnerabilities and are not able to detect users with elevated privileges accessing systems that they would typically not access. In other words, they don't see abnormal user authentication patterns and cannot identify indicators of deception by observing changes in user behavior. Without the capability to detect any indication of deception in the network, attackers are left undetected for long enough to do just about anything they want.
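As an added illustration of the kind of check described above (example code written for this post, not UserInsight's own logic), the script below builds a per-account baseline of which network zones each account normally authenticates into and flags a privileged account reaching a new zone, such as a vendor-facing HR service account suddenly authenticating to a POS host. It assumes a hostname naming convention where the prefix identifies the zone, and all events are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not real logs): each event is
# (account, source_host, target_host). Privileged accounts are listed separately.
PRIVILEGED = {"svc-hr-sync", "backup-admin"}

BASELINE_EVENTS = [
    ("svc-hr-sync", "hr-app-01", "hr-db-01"),
    ("svc-hr-sync", "hr-app-01", "hr-db-02"),
    ("backup-admin", "bkp-01", "hr-db-01"),
    ("backup-admin", "bkp-01", "pos-db-01"),
    ("jdoe", "ws-042", "hr-app-01"),
]

TODAY_EVENTS = [
    ("svc-hr-sync", "hr-app-01", "hr-db-01"),     # normal for this account
    ("svc-hr-sync", "hr-app-01", "pos-ctrl-01"),  # privileged account entering POS zone for the first time
    ("jdoe", "ws-042", "pos-ctrl-01"),            # abnormal but unprivileged: lower severity
    ("backup-admin", "bkp-01", "pos-db-01"),      # normal for this account
]

def zone_of(host):
    """Derive a network zone from the hostname prefix (assumed naming convention)."""
    return host.split("-")[0]

def build_baseline(events):
    """Record, per account, which zones it has historically authenticated into."""
    seen = defaultdict(set)
    for account, _src, dst in events:
        seen[account].add(zone_of(dst))
    return seen

def detect_lateral_movement(baseline, events):
    """Return alerts for accounts authenticating into a zone absent from their baseline.
    Privileged accounts get severity 'high' because they can pivot between zones."""
    alerts = []
    for account, src, dst in events:
        zone = zone_of(dst)
        if zone in baseline.get(account, set()):
            continue
        severity = "high" if account in PRIVILEGED else "medium"
        alerts.append({"account": account, "from": src, "to": dst,
                       "new_zone": zone, "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect_lateral_movement(build_baseline(BASELINE_EVENTS), TODAY_EVENTS):
        print(alert)
```

In practice the baseline would be built from weeks of authentication logs and the zone mapping from an asset inventory rather than hostname prefixes.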
We believe that the level of sophistication of attackers is increasing, while the consumerization of IT is making every user in the environment - be they employees or vendors - an individual point on the perimeter that must be considered as potentially under attack at any time. We need relevant solutions to address this, which is why we developed Rapid7 UserInsight, so that you can detect the use of compromised credentials (as in the Target case). By identifying abnormal user behavior patterns and tracking user privileges, UserInsight can provide early alerts of potential deception-based attacks.