While use of compromised credentials in attacks isn't new, the growing trend is cause for consideration. Adapting our mindsets and actions to the changing nature of attackers is essential to achieving success in our efforts.
The kick-off conversation of our _Party Crashers _Summer Series held a few “aha moments” and revelations. More than just looking at the changing mindset and methods of attackers, we considered what it means for us. We explored how to rise above the noise and get more value from our existing security investments.
Here are the three big lessons learned:
1. The big aha - attackers are organized and run like businesses
The growing volume and value of our systems and information creates incentive for more attackers. More, it drives a shift in the way attackers operate.
Attackers progressed from individuals with a broad and deep skillset to organized operations using supply chains and other elements of successful businesses. Attackers invest in improving precision and skill at each stage of the attack. Further, the growth and maturation of attackers introduced functional marketplaces -- complete with refunds if your purchase (of stolen goods) doesn't work as expected.
As Jay Roxe explained, “Our ability to detect and investigate attacks has to increase to keep pace. Since attackers can easily monetize almost any ill-gotten data, they're looking for an easy way to avoid existing defenses and extract data. Credentials are a perfect way to do that.”
The changing nature of the attacker ecosystem signals the need for us to adapt and pivot, too. This is entirely a time for optimism.
2. [Poll results] Our mindset is shifting, actions catching up
Part of our optimism lies in the evidence our mindset is already shifting. An important change is the realization that breach is no longer if, but when. It means setting aside the “prevention bias” to “assume breach.” When polled, over 70% of the people who responded indicated they already adapted and now “assume breach.”
|Do you assume you are already breached?||Percentage|
|A. Yes, I do||71%|
|B. No, I don't||29%|
Prevention continues to play an important role, but no longer at the exclusion of detection and response. The key is striking the right balance. It also means considering where to look (among other things).
For example, during the discussion, we touched on the importance of authentication as a key element of the credential. That means considering the role of configuration, operation, and use of common authentication mechanisms, like passwords. To that end, we asked how many people -- the majority who assume breach -- were paying attention to authentication.
Are you paying attention to your password/authentication system(s)?
Would you know if someone was attacking it?
|C. I don't know||15%|
While passwords are only one aspect of compromised credentials, the results of this poll perhaps suggest an opportunity to shift our actions in ways to match our mindsets. Instead of placing too much attention on authentication, we'll explore opportunities for improvement in the coming parts of the series.
3. Compromised credentials changing the demands of incident response
Compromised credentials are important enough in the process that attackers generally look to gather several. Broader than aiding in the attack, a cache of credentials provides a measure of redundancy. In the event the account they are using gets discovered and shut down, they have more.
With the ability to move with the cover of compromised credentials, finding and shutting a single compromised account down is not generally the only indicator of attack -- or a measure of success. This means considering the implications of our changing network topologies. Realizing the common thread of multiple stores of data and a multitude of devices places a new focus on understanding accounts.
People are at the center. This is a fantastic opportunity to establish relationships with the people we serve and help them while protecting the systems and information they rely on. Ultimately, we need to consider how to measure and recognize when accounts are compromised and acting in unusual ways.
Added bonus: overcome security fatigue to drive results
Asked early in our conversation was whether we'd share ways to overcome the “security fatigue” most of us experience when trying to explain the changing nature -- and sometimes maddening pace -- of attacks. We will.
This series is designed for us, security professionals, to come together and explore the changes in mindset and actions necessary for our success. As the series continues, we'll work together to explore the elements necessary to build an effective business case and get the funding to make necessary adjustments. The added benefit of the series, then, is how it serves as a roadmap to guide your conversations and share these concepts with anyone.
Keep the conversation going
The key to making this series work for you is getting involved. Jump in and share your experiences, ask your questions, and help us guide the series to meet your needs, too.
Some ways to join in:
Say it on SecurityStreet:
Take it to twitter
@catalyst -- tweet to me directly, and use the hashtag #PCSS14 to signal out questions, comments, and observations.
Invite others to join our journey:
See how Rapid7 helps you easily detect attacks involving compromised credentials and download our free toolkit: