Every time an attacker successfully breaches an organization, there is a flurry of articles and tweets attempting to explain exactly what happened so information security teams worldwide are able to either a) sleep at night because they have mitigated the vector or b) lose only one night of sleep mitigating it. Here's the problem: every breach is complex and involves a great deal more malicious actions than are published on your chosen 24-hour news website. The least detected action is the use of compromised credentials, or account takeover. It is completely unpredictable when account takeover will take place in an attack; the most predictable aspect of this action is that it will occur in the vast majority of attacks.

Every breach has some group of articles explaining that it "used stolen passwords"

In the hundreds of articles that follow each data breach, a few of them always mention that "hackers used stolen passwords". The reason for this consistency is that compromised credentials can be used in so many different ways and are so often used in conjunction with malware or other hacker tools. To highlight some very recent examples, compromised credentials can be used to:

  1. Initially access a server lacking 2-factor authentication after having stolen them through a phishing campaign (JPMorgan Chase)
  2. Directly access a number of systems containing personal information of customers after spearphishing employees (ICANN and eBay)
  3. Access a vendor web application as a trusted third party to then move deeper into the network via exploits (Target and Home Depot)
  4. Laterally move from system to system via harvested password hashes before discovering an administrator account (Sony, all of the above)
  5. Use a harvested privileged account to access restricted systems for data to be exfiltrated (all of the above)

The major challenge in interpreting these reports is that everyone wants to boil down each attack to a single cause. Much like major catastrophes in other types of complex systems, it is rarely a single point of failure but rather a combination of vulnerable systems and compromised credentials. If you want to blame the initial point of entry as the cause of the breach in an organization taking the "defense in depth" approach, you are neglecting the many other layers that needed to be navigated to successfully move through the network, steal data, and get it to an external server. Many of these intruder actions look a great deal like a malicious insider when viewed in hindsight, but only because legitimate accounts are so heavily used.

Detecting account takeover is difficult because you need to identify subtle changes.

At any stage of the attack, identifying the moment when a legitimate account has been taken over by intruders is both very challenging and integral to identifying an incident early in modern attacks. You must have monitoring in place that has established behavior baselines for the user population on your network. Without knowledge of the activity that is both typical and permitted, spotting the nuance in a user's gradual change in behavior is impossible. It is similar to the way the average person walking down the street in "The Matrix" trilogy would suddenly get taken over by an "agent". For anyone not actively monitoring the matrix, this takeover would go unnoticed, but the "operators" could see it happen and immediately notify the others.

If you want to detect account takeovers on your network prior to the attacker having explored a significant portion of it, you need to understand how users are behaving on your endpoints because that's where the majority of all attacker actions are going to take place. Even if you are collecting the logs from all endpoints (which very few organizations are), if your solution is not attributing all legitimate activity to its responsible users, you can only baseline activity by IP address. This means that a lot of the less common activity for your organization will look more prevalent because of a few individuals that access multiple systems and work from multiple locations. Given only the data and IP addresses in a separate SIEM, most user behavior analytics solutions will identify a great deal of false positives because they lack the context necessary to truly understand what the humans were doing on your network.

The InsightIDR team is obsessively focused on finding ways to identify that moment when intruders start using compromised credentials to move around the network as stealthily as a technically-savvy malicious insider. This is no longer a capability of only the most sophisticated attackers; it is disturbing to see that a moderately skilled individual with a grudge can take a single compromised system or account and move around a network with ease. It is impossible to differentiate every malicious action an account makes from the legitimate operations, so we enrich the data around the legitimate activity for search, alert only when we are fairly certain something is awry (rather than on every anomalous action), and help you backtrack through all notable behavior for a user once they are determined to be a part of an incident.
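To make the two points above concrete (baselining activity per user rather than per IP address, and alerting only when several weak signals coincide while keeping a per-user timeline to backtrack through), here is an added example. It is not InsightIDR code or any Rapid7 product logic; the log format, host names (FILESRV01, MAIL01, DC01, DB01), the "privileged asset" list and the alert threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon events (not real data), one per line:
# <ISO timestamp> <user> <source IP> <asset>
# BASELINE_LOG is "known good" history; NEW_LOG is activity to evaluate.
BASELINE_LOG = """
2024-03-01T09:02:00 alice 10.0.1.10 FILESRV01
2024-03-01T09:40:00 alice 10.0.1.10 MAIL01
2024-03-04T10:15:00 alice 10.0.1.10 MAIL01
2024-03-01T08:30:00 bob 10.0.1.20 DC01
2024-03-01T11:00:00 bob 10.0.1.20 FILESRV01
2024-03-02T02:00:00 bob 10.0.2.5 DC01
2024-03-02T02:20:00 bob 10.0.2.5 DB01
2024-03-03T14:00:00 bob 10.0.1.50 MAIL01
2024-03-01T09:10:00 carol 10.0.2.5 MAIL01
2024-03-04T10:00:00 carol 10.0.2.5 MAIL01
"""
NEW_LOG = """
2024-03-06T10:05:00 alice 10.0.3.7 MAIL01
2024-03-07T02:30:00 carol 10.0.2.5 DC01
2024-03-07T02:45:00 carol 10.0.2.5 DB01
"""

PRIVILEGED_ASSETS = {"DC01", "DB01"}  # assumed: domain controller and database server
ALERT_THRESHOLD = 3                   # assumed: fire only when several weak signals coincide


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, asset = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "asset": asset})
    return events


def empty_profile():
    return {"assets": set(), "ips": set(), "hours": set()}


def build_baseline(events, key):
    """Profile of assets, source IPs and logon hours per value of `key` ('user' or 'ip')."""
    baseline = defaultdict(empty_profile)
    for e in events:
        p = baseline[e[key]]
        p["assets"].add(e["asset"])
        p["ips"].add(e["ip"])
        p["hours"].add(e["ts"].hour)
    return dict(baseline)


def score_event(event, baseline, key):
    """Return (score, reasons). Each weak signal adds 1; a first touch of a privileged asset adds 2 more."""
    score, reasons = 0, []
    profile = baseline.get(event[key])
    if profile is None:
        profile = empty_profile()
        score += 1
        reasons.append(f"{key} {event[key]} not in baseline")
    if event["asset"] not in profile["assets"]:
        score += 1
        reasons.append(f"first access to {event['asset']}")
        if event["asset"] in PRIVILEGED_ASSETS:
            score += 2
            reasons.append("privileged asset")
    if key == "user" and event["ip"] not in profile["ips"]:
        score += 1
        reasons.append(f"new source IP {event['ip']}")
    if event["ts"].hour not in profile["hours"]:
        score += 1
        reasons.append(f"logon at hour {event['ts'].hour:02d} never observed")
    return score, reasons


def alerts(new_events, baseline, key):
    """Only events whose combined score reaches the threshold become alerts."""
    out = []
    for e in new_events:
        score, reasons = score_event(e, baseline, key)
        if score >= ALERT_THRESHOLD:
            out.append((e["user"], e["ip"], e["asset"], score, reasons))
    return out


def user_timeline(user, events, baseline):
    """Every event for `user` in time order with its score: the backtrack view once a user is implicated."""
    ordered = sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])
    return [(e["ts"].isoformat(), e["asset"], e["ip"]) + score_event(e, baseline, "user") for e in ordered]


if __name__ == "__main__":
    hist, new = parse_log(BASELINE_LOG), parse_log(NEW_LOG)
    for key in ("user", "ip"):
        print(f"--- baseline keyed by {key} ---")
        for a in alerts(new, build_baseline(hist, key), key):
            print(a)
    print("--- timeline for carol ---")
    for row in user_timeline("carol", hist + new, build_baseline(hist, "user")):
        print(row)
```

Run as-is, the user-keyed baseline alerts on carol's off-hours first access to DC01 and DB01 and stays quiet when alice simply connects from a new address; the IP-keyed baseline does the opposite, flagging alice's unfamiliar address while treating carol's activity as normal because the same VPN address (shared with the admin bob) had already been seen reaching those servers during a maintenance window. The timeline then lays out all of carol's activity, scored, so an analyst can walk back through it once the account is part of an incident.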

If you want to see how Rapid7 solutions can help you detect attacks leveraging compromised credentials, check out this resource page and make sure to download our complimentary toolkit filled with relevant resources. You'll see just how much we obsess over detecting that moment.