Change Your Risk Mindset to Level the Security Playing Field - Exabeam

March 03, 2022

Cybercriminals, nation-state actors, and malicious insiders actively target organizations for financial gain, to steal secrets and intellectual property, to disrupt operations, and to harvest personally identifiable information (PII). According to the 2020 Verizon Data Breach Investigations Report (DBIR), more than 80% of breaches that involved hacking used brute force or lost or stolen credentials.

Keeping up with attackers requires a deeper understanding of the risk in your environment, meaning behavioral context about every user and asset. The data science behind that context, layered on top of the rules you already have, gives you a picture of normal activity, which is likely the best defense available against being blindsided by an attack. Adopting an "assume breach" mindset means treating anomalous behavior as the signal to hunt for, so you can detect an intrusion early and respond faster.

In this post, we’ll examine ways that organizations can better understand their risk, improve their threat detection and incident response (TDIR) capabilities, and level the playing field against sophisticated adversaries.

How attackers using compromised credentials evade most security tools

Adversaries honed their skills during the COVID-19 pandemic, finding a treasure trove of opportunities to compromise organizations and steal sensitive data. Organizations are struggling to keep up with the growing number and sophistication of attacks, and security teams are overwhelmed by false-positive alerts, forced to fight fires rather than proactively secure the environment.

There are many reasons why the use of compromised credentials is so difficult to defend against:

  • Attacker actions performed with legitimate credentials do not trigger the typical alarms that would start an investigation
  • Attackers moving laterally or escalating privileges can look like normal administrative activity
  • The response needs to happen fast, yet the number and complexity of products involved slows it down
  • Security teams must often take separate actions in several point products, giving attackers more time to establish persistence, inhibit system recovery, and encrypt files

The 5 blindspots you need to protect against

  1. Compromised user credentials

User account credentials are the keys to legitimate access, and according to the Verizon 2021 DBIR, stolen credentials are the number one vector for data breaches. When an attacker uses stolen credentials, their behavior appears legitimate, leaving rule- and correlation-driven security tools blind. The attacker can then proceed to access sensitive data or internal resources. Clearly, the impact of compromised user credentials can be devastating.

  2. Compromised system/host/device detection

It is common for attackers to take control of systems, hosts, or devices within an organization's network and operate stealthily for months, or even years. According to the IBM Cost of a Data Breach Report 2021, it took organizations an average of 287 days to identify and contain a breach (212 days just to identify it). That timeline underscores the importance of detecting and stopping attacks more quickly, which requires monitoring several vectors at once: user accounts for anomalous activity, servers for deviations from baseline activity, and network devices for traffic trends and unusual spikes. Monitoring should also cover communication with untrusted sources, use of insecure protocols, and the state of anti-virus and anti-malware agents, so that a disabled or removed agent, or stale threat signatures, is noticed.

  3. Rogue insiders

While many of the best-known breaches have been caused by external adversaries, rogue insiders continue to be a major source of sensitive data loss. Internal actors in reported breaches have included system administrators, contractors, end users, developers, managers, and executives; essentially anyone could become a rogue insider. "Trusted" behavior does not set off alerts in most security tools, because the rogue insider appears to be a legitimate user. The bad actor may be a malicious insider, or a compromised insider whose legitimate credentials an attacker is using to carry out the attack.

  4. Lateral movement detection

A breach through the most commonplace entry point of an organization's network can quickly become a big problem when lateral movement goes undetected. Lateral movement is the process of moving systematically through a network in search of sensitive data and assets.

Consider this scenario: A low-level employee's account is compromised. Once inside, the attacker searches for weaknesses in other assets that let them switch accounts, machines, and IP addresses, and eventually obtains administrative privileges. Lateral movement is extremely difficult for most security tools to detect, because each of the seemingly unrelated events looks normal in isolation. Moreover, the path varies from one intrusion to the next, so static rules written for one pattern miss the rest.

  5. Service account misuse

A service account is used in place of a normal user account to run a specific application or service. Typical security tools provide limited or no visibility into service accounts, yet these accounts often hold high privileges, making them high-value targets for attackers. Behavioral analytics can detect service account misuse by automatically identifying service accounts and flagging behavior that breaks their normal pattern, for example an interactive logon from an account that has only ever authenticated as a service.

Why legacy SIEM solutions fail

As the central security operations product for threat detection, investigation, and response (TDIR), Security Information and Event Management (SIEM) is a victim of scope creep. The SIEM was conceived when the security environment consisted of finite data and predictable threat monitoring, which let it thrive on static correlation rules. Organized cybercrime, nation-state actors, big data workloads, cloud applications, remote workers, and compliance reporting have transformed the threat landscape, and today's SIEM requirements scarcely resemble its original purpose. While legacy SIEM solutions work well against known threats inside well-defined perimeters, they struggle to offer a compelling defense against the five blindspots above.

Legacy SIEMs were not designed to understand what normal behavior looks like for users and assets — a weakness that allows adversaries to gain access, move laterally, and potentially dwell in a network for weeks or months while expanding the attack. However, next-generation products with behavioral analytics can provide deeper visibility, automatically distinguishing different types of behavior and effectively escalating anomalies.


Having a deep understanding of what normal activity and behaviors look like in your environment — behavioral context — will allow you to quickly detect abnormal behaviors that indicate that an attacker has intruded. Having this behavioral context working in tandem with existing rules fortifies your defenses, helping to shine a light on the most common security blindspots.
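The Python below is an added example written for this post, not Exabeam's product code, showing what "behavioral context working in tandem with existing rules" looks like in practice. It learns a per-user baseline of hosts, active hours, and logon types from a few days of constructed logon events, then scores a new day's events against it, covering the lateral movement and service account misuse blindspots described above: a chained late-night logon by "alice" from a file server onto a domain controller, and an interactive logon by a service account. A conventional failures-then-success rule runs alongside it and still catches the password guessing against "carol", a user with no baseline at all. The log line format, the `svc_` naming convention for service accounts, and the risk weights are assumptions made for this example.

```python
"""Baseline-plus-rules logon scoring over constructed sample events (example code)."""
import re
from collections import defaultdict

# Constructed sample data (not real logs). Three days of "normal" activity,
# then one day containing the anomalies discussed in the post.
BASELINE_LOG = """\
2022-02-28T08:55:00 user=alice src=WS-ALICE dst=FILESRV01 type=network outcome=success
2022-02-28T09:10:00 user=alice src=WS-ALICE dst=MAIL01 type=network outcome=success
2022-02-28T09:20:00 user=bob src=WS-BOB dst=FILESRV01 type=network outcome=success
2022-02-28T03:00:00 user=svc_backup src=BACKUP01 dst=FILESRV01 type=service outcome=success
2022-03-01T08:50:00 user=alice src=WS-ALICE dst=FILESRV01 type=network outcome=success
2022-03-01T09:05:00 user=bob src=WS-BOB dst=FILESRV01 type=network outcome=success
2022-03-01T03:00:00 user=svc_backup src=BACKUP01 dst=FILESRV01 type=service outcome=success
2022-03-02T08:58:00 user=alice src=WS-ALICE dst=MAIL01 type=network outcome=success
2022-03-02T09:15:00 user=bob src=WS-BOB dst=MAIL01 type=network outcome=success
2022-03-02T03:00:00 user=svc_backup src=BACKUP01 dst=FILESRV01 type=service outcome=success
"""

NEW_LOG = """\
2022-03-03T09:00:00 user=alice src=WS-ALICE dst=FILESRV01 type=network outcome=success
2022-03-03T09:01:00 user=bob src=WS-BOB dst=FILESRV01 type=network outcome=success
2022-03-03T23:40:00 user=alice src=FILESRV01 dst=DC01 type=network outcome=success
2022-03-03T23:42:00 user=svc_backup src=FILESRV01 dst=DC01 type=interactive outcome=success
2022-03-03T23:50:00 user=carol src=10.0.0.99 dst=VPN01 type=network outcome=failure
2022-03-03T23:50:10 user=carol src=10.0.0.99 dst=VPN01 type=network outcome=failure
2022-03-03T23:50:20 user=carol src=10.0.0.99 dst=VPN01 type=network outcome=failure
2022-03-03T23:50:30 user=carol src=10.0.0.99 dst=VPN01 type=network outcome=failure
2022-03-03T23:50:40 user=carol src=10.0.0.99 dst=VPN01 type=network outcome=failure
2022-03-03T23:50:50 user=carol src=10.0.0.99 dst=VPN01 type=network outcome=success
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"type=(?P<type>\S+) outcome=(?P<outcome>\S+)$"
)

# Assumed weights; a real product would tune these per deployment.
WEIGHTS = {
    "service_account_interactive_logon": 40,
    "password_guessing_then_success": 30,
    "new_host": 20,
    "new_logon_type": 15,
    "off_hours": 10,
    "no_baseline": 5,
}


def parse_log(text):
    """Parse the assumed key=value logon format; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["hour"] = int(ev["ts"][11:13])  # hour of day from the ISO timestamp
            events.append(ev)
    return events


def is_service_account(user):
    # Assumed naming convention; real deployments would learn this from
    # logon-type history or directory attributes instead of a prefix.
    return user.startswith("svc_")


def build_baseline(events):
    """Per-user profile of hosts touched, hours active, and logon types seen."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set(), "types": set()})
    for ev in events:
        p = profile[ev["user"]]
        p["hosts"].update((ev["src"], ev["dst"]))
        p["hours"].add(ev["hour"])
        p["types"].add(ev["type"])
    return dict(profile)


def behavioral_findings(baseline, events):
    """Flag deviations from each user's own history rather than from a fixed threshold."""
    findings = defaultdict(set)
    for ev in events:
        user = ev["user"]
        if is_service_account(user) and ev["type"] == "interactive":
            findings[user].add("service_account_interactive_logon")
        p = baseline.get(user)
        if p is None:
            findings[user].add("no_baseline")  # nothing to compare against yet
            continue
        if ev["src"] not in p["hosts"] or ev["dst"] not in p["hosts"]:
            findings[user].add("new_host")  # a hop this user has never made before
        if ev["hour"] not in p["hours"]:
            findings[user].add("off_hours")
        if ev["type"] not in p["types"]:
            findings[user].add("new_logon_type")
    return {u: sorted(f) for u, f in findings.items()}


def static_rules(events, threshold=5):
    """The kind of correlation rule a legacy SIEM already runs: N failures, then a success, from one source."""
    failures = defaultdict(int)
    hits = set()
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["outcome"] == "failure":
            failures[key] += 1
            continue
        if failures[key] >= threshold:
            hits.add(key)
        failures[key] = 0
    return sorted(hits)


def score(baseline_log, new_log):
    """Combine behavioral findings and rule hits into a per-user risk score."""
    baseline = build_baseline(parse_log(baseline_log))
    new_events = parse_log(new_log)
    findings = behavioral_findings(baseline, new_events)
    for user, _src in static_rules(new_events):
        findings.setdefault(user, []).append("password_guessing_then_success")
    return {u: (sum(WEIGHTS[r] for r in rs), sorted(rs)) for u, rs in findings.items()}


if __name__ == "__main__":
    ranked = sorted(score(BASELINE_LOG, NEW_LOG).items(), key=lambda kv: -kv[1][0])
    for user, (risk, reasons) in ranked:
        print(f"{user:12} risk={risk:3d}  {', '.join(reasons)}")
```

Note that "bob" produces no finding at all: his only event matches his baseline on host, hour, and logon type, which is the point of keying detections to each identity's own history rather than to a global rule. The service account scores highest even though a single successful logon is, to a rule-only tool, just another success event.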

Learn more about Breach Protection

To learn more about how to better manage your risk to protect your blindspots, download our eBook, “Planning Before the Breach: You Can’t Protect What You Can’t See.” And join us for a live webinar where we’ll discuss:

  • How to better understand your risk
  • How to improve your security detection and response capabilities
  • Ways to level the playing field against sophisticated adversaries