How a vantage point sees threats before they impact
Seldom does a month go by in which the IT industry observes another near-breach event.
When the focus has been on adversaries that develop increasingly complex and sophisticated attacks, tried and true techniques such as compromised credentials continue to be amongst the most potent weapons.
According to Verizon's latest DBIR Report, 80% of confirmed data breaches involved weak, default or stolen passwords, or brute force credential compromises.
The risk will vary depending on the level of access it provides. Privileged credentials (e.g. administrative accounts) give access to systems and devices, sensitive data or unfettered rights to move within the infrastructure.
Not to be forgotten are service email accounts (e.g. firstname.lastname@example.org) that often deliver the deepest level of access into a company. Service accounts are used by machines rather than humans, so they cannot easily leverage the added security of one-time passwords and MFA.
These are observed frequently. While they differ in their own way, they follow a similar pattern (directionally following an attack framework of choice):
- Reconnaissance using publicly available information or inadvertently exposed information. At a minimum, this gives insights into the accounts to target or visibility into access credentials that have been inadvertently disclosed. There are an innumerable variety of ways that credentials can be compromised; ranging from public information on social media, websites, or even legal documents.
- Cracking the credentials and accessing resources, hosts or servers.
- Movement to accounts or hosts of privilege to eventually get to its target. Close collaboration between a cloud access security broker and a cloud-native endpoint protection company has shown that it takes an intruder one hour and 58 minutes to jump from the machine that's initially compromised and begin moving laterally through a network.
While organisations want to secure all three fronts, the likelihood of preventing every instance of credential abuse is foundationally difficult. IT must be right every time — but the attacker needs to be right only once. Most security teams are hard-pressed to confirm, let alone respond to compromises before movement occurs.
It's therefore imperative to observe and track activity on all fronts, using solutions which see attacks after credential compromises have occurred but before the impact of a breach. That position delivers direct visibility into initial access to apps, systems and data; especially when they trigger anomalous, unexpected behaviours that are indicative of malicious activities.
To learn how an organisation can gain full visibility and control over the wide range of applications that employees use to perform their work duties, it's advised that organisations evaluate cloud access security brokers, and choose the most effective.