Just like locking your front door is crucial to protect your house, monitoring account logins to organizational servers and workstations is crucial to detect password cracking attempts. Cybersecurity attackers are motivated to gain access to sensitive data and systems, or to use entry to pivot to other valuable targets like supply chain partners. An astonishing 80% of hacking-related breaches involve compromised or weak credentials, according to the 2019 Verizon Data Breach Investigation Report (DBIR).
Login attacks occur when hackers impersonate a valid user, such as a system administrator (sysadmin), by stealing login credentials to gain access to critical systems and steal sensitive data, or for corporate espionage. Small and mid-sized businesses (SMBs) with their finite IT staff and expertise can become the path of least resistance for hackers. There are three primary types of authentication threats to watch for:
It is important that you know these types of attacks so that you can identify foul play on your network. The ultimate login target for hackers is compromising privileged accounts to access systems in the data center or pivot to databases that can be monetized such as credit cards or gift card inventory.
There are direct and indirect costs associated with credential-based attacks, especially those that result in information loss and a public data breach. Organizational and customer impacts may have far-reaching effects well beyond the actual compromise or security event. Supply chain partners or customers may lose confidence in you and defect to one of your competitors.
Monitoring by security experts can detect unusual traffic volumes or geolocations that are worth investigating. Multiple login attempts over a short period of time are another telltale sign of suspicious activity. A Security Information and Event Management (SIEM) platform with 24/7 monitoring from a Security Operations Center (SOC), combined with Endpoint Detection and Response (EDR), offers real-time visibility and early threat detection by reducing the attack surface and pinpointing attacks before data exfiltration occurs. Data breaches are often uncovered only after the fact, when account logins, loyalty points, or credit card numbers are posted for sale in criminal forums.
Updated password practices and login hygiene are some crucial methods for attack surface reduction. Avoid reusing passwords, known as password recycling, across various accounts such as entertainment and business accounts. Some countermeasures to combat account takeover include:
User and Entity Behavior Analytics (UEBA) capabilities establish a baseline of typical user behavior and identify suspicious activity such as logins from different or unusual devices, geolocations, or time zones. Behavior analytics can rapidly detect insider anomalies and external threats. Hackers might be able to steal your identity, but they can’t steal your user behavior.
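The two signals described above (a burst of failed logins from one source in a short window, and a successful login from a geolocation outside a user's baseline) as an added example, not code from the original post or from Netsurion's platform. The log format, the sample events, and the per-user baseline are all constructed for the example; a real deployment would parse the SIEM's own event schema and learn the baseline from weeks of known-good logins.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone
# Constructed sample auth log (not from any real system): a burst of failures
# against 'admin' from one source, then a success for 'alice' from a new country.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z user=alice src=198.51.100.7 geo=US result=success
2024-05-01T08:00:05Z user=admin src=203.0.113.5 geo=RU result=failure
2024-05-01T08:00:07Z user=admin src=203.0.113.5 geo=RU result=failure
2024-05-01T08:00:09Z user=admin src=203.0.113.5 geo=RU result=failure
2024-05-01T08:00:12Z user=admin src=203.0.113.5 geo=RU result=failure
2024-05-01T08:00:14Z user=admin src=203.0.113.5 geo=RU result=failure
2024-05-01T09:30:00Z user=alice src=192.0.2.44 geo=BR result=success
2024-05-01T10:00:00Z user=bob src=198.51.100.9 geo=US result=failure
"""

# Constructed per-user baseline; in practice it is learned from weeks of clean logins.
BASELINE = {"alice": {"US"}, "admin": {"US"}, "bob": {"US"}}

def parse_log(text):
    """Turn 'ts key=value ...' lines into dicts with an aware datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        e = dict(p.split("=", 1) for p in pairs)
        e["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events

def detect_bursts(events, window_seconds=60, threshold=5):
    """Flag (src, user) pairs with >= threshold failures inside a sliding window:
    the 'multiple login attempts over a short period of time' signal."""
    recent = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    flagged = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "failure":
            continue
        q = recent[(e["src"], e["user"])]
        q.append(e["ts"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged.add((e["src"], e["user"]))
    return flagged

def detect_new_geo(events, baseline):
    """UEBA-style check: a successful login from outside the user's baseline countries."""
    return [(e["user"], e["geo"], e["src"]) for e in events
            if e["result"] == "success" and e["geo"] not in baseline.get(e["user"], set())]
```

Both detectors return the flagged identities rather than printing, so they can feed a SIEM alert rule or an analyst queue directly.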
Implement two-factor authentication for privileged account users like sysadmins that have “VIP” access to Active Directory and Domain Controllers. Policies of least privilege and role-based access control (RBAC) capabilities limit exposure and reduce the tendency to make every executive a “super user”, which increases organizational risk.
Reinforce the importance of login best practices and effective password hygiene. Since users are the weakest link, include tips about minimizing over-sharing on social media that can disclose weak password information such as birthdate, hometown, and names of children, for instance.
The National Institute of Standards and Technology (NIST) has issued NIST 800-63 with long-overdue changes and recommendations regarding digital identity and passwords. The guidelines recommend removing periodic password changes, which merely cause users to write passwords down or forget them; dropping mandatory complexity rules that require particular combinations of letters and numbers; and comparing new user passwords against lists of both frequently used passwords and compromised passwords already exposed publicly and presumably offered for sale on criminal forums.
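A password-screening routine that follows the NIST 800-63 recommendations just listed (a length floor, no composition rules, no expiry, and rejection of passwords found in a compromised-password list or containing context-specific words), as an added example that is not from the original post or any NIST reference implementation. The breach denylist and the context words are constructed placeholders; a real deployment would load a breach corpus or query a k-anonymity range service for the SHA-1 prefix.

```python
import hashlib

# Constructed denylist of already-exposed passwords (stand-in for a breach corpus).
# Stored as SHA-1 so the policy server never has to hold the plaintexts.
_EXPOSED_PLAINTEXTS = ["password", "123456", "qwerty", "letmein", "Welcome1", "summer2019"]
EXPOSED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _EXPOSED_PLAINTEXTS}

# Context-specific words the guideline says to reject (service name, product name).
CONTEXT_WORDS = ["netsurion", "eventtracker"]

MIN_LENGTH = 8   # memorized-secret minimum for user-chosen passwords

def is_exposed(password):
    """Look up the SHA-1 of the candidate in the breached-password set.
    Only the first five hex characters of this digest would leave the host
    in a k-anonymity range query; the full digest is compared locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in EXPOSED_SHA1

def screen_password(password, username=""):
    """Return the reasons a candidate is rejected; an empty list means acceptable.
    Deliberately no composition rules and no expiry: only length and denylists."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    lowered = password.lower()
    if username and username.lower() in lowered:
        reasons.append("contains username")
    if any(w in lowered for w in CONTEXT_WORDS):
        reasons.append("contains service name")
    if is_exposed(password):
        reasons.append("found in breach corpus")
    # Repetitive or sequential strings such as 'aaaaaaaa' or '12345678'
    if (len(set(password)) <= 2 or password in "0123456789"
            or lowered in "abcdefghijklmnopqrstuvwxyz"):
        reasons.append("repetitive or sequential")
    return reasons
```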
Adopt ways to reduce legacy infrastructure and outdated practices that can weaken your cybersecurity. Implementing segmentation to separate critical applications on your network into subsections can enhance control, performance, and cybersecurity by limiting the “blast radius” for hackers. It’s also important to continuously inventory your infrastructure to minimize drift over time and identify unmanaged devices such as those from rogue employees or visiting vendors.
Enhance your security operations to continuously improve visibility and defenses. Anomalous login detection uncovers stealthy cyber criminals intent on gaining the “keys to your kingdom” to access VIP accounts in order to pivot to other sensitive data. Employ countermeasures such as UEBA, SIEM, and EDR built into Netsurion’s EventTracker platform to detect and block account takeover before damage occurs. Comprehensive SOC monitoring enables you to predict, prevent, detect, and respond (PPDR) to advanced threats and interrupt numerous steps in the cyber kill chain.