Just like locking your front door is crucial to protect your house, monitoring account logins to organizational servers and workstations is crucial to detect password cracking attempts. Cybersecurity attackers are motivated to gain access to sensitive data and systems, or to use entry to pivot to other valuable targets like supply chain partners. An astonishing 80% of hacking-related breaches involve compromised or weak credentials, according to the 2019 Verizon Data Breach Investigation Report (DBIR).

Attack Background

Login attacks occur when hackers impersonate a valid user, such as a system administrator (sysadmin), by stealing login credentials to gain access to critical systems and steal sensitive data, or for corporate espionage. Small and mid-sized businesses (SMBs) with their finite IT staff and expertise can become the path of least resistance for hackers. There are three primary types of authentication threats to watch for:

• Brute force attack: An offensive attack that relies on guessing possible combinations of a targeted password, passphrase, or PIN through repeated trial and error attempts.
• Dictionary attack: A cybersecurity hack utilizing an automated wordlist to uncover passwords based on words found in a dictionary.
• Low and slow authentication attack: A slow attack using known factors such as the name of an administrator’s spouse or child, hoping to guess the password to avoid detection and lockout seen with larger-volume login attacks.

It is important that you know these types of attacks so that you can identify foul play on your network. The ultimate login target for hackers is compromising privileged accounts to access systems in the data center or pivot to databases that can be monetized such as credit cards or gift card inventory.

Impacts of Anomalous Login Attacks

There are direct and indirect costs associated with credential-based attacks, especially those that result in information loss and a public data breach. Organizational and customer impacts may have far reaching affects far beyond an actual compromise or security event. Supply chain partners or customers may lose confidence in you and defect for one of your competitors.

• Direct Costs
  Examples of “hard” or direct costs associated with account takeover include lost revenue, the expense of refunds or issuing new credit cards, credit card monitoring expenses, customer communication costs, and related legal fees. It also encompasses remediation costs, such as hiring a forensic investigator or purchasing new technology. There may also be fines levied by regulatory bodies. The average cost of a global data breach in 2019 for organizations of all sizes was $3.82 million per incident, according to the Ponemon Institute. It is also worth noting that about 30% of organizations are hacked a second time within 24 months.
• Indirect Costs
  The “soft” costs, or indirect costs, are no less worrisome than the direct costs. Indirect costs associated with a data leak or actual breach include the time and effort spent resetting logins, the lost productivity associated with internal investigation and remediation, and the loss of brand reputation, as well as customer churn. The ultimate cost is a loss of customer trust and credibility that can impact your organization’s success and even survivability.

Detect Credential-Based Attacks

Monitoring by security experts can detect unusual traffic volumes or geolocations that are worth investigation. Multiple logins over a short period of time are another telltale sign of suspicious activity. A Security Information and Event Management (SIEM) platform with 24/7 monitoring from a Security Operations Center (SOC) and Endpoint Detection and Response (EDR) offers real-time visibility and early threat detection by reducing the attack surface and pinpointing attacks before data exfiltration occurs. Data breaches are often uncovered after the fact when account logins, loyalty points, or credit card numbers are posted for sale in criminal forums.

Defend Against Login Attacks

Updated password practices and login hygiene are some crucial methods for attack surface reduction. Avoid reusing passwords, known as password recycling, across various accounts such as entertainment and business accounts. Some countermeasures to combat account takeover include:

1. Implement behavior analytics:

User and Entity Behavior Analytics (UEBA) capabilities are the baseline of typical user performance and identify suspicious activity such as logins from different or unusual devices, geolocations, or time zones. Behavior analytics can rapidly detect insider anomalies and external threats. Hackers might be able to rob your identity, but they can’t steal your user behavior.

2. Protect privileged account logins:

Implement two-factor authentication for privileged account users like sysadmins that have “VIP” access to Active Directory and Domain Controllers. Policies of least privilege and role-based access control (RBAC) capabilities limit the exposure and reduce the tendency to make every executive a “super user” which increases organizational risk.

3. Enhance security awareness training:

Reinforce the importance of login best practices and effective password hygiene. Since users are the weakest link, include tips about minimizing over-sharing on social media that can disclose weak password information such as birthdate, hometown, and names of children, for instance.

4. Adopt updated password guidelines from NIST:

The National Institute of Standards and Technology (NIST) has issued NIST 800-63 with long-overdue changes and recommendations regarding digital identity and passwords. The guidelines recommend the removal of periodic password changes that merely cause users to write them down or forget them, the elimination of certain complex combinations of letters and numbers in passwords, and comparing new user passwords against lists of both frequently used passwords as well as compromised passwords already exposed publicly and presumably on criminal forums for sale.

5. Reduce your attack surface:

Adopt ways to reduce legacy infrastructure and outdated practices that can weaken your cybersecurity. Implementing segmentation to separate critical applications on your network into subsections can enhance control, performance, and cybersecurity by limiting the “blast radius” for hackers. It’s also important to continuously inventory your infrastructure to minimize drift over time and identify unmanaged devices such as those from rogue employees or visiting vendors.

Bottom Line

Enhance your security operations to continuously improve visibility and defenses. Anomalous login detection uncovers stealthy cyber criminals intent on gaining the “keys to your kingdom” to access VIP accounts in order to pivot to other sensitive data. Employ countermeasures such as UEBA, SIEM, and EDR built into Netsurion’s EventTracker platform to detect and block account takeover before damage occurs. Comprehensive SOC monitoring enables you to predict, prevent, detect, and respond (PPDR) to advanced threats and interrupt numerous steps in the cyber kill chain.