Today’s blog will examine how a hacker does their reconnaissance for launching a Compromised Credentials Attack, and some of the methods an organization may employ to detect the activity before the attack occurs.
Breaching a Secure Organization – Reconnaissance
In last week’s blog, we laid out the anatomy of an attack in a flow chart. This type of attack relies on acquiring valid credentials that will enable access to the target organization. Usually, the credentials are acquired through Phishing and Malware exploits aimed directly at the organization, or because members of the organization have had their credentials compromised on another website or system.
See It Coming Before It Happens
There are many tools that mitigate attacks after your organization’s defenses have been penetrated. To see it coming before it happens, an organization must have the knowledge and tools to be aware of reconnaissance activities. To quote a cliché from the medical field – “An ounce of prevention is worth a pound of cure.” It truly applies to Information Security.
Recognizing Phishing Exploits
Phishing is perhaps the most commonly employed technique for sourcing valid credentials, and every organization is likely to be the target of a Phishing exploit. The detection approach is to monitor your network activity and recognize when a single IP address is sending multiple emails with the same subject line (spamming). A complete set of tools for recognizing and reacting to Phishing exploits includes:
iSightPartners ThreatScape Intelligence collects detailed log data that may be analyzed for patterns and other suspicious activity.
Splunk SIEM ingests the data and provides additional analysis capability.
Corvil provides an additional level of detail that enables identifying the attacker IP, emails sent, and their recipients.
Figures 1 and 2 illustrate Phishing detection intelligence and analysis.
Sophisticated attackers may be able to make detection by these methods more difficult by doing their recon from multiple IP addresses and slightly changing the Phishing email subject line and content.
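As an added illustration of the subject-line heuristic described above (example code written for this post, not part of any of the products named), the following Python script groups constructed mail-gateway log lines by source IP and normalized subject, and also reports one subject spread across several IPs, the evasion pattern just noted. The log format and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of mail-gateway log lines (assumed format,
# not from any real gateway): "<src_ip> <recipient> <subject>"
SAMPLE_LOG = """\
203.0.113.7 alice@example.com Your account will be suspended
203.0.113.7 bob@example.com Your account will be suspended
203.0.113.7 carol@example.com Your Account Will Be Suspended!
203.0.113.7 dave@example.com Your account will be suspended #4471
198.51.100.9 erin@example.com Weekly status report
198.51.100.9 frank@example.com Invoice 20931 attached
203.0.113.22 grace@example.com Your account will be suspended - 8812
203.0.113.22 heidi@example.com your account will be suspended
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.+)$")

def normalize_subject(subject):
    """Fold case and drop digits/punctuation so lightly varied subjects cluster."""
    s = subject.lower()
    s = re.sub(r"[0-9]+", "", s)
    s = re.sub(r"[^a-z ]", "", s)
    return " ".join(s.split())

def parse_log(text):
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)

def find_spam_sources(text, threshold=3):
    """{(src_ip, normalized_subject): [recipients]} for IPs that sent
    `threshold` or more messages with the same normalized subject."""
    counts = defaultdict(list)
    for ip, rcpt, subj in parse_log(text):
        counts[(ip, normalize_subject(subj))].append(rcpt)
    return {k: v for k, v in counts.items() if len(v) >= threshold}

def find_distributed_campaigns(text, min_ips=2):
    """Same normalized subject sent from several IPs: the evasion pattern above."""
    ips = defaultdict(set)
    for ip, _rcpt, subj in parse_log(text):
        ips[normalize_subject(subj)].add(ip)
    return {s: sorted(v) for s, v in ips.items() if len(v) >= min_ips}
```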
Recognizing Malware in Email Attachments
Another reconnaissance technique for acquiring valid credentials is placing Malware in an email attachment. If the recipient opens the attachment, the Malware loads onto their computer and performs whatever task it is designed to do. Tools for recognizing and reacting to Malware attachments include:
IP Interception: The iSightPartners, Splunk, and Corvil products identify emails originating from known malicious IP sources and pick out the emails with attachments. The attachments must then be manually examined to determine if they are malicious. Malware always contains some element that is an executable, so it is readily detectable.
Figure 3 illustrates malicious IP scanning and detection.
McAfee Enterprise is a hardware solution that “uses the McAfee ePolicy Orchestrator centralized management console to deploy policies, manage security alerts, and review automated reports.”
Sophos is a hardware and cloud-based solution that “intercepts emails containing suspicious content, attachments or URLs.” Sophos Sandstorm will “detect, block, and respond to evasive threats using powerful cloud-based, next-generation sandbox technology.”
The downside of this method is that attackers can scramble (obfuscate) the malicious code, which currently evades most antivirus tools.
Reputation Systems: Another useful technique is to implement Sender/IP reputation systems. f5 Intelligence Services provides the ability to detect and block bad actors before they hit your organization. The service detects “low reputation IP addresses” – IP addresses that have been reported to be the source of suspicious activity or known to be the source of malicious attacks and software. The service blocks malicious activity at the earliest point, eliminating the efforts spent processing bad traffic.
The downside of this solution is that if a user opens a malicious attachment from a personal email account while working on a company computer, the organization may still become infected.
Recognizing Compromised Accounts from Other Breaches
The reason for the high success rate of this attack method is that users reuse passwords – even the ‘strong’ corporate passwords that enterprises require.
VeriClouds offers a PasswordWarning Tool that provides an alert when a corporate account holder reuses their corporate password on another site.
Figure 4 shows a screenshot of the VeriClouds PasswordWarning tool.
Real-time Detection Tools
VeriClouds’ ActiveDirectory or Kerberos server extensions provide real-time feedback if a log-in attempt is made using compromised account credentials. Information provided by the VeriClouds extension enables the authentication services to make a more informed decision on how to handle the user. For example, the authentication server can require a password reset or enforce other actions based on the organization’s policy.
Figure 5 illustrates real-time detection of a log-in attempt using a compromised password.
Failed Logins: Another method for identifying an attack based on compromised accounts is detecting many failed login attempts originating from the same IP address. Splunk SIEM comes preloaded with a rule for detecting failed logins. Many failed logins originating from the same IP address are a sure sign of suspicious activity.
Figure 6 illustrates a Splunk report of excessive failed logins.
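As an added example (not Splunk’s preloaded rule or any VeriClouds product code), this Python script applies the failed-login heuristic to constructed authentication log lines, counting failures per source IP inside a sliding time window and noting whether a success follows the burst, which is the case most worth an analyst’s attention. The log format, threshold and window size are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed authentication log lines (assumed format, not from any
# real server): "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_AUTH_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:04 FAIL user=bob src=203.0.113.7
2024-03-01T09:00:09 FAIL user=carol src=203.0.113.7
2024-03-01T09:00:12 FAIL user=dave src=203.0.113.7
2024-03-01T09:00:15 FAIL user=erin src=203.0.113.7
2024-03-01T09:00:20 OK user=erin src=203.0.113.7
2024-03-01T09:01:00 FAIL user=frank src=198.51.100.9
2024-03-01T09:30:00 FAIL user=frank src=198.51.100.9
2024-03-01T09:31:00 OK user=frank src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse_auth_log(text):
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_brute_force_sources(text, threshold=5, window_seconds=60):
    """{src_ip: {failures, users, success_after}} for IPs with `threshold`
    or more failures inside any `window_seconds` span."""
    recent = defaultdict(deque)   # src_ip -> failure timestamps still in window
    users = defaultdict(set)
    hits = {}
    for ts, result, user, ip in parse_auth_log(text):
        if result == "FAIL":
            q = recent[ip]
            q.append(ts)
            users[ip].add(user)
            # Drop failures that have fallen out of the sliding window
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                entry = hits.setdefault(ip, {"failures": 0, "users": [], "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif ip in hits:
            # A success right after a burst of failures is the strongest signal
            hits[ip]["success_after"] = True
    for ip, entry in hits.items():
        entry["users"] = sorted(users[ip])
    return hits
```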
VeriClouds was founded by Rui Wang and Stan Bounev in 2014 to resolve the authentication security issues in Cloud Services. Information Security is not just a business opportunity. It is a calling, a passion, even an obsession. Rui and Stan joined forces to create ways to make the world more secure by making it safer to do business online. Rui has a Ph.D. in Cyber Security, and Stan is a successful entrepreneur with over 14 years of corporate and startup experience in the banking and technology industries.