In an interesting article published this month by ZDNet, the speed at which compromised accounts get tested by attackers was shown to be astonishingly quick: leaked credentials were tried within 24 hours of their release. Check out the full article for the details. This means organisations have to respond with increasing speed in order to limit the fallout from compromised credentials. Here we explore some detection tools and proactive measures that can be put in place to help organisations deal with incidents of compromised credentials. I will explore preventative measures in a separate post.
Impossible Travel - Security information and event management (SIEM) tools can be configured with a use case that geolocates the source IP address of each user login and alerts when a user has logged in from two locations it would be impossible to travel between in the time elapsed between the logins. The speed threshold needs tuning: VPN egress points, mobile carrier NAT and cloud provider ranges geolocate poorly and are the usual source of false positives, so the use case should only consider successful logins and ignore short hops that are within GeoIP error.
Unusual behaviour - SIEM use cases can also be implemented to alert when a user logs into a digital asset they would not normally log into. This requires a learning period to establish what ‘usual’ activity looks like for each user, but is effective at raising initial alerts for follow-up.
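As an added illustration of the two SIEM use cases above (this is example code written for this post, not any vendor's SIEM logic), the following Python runs an impossible-travel check and a new-asset check over a handful of constructed login records. The GeoIP table, the 900 km/h speed threshold, the 50 km minimum distance, the log format and the log lines themselves are all assumptions made for the example; in a real deployment the coordinates would come from the SIEM's GeoIP enrichment and the baseline from a longer history window.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed GeoIP table standing in for a real GeoIP lookup (assumption: the SIEM
# has already enriched each source IP). The addresses are documentation ranges.
GEOIP = {
    "203.0.113.10": ("London", 51.5074, -0.1278),
    "203.0.113.11": ("London", 51.5074, -0.1278),
    "192.0.2.30": ("Manchester", 53.4808, -2.2426),
    "198.51.100.20": ("New York", 40.7128, -74.0060),
}
# Constructed login records (timestamp,user,src_ip,asset,outcome), not real logs.
# HISTORY_LOG is the learning window for the asset baseline; TODAY_LOG is analysed.
HISTORY_LOG = """\
2024-02-05T09:00:00Z,alice,203.0.113.10,vpn,success
2024-02-05T09:02:00Z,alice,203.0.113.10,mail,success
2024-02-12T09:05:00Z,bob,192.0.2.30,vpn,success
2024-02-12T09:30:00Z,bob,192.0.2.30,hr-portal,success
"""
TODAY_LOG = """\
2024-03-01T08:00:00Z,alice,203.0.113.10,vpn,success
2024-03-01T08:45:00Z,alice,198.51.100.20,mail,success
2024-03-01T09:10:00Z,bob,192.0.2.30,vpn,success
2024-03-01T10:30:00Z,bob,203.0.113.11,hr-portal,success
2024-03-01T10:35:00Z,bob,203.0.113.11,finance-db,success
2024-03-01T11:00:00Z,carol,192.0.2.30,vpn,success
2024-03-01T11:20:00Z,alice,203.0.113.10,mail,failure
"""
MAX_SPEED_KMH = 900.0   # assumption: faster than an airliner means impossible travel
MIN_DISTANCE_KM = 50.0  # assumption: below this, treat as GeoIP jitter, not travel


@dataclass
class Login:
    ts: datetime
    user: str
    src_ip: str
    asset: str
    success: bool


def parse_log(text):
    """Parse the CSV-style login lines above into Login records."""
    events = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        ts, user, src_ip, asset, outcome = line.split(",")
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))  # bare 'Z' needs 3.11+
        events.append(Login(when, user, src_ip, asset, outcome == "success"))
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive successful logins by one user that imply travel faster than
    max_speed_kmh. Failed logins and IPs without a geolocation are ignored."""
    by_user = {}
    for e in events:
        if e.success and e.src_ip in GEOIP:
            by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e.ts)
        for prev, cur in zip(logins, logins[1:]):
            city1, lat1, lon1 = GEOIP[prev.src_ip]
            city2, lat2, lon2 = GEOIP[cur.src_ip]
            distance = haversine_km(lat1, lon1, lat2, lon2)
            if distance < MIN_DISTANCE_KM:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Same-second logins from distant places: report infinite speed rather than
            # divide by zero; it is the clearest sign of two actors on one account.
            speed = float("inf") if hours == 0 else distance / hours
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": city1, "to": city2,
                               "distance_km": round(distance, 1), "speed_kmh": round(speed, 1),
                               "first": prev.ts.isoformat(), "second": cur.ts.isoformat()})
    return alerts


def build_asset_baseline(history):
    """Map each user to the assets they successfully used in the learning window."""
    baseline = {}
    for e in history:
        if e.success:
            baseline.setdefault(e.user, set()).add(e.asset)
    return baseline


def unusual_asset_access(events, baseline):
    """Flag successful logins to assets outside the user's baseline; a user with no
    baseline at all gets a distinct reason so the analyst can tell the cases apart."""
    alerts = []
    for e in events:
        if not e.success:
            continue
        usual = baseline.get(e.user)
        if usual is None:
            reason = "no baseline for user"
        elif e.asset not in usual:
            reason = "asset not in baseline"
        else:
            continue
        alerts.append({"user": e.user, "asset": e.asset, "src_ip": e.src_ip,
                       "ts": e.ts.isoformat(), "reason": reason})
    return alerts


def run_detections(history_text=HISTORY_LOG, today_text=TODAY_LOG):
    """Run both use cases over the constructed data; returns (travel_alerts, asset_alerts)."""
    today = parse_log(today_text)
    baseline = build_asset_baseline(parse_log(history_text))
    return impossible_travel(today), unusual_asset_access(today, baseline)
```

On the sample data, alice's London login followed 45 minutes later by a New York login is the only impossible-travel alert (about 5570 km at roughly 7400 km/h), while bob's Manchester-to-London hop in 80 minutes is not. The asset check flags bob on finance-db and carol, who has no history at all; the failed login is ignored by both checks. A real use case would also suppress known corporate VPN and cloud egress addresses before geolocating.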
Dark Web monitoring - Open source intelligence (OSINT) tooling can watch for organisational credentials appearing in dark web dumps and raise an alert for the security team to investigate. This is particularly useful for credentials to cloud-based systems, because the login activity for those systems may not be visible to internal security teams, so the leak may be the first indication that an account is at risk.
Planning - It is important to act as quickly as possible. Having a basic run book of what actions to take in the event of a compromised credentials incident means damage can be limited.
Mitigation - To keep the impact of the incident to a minimum, mitigation steps should be implemented including (but not limited to):
Asking the user to change their network password (even if the breach is external to the corporate network), and revoking any active sessions and tokens, since a password change does not by itself terminate sessions already established with the old credentials
Advising the user to consider any other sites the same password was used on, and to change those too, to avoid credential stuffing attacks. Note: it is important not to victimise the user. Doing so makes users less likely to report security incidents, and the breach may not have been their fault in the first place, as attackers use increasingly crafty ways to obtain credentials.
Analysis - If you have the appropriate tools in place (such as a SIEM), check whether there has been any unusual behaviour on the user's account. It is worthwhile adding a flag to the user account so that it receives increased monitoring for a couple of months.
Improve - Consider what additional controls can be put in place (if any) to either prevent such incidents or improve their detection in the future. A core part of your security incident response should be lessons learned and future security incident avoidance.
Contact us if you would like to hear how we can help implement the detection and response capabilities discussed above.