Preventing Compromised Credentials and Insider Threats


Compromised accounts and insider threats are behind a large share of today's data breaches. Stolen credentials are an easy and inconspicuous way into accounts and the personal data behind them. According to Cybersecurity Insiders' 2020 Insider Threat Report, 63% of organizations believe that privileged IT users pose the biggest threat to security. Many large corporations have so many privileged IT accounts that the IT team cannot manage them alone. The rapid move to cloud-based infrastructure and IoT devices is another contributing factor in many data breaches.

The next section will investigate the various types of account compromises.

Types of Account Compromises

Following are the main types of account compromises:

Insider Threats

An insider threat, as the name implies, is a security breach that has its roots inside the targeted company. The threat actors could be current or former disgruntled employees, business partners, contractors, or a combination of these. Sometimes the people involved unwittingly provide information, or are bribed for data, and a breach results. Verizon's 2019 Data Breach Investigations Report concluded that 34% of all data breaches involved internal actors. Inside every organization there are two kinds of potential insider threat actor: Turncloaks and Pawns. Turncloaks maliciously steal data by abusing their access for profit. Pawns are well-meaning employees who share information by mistake through careless behavior, or who are manipulated into sharing it by the Turncloaks.

Credential Stuffing

Credential stuffing is the practice of taking username and password pairs exposed in one data breach and trying them against other, unrelated services. The stolen pairs are submitted automatically and in bulk. It is a form of brute-force attack, but instead of guessing passwords, attackers replay a list of credentials that were valid somewhere else. These attacks are cheap and easy to run because many people rarely change their passwords and reuse the same password across services. They have also gained momentum because botnets and automated tools route the login attempts through proxies, spreading them across many IP addresses so that no single source stands out.
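The two traffic shapes described above, one source trying many accounts and one account being tried from many proxied sources, are both detectable from an ordinary authentication log. The following is an added example written for this page, not code from the original post or from Exium; the log format, the sample lines (RFC 5737 documentation addresses), the ten-minute window and the thresholds are all assumptions chosen for illustration.

```python
"""Credential-stuffing detector over an auth log (added example; format and thresholds assumed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO-8601 UTC time> src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log. 203.0.113.10 tries five accounts once each and then
# succeeds on a sixth (classic stuffing); 198.51.100.5 is a real user who mistypes
# twice; hank is hit once each from three different proxies (distributed stuffing).
SAMPLE_LOG = """
2024-05-01T10:00:01Z src=203.0.113.10 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.10 user=bob result=FAIL
2024-05-01T10:00:02Z src=203.0.113.10 user=carol result=FAIL
2024-05-01T10:00:03Z src=203.0.113.10 user=dave result=FAIL
2024-05-01T10:00:03Z src=203.0.113.10 user=erin result=FAIL
2024-05-01T10:00:04Z src=203.0.113.10 user=frank result=OK
2024-05-01T10:05:00Z src=198.51.100.5 user=grace result=FAIL
2024-05-01T10:05:20Z src=198.51.100.5 user=grace result=FAIL
2024-05-01T10:05:40Z src=198.51.100.5 user=grace result=OK
2024-05-01T10:20:00Z src=198.51.100.20 user=hank result=FAIL
2024-05-01T10:21:00Z src=198.51.100.21 user=hank result=FAIL
2024-05-01T10:22:00Z src=198.51.100.22 user=hank result=FAIL
"""


def parse(log_text):
    """Turn raw lines into time-sorted event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"], "user": m["user"], "result": m["result"],
        })
    return sorted(events, key=lambda e: e["ts"])


def _windowed(fails, i, window, key):
    """Distinct values of `key` among failures within `window` of fails[i]."""
    t0 = fails[i]["ts"]
    return {f[key] for f in fails[i:] if f["ts"] - t0 <= window}


def detect_stuffing(events, window=timedelta(minutes=10),
                    max_accounts_per_ip=5, max_ips_per_account=3):
    alerts = []
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
        by_user[e["user"]].append(e)

    # Pattern 1: one source failing against many distinct accounts in a short window.
    # Brute force hits one account with many passwords; stuffing hits many accounts
    # with one password each, so the distinct-account count is the signal. Any
    # success from that source after the spree is a likely compromised account.
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i in range(len(fails)):
            users = _windowed(fails, i, window, "user")
            if len(users) >= max_accounts_per_ip:
                t0 = fails[i]["ts"]
                hits = sorted({e["user"] for e in evs
                               if e["result"] == "OK" and e["ts"] >= t0})
                alerts.append({"type": "stuffing_single_source", "ip": ip,
                               "accounts_tried": len(users), "likely_compromised": hits})
                break

    # Pattern 2: one account failing from many distinct sources, the proxy/botnet
    # distribution the text describes, which per-IP rate limits never see.
    for user, evs in by_user.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i in range(len(fails)):
            ips = _windowed(fails, i, window, "ip")
            if len(ips) >= max_ips_per_account:
                alerts.append({"type": "stuffing_distributed",
                               "user": user, "sources": len(ips)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(parse(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this raises exactly two alerts, one for 203.0.113.10 naming frank as likely compromised and one for hank, while grace's two typos are left alone. In production the thresholds need tuning per service, and the distributed pattern must be checked against legitimate cases such as a user on a mobile network whose address changes between attempts.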

Social Engineering

Social engineering is a manipulation tactic that tricks people into revealing confidential information. It exploits human weaknesses: most people are inclined to give out information when asked for it. Threat actors pretend to be someone they are not, so that victims voluntarily hand over sensitive information. It is not limited to email; any communication medium can carry a social engineering attempt. It is often the initial point of entry for attackers carrying out more complex intrusions.

Phishing

Phishing is delivered by email and includes a malicious URL that entices users to click. Once a user clicks, a website is launched that can download malware, ask for credentials, or infect the computer with ransomware, which can only be reversed by paying a hefty ransom to decrypt the drive. Phishing can be carried out in many ways, but the most common is a convincing email with a clickable, malicious link. What happens after the click varies: remote code execution, a ransom demand, or a malware infection.

Vishing (Voice Phishing)

This attack arrives as an enticing voicemail that gets the user to call a certain number and hand over personal information, which is then used for identity theft or other malicious purposes.

BEC (Business Email Compromise)

BEC is conducted through email spoofing: an incoming email pretends to come from the user's CEO, manager, or a trusted colleague and asks for access, gift cards, or other sensitive information. Many uninformed users fall for it and hand over what is asked out of goodwill.

Pass-the-Hash

A password hash such as an NTLM hash is effectively password-equivalent: the NTLM protocol authenticates with a value derived from the hash, not from the password itself. In a pass-the-hash attack, the attacker obtains a user's hash, by sniffing network traffic, dumping it from memory, or other means, and uses it directly to authenticate to restricted resources without ever cracking it.

Now that we are aware of the different types of account compromises and insider threats, let us discuss how they can be prevented.

Preventing Accounts from Getting Compromised

When it comes to account security, you cannot win by reactively blocking each indicator as it appears. Before relying on reactive controls, put proactive measures in place. The following will help you get started:

Reset Password and/or Disable Account

Once a compromise is identified, the first response step is to cut off the endpoint's network traffic, isolate it, and disable the compromised user account. Isolating the account means locking it or resetting the password; a reset alone does not end sessions that are already established, so active sessions, refresh tokens, and any API keys tied to the account should be revoked as well. Then gather details from the affected user and conduct a forensic analysis of the endpoint. Once all IOCs (Indicators of Compromise) are removed, the user's access and credentials can be restored.

Training users to spot malicious emails

Most insider incidents are initiated unknowingly through human error. Mandatory, ongoing security awareness training for all employees reduces this risk considerably. Training teaches users how to spot malicious emails and distinguish real threats from benign messages. Users should also be trained not to click on links or attachments in email unless the message has been verified.

Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) adds a layer of security by requiring a second factor, something the user has (a hardware key or authenticator app) or something the user is, in addition to the password, so a stolen password alone is not enough to log in. Prefer phishing-resistant factors such as FIDO2/WebAuthn keys over SMS and one-time codes, which a phishing page can relay in real time. MFA should be required for all remote access and for access to sensitive data such as online banking.

User and Entity Behavior Analytics (UEBA)

This is a security process built on each user's normal behavior pattern. For instance, if someone in marketing is repeatedly accessing resources on the finance side, that is suspicious and should be flagged. The point of the method is that an attacker can steal or guess a user's credentials, but cannot easily replicate that user's normal behavior.
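A minimal version of this baseline-and-deviation logic, added here as an example and not taken from the page or from Exium's product: it learns which resources each user and each department normally touch from a constructed access history, then scores new events for resources the user has never used, resources nobody in their department has ever used (the marketing-user-in-finance case above), and off-hours access. The history, the department labels, the working-hours range and the weights are all assumptions.

```python
"""UEBA-style baseline and anomaly scoring (added example; data, weights and hours assumed)."""
from collections import defaultdict
from datetime import datetime

# Constructed access history: (user, department, resource, ISO timestamp)
HISTORY = [
    ("mia", "marketing", "marketing-share", "2024-04-01T09:12:00"),
    ("mia", "marketing", "crm", "2024-04-01T10:30:00"),
    ("mia", "marketing", "crm", "2024-04-02T14:05:00"),
    ("max", "marketing", "marketing-share", "2024-04-02T11:00:00"),
    ("max", "marketing", "marketing-analytics", "2024-04-02T15:20:00"),
    ("fay", "finance", "finance-ledger", "2024-04-01T09:00:00"),
    ("fay", "finance", "payroll", "2024-04-03T16:45:00"),
]

WORK_HOURS = range(7, 20)  # assumed 07:00-19:59 local business hours


def build_baseline(history):
    """Learn per-user resources, per-department (peer group) resources, and each user's department."""
    user_resources, dept_resources, user_dept = defaultdict(set), defaultdict(set), {}
    for user, dept, resource, _ts in history:
        user_resources[user].add(resource)
        dept_resources[dept].add(resource)
        user_dept[user] = dept
    return {"user_resources": dict(user_resources),
            "dept_resources": dict(dept_resources),
            "user_dept": user_dept}


def score_event(baseline, user, resource, ts):
    """Return (score, reasons); higher means further from the user's and their peers' normal pattern."""
    score, reasons = 0, []
    dept = baseline["user_dept"].get(user)
    seen_by_user = baseline["user_resources"].get(user, set())
    seen_by_dept = baseline["dept_resources"].get(dept, set())
    if resource not in seen_by_user:
        score += 2
        reasons.append("resource never accessed by this user")
        if resource not in seen_by_dept:
            # Nobody in the peer group touches it either: the strongest signal.
            score += 3
            reasons.append(f"resource never accessed by anyone in {dept}")
    if datetime.fromisoformat(ts).hour not in WORK_HOURS:
        score += 1
        reasons.append("outside working hours")
    return score, reasons


def flag_anomalies(baseline, events, threshold=3):
    """Score each (user, resource, ts) event and return those at or above the threshold."""
    flagged = []
    for user, resource, ts in events:
        score, reasons = score_event(baseline, user, resource, ts)
        if score >= threshold:
            flagged.append({"user": user, "resource": resource,
                            "score": score, "reasons": reasons})
    return flagged


# Constructed new events to score against the baseline
NEW_EVENTS = [
    ("mia", "crm", "2024-05-01T14:00:00"),                  # routine
    ("mia", "marketing-analytics", "2024-05-01T15:00:00"),  # new for mia, normal for marketing
    ("fay", "finance-ledger", "2024-05-01T23:10:00"),       # her own data, just late
    ("mia", "finance-ledger", "2024-05-02T02:30:00"),       # marketing user in finance data at night
]

if __name__ == "__main__":
    for hit in flag_anomalies(build_baseline(HISTORY), NEW_EVENTS):
        print(hit)
```

Only the last event is flagged: a resource new to mia scores 2, a resource foreign to the whole marketing department adds 3, and the 02:30 access adds 1. A peer-group baseline is what keeps the second event quiet: mia has never used marketing-analytics, but her colleagues do, so the access is plausible. Real UEBA products learn these baselines statistically over many more signals, but the shape of the decision is the same.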

Implement Network Security Controls

As a preventative measure, known malicious URLs and IP addresses should be added to firewall web filters and other security tools so that they are blocked. File hashes of known malware can likewise be added to the antivirus or endpoint protection blocklist.

Employ Robust Endpoint Security

Endpoint security means securing end-user devices, including desktops, laptops, and mobile devices. Robust antivirus engines detect malware and prevent it from being downloaded or executed; some also show which devices are compromised and send alert notifications in response to security incidents.


Malicious attacks and account compromises are always on the rise. When it comes to corporate security, no single control is enough on its own. However, with due diligence, companies can protect their data pre-emptively and stop these attacks in their tracks.

If you are interested in protecting your business from account compromises and insider threats, then look no further. Exium specializes in detecting credential abuse through AI-powered monitoring and control. By leveraging machine learning, rapid alerts, and advanced analytics, the company protects organizations big and small from all types of credential abuse and insider threats.