We are all still malware-obsessed. Articles about detection (or the lack of it), ever more sophisticated variants, malware sandboxing, malware for sale and the reverse engineering of malware all continue to make headlines, and are discussed in the boardroom and at federal agencies.
Yet malware itself has become much less visible, and there is one small fact that everyone already knows but doesn't readily discuss: the value of stolen credentials to an attacker. Once on a system, malware inherits the identity and access permissions of the user whose credentials it runs under. The user may be going about normal duties while the malware acts on their behalf, so once the attacker holds a good set of credentials it is, quite simply, game, set and match.
Whether the target is government secrets, credit card numbers or healthcare data, once on a system malware uses a user's identity to complete its mission. The attacker can steer it onto other systems and even reach Active Directory, where additional zombie identities can be created to support the malware's movement and activity.
In both the Target and the Office of Personnel Management (OPM) breaches, the weakest link was a contractor whose valid credentials had been compromised, which let the malware's activity go undetected. Many security teams watch for brute-force attacks made up of many failed logins, but still pay little attention to successful logins that are out of character for the credential's owner.
It is also a fact that the logs of those successful logins may not be readily available for the security team to monitor. Old mindsets leave these logs stored somewhere in IT, where it takes the equivalent of a court order to get them.
Some of our customers have observed that the current "detect and find the malware" approach also leads to many reinfections. Failing to identify every account that has been taken over, or every system those credentials touched, often means the security team believes the problem is fixed, only to find itself in a nightmare game of whack-a-mole.
This approach is also cemented into the sequential four-step security process: detection, analysis, containment and restoration. Malware, and the user or entity whose identity it assumes, has become invisible to many traditional detection systems, and if detection never fires, the rest of the process never starts.
The right user and entity behavior analytics (UEBA) solution addresses these problems. It shifts the focus from the malware to the credential or identity that enables it, and provides visibility into the middle of the attack chain: the land-and-expand (lateral movement) activity.
How this is done varies between UEBA solutions. Most consume specific data types from log management solutions, learn each user's normal behavior and call out behavior that is anomalous. A subset takes the next step of attributing security alerts to the credential involved, and a still smaller group goes further and visualizes the attacker's path through the IT environment on a timeline.
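As an added illustration of the checks the preceding paragraphs describe (this is not code from the original article or from any UEBA product), the following Python script builds a per-credential baseline from successful logins, scores later successful logins for divergence from that baseline, attributes each alert to the credential involved, and prints the path the credential took through the environment. The log format, user names, hosts, addresses, dates and thresholds are all constructed for the example; a real deployment would feed it from the log management platform and tune the tolerances.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed training data (ten days of routine, successful logins).
# jdoe works from one workstation in business hours; svc_hvac is a vendor
# service account that only ever touches HVAC-01 from one internal address.
TRAINING_LINES = []
for day in range(1, 11):
    TRAINING_LINES.append(json.dumps({"ts": f"2015-11-{day:02d}T09:00:00", "user": "jdoe",
                                      "src": "10.1.1.20", "host": "WS-JDOE", "result": "success"}))
    TRAINING_LINES.append(json.dumps({"ts": f"2015-11-{day:02d}T08:00:00", "user": "svc_hvac",
                                      "src": "10.2.5.7", "host": "HVAC-01", "result": "success"}))
TRAINING_LOG = "\n".join(TRAINING_LINES)

# Constructed day under review: jdoe behaves normally (plus one failed login
# from outside), while svc_hvac's credential is used after hours from an
# outside address and walks across four hosts in under an hour.
REVIEW_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2015-11-12T09:05:00", "user": "jdoe", "src": "10.1.1.20", "host": "WS-JDOE", "result": "success"},
    {"ts": "2015-11-12T02:13:00", "user": "svc_hvac", "src": "203.0.113.45", "host": "HVAC-01", "result": "success"},
    {"ts": "2015-11-12T02:20:00", "user": "svc_hvac", "src": "203.0.113.45", "host": "FILESRV-02", "result": "success"},
    {"ts": "2015-11-12T02:31:00", "user": "svc_hvac", "src": "203.0.113.45", "host": "DC-01", "result": "success"},
    {"ts": "2015-11-12T02:40:00", "user": "svc_hvac", "src": "203.0.113.45", "host": "POS-117", "result": "success"},
    {"ts": "2015-11-12T03:00:00", "user": "jdoe", "src": "198.51.100.9", "host": "WS-JDOE", "result": "failure"},
])


def parse_log(text):
    """One JSON object per line -> time-ordered list of events with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per credential: the hosts, source addresses and login hours seen in successful logins."""
    base = defaultdict(lambda: {"hosts": set(), "srcs": set(), "hours": set()})
    for e in events:
        if e["result"] == "success":
            b = base[e["user"]]
            b["hosts"].add(e["host"])
            b["srcs"].add(e["src"])
            b["hours"].add(e["ts"].hour)
    return dict(base)


def score_login(e, baseline):
    """Score one successful login against its credential's baseline -> (score, reasons)."""
    b = baseline.get(e["user"])
    if b is None:
        return 3, ["unknown_credential"]
    reasons = []
    if e["src"] not in b["srcs"]:
        reasons.append("new_src")
    if e["host"] not in b["hosts"]:
        reasons.append("new_host")
    # Two hours of tolerance either side of the observed working window (assumed).
    if not (min(b["hours"]) - 2 <= e["ts"].hour <= max(b["hours"]) + 2):
        reasons.append("off_hours")
    return len(reasons), reasons


def detect(events, baseline, threshold=2, spread_window=timedelta(hours=1), spread_hosts=3):
    """Alert on successful logins that diverge from the baseline, attributed to the credential.

    Failed logins are deliberately ignored: the signal of interest is the
    successful login that is out of character. A credential that reaches
    spread_hosts or more distinct hosts inside spread_window also earns a
    'lateral_spread' reason (the land-and-expand phase).
    """
    recent = defaultdict(list)  # user -> [(ts, host)] of recent successful logins
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        score, reasons = score_login(e, baseline)
        hist = recent[e["user"]]
        hist.append((e["ts"], e["host"]))
        hosts_in_window = {h for t, h in hist if e["ts"] - t <= spread_window}
        if len(hosts_in_window) >= spread_hosts:
            score += 1
            reasons.append("lateral_spread")
        if score >= threshold:
            alerts.append({"ts": e["ts"], "user": e["user"], "host": e["host"],
                           "src": e["src"], "score": score, "reasons": reasons})
    return alerts


def attack_timeline(alerts):
    """Per credential, the ordered (ts, host) path it took while alerting."""
    timeline = defaultdict(list)
    for a in alerts:
        timeline[a["user"]].append((a["ts"], a["host"]))
    return dict(timeline)


if __name__ == "__main__":
    baseline = build_baseline(parse_log(TRAINING_LOG))
    alerts = detect(parse_log(REVIEW_LOG), baseline)
    for a in alerts:
        print(a["ts"], a["user"], a["src"], "->", a["host"], a["score"], ",".join(a["reasons"]))
    for user, path in attack_timeline(alerts).items():
        print(user, ":", " -> ".join(h for _, h in path))
```

Run as-is, the script raises four alerts, all attributed to svc_hvac (the first for a new source address after hours, the later ones also for new hosts and then for lateral spread), and none for jdoe, whose one failed login from outside is never scored at all. The ordered host list per credential is the timeline view; the same attribution is what tells an incident responder which other systems to check before declaring the problem fixed.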
The introduction of UEBA also creates a subtle change to the security process: the detection and analysis steps can be combined, and both accelerated. These benefits are worth the cultural and infrastructure changes needed to make all data, both what is considered ordinary IT infrastructure data and security data, available for analysis by any team that needs it.
Understanding a user's normal credential-enabled access and its characteristics, and measuring how far observed activity diverges from that norm (the gap between a normal user and an attacker using the same credential), must become the new definition of defense in depth.
Getting to containment means looking for a UEBA solution that can also automate the analysis portion of the process. The objective is to complete detection, and the analysis that drives the response, within the "golden hour" of the attack, so the team can move quickly to the containment and restoration phases of the security process.
Once UEBA solutions have enough market penetration, we stand a chance of taking away some of the asymmetric advantages the attacker currently enjoys.