Last year the Verizon Data Breach Investigation Report found that “81% of hacking-related breaches leveraged either stolen and/or weak passwords.” This shouldn’t come as a surprise. Companies have been investing in perimeter defenses for years. The best way for hackers to circumvent these network controls is to use legitimate credentials to authenticate themselves. Protecting against these attacks is a challenge, but there are several things your organization can do to reduce your risk.
NIST recently updated its guidelines for “Authentication and Lifecycle Management” (NIST SP 800-63B). Among the recommendations are:
- Against online attacks, password length and rate-limiting are critical. Passwords chosen by the user should be 8 characters minimum. The rate of login attempts allowed should be limited to prevent brute-force guessing.
- Composition rules can be ineffective. Users often add a number or symbol to an easily-guessed password like “password”. Results like “Password1” or “password1!” are still easy to guess.
- Instead, implement a blacklist of passwords (like the previous examples) that are unacceptable.
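The three recommendations above, as an added example that is not from the original post or from NIST: a minimum length check, a blocklist consulted instead of composition rules, and a sliding-window rate limiter on failed logins keyed by both the target account and the source address. The blocklist entries, account names, addresses and limits are constructed for illustration; the PBKDF2 work factor is likewise an assumed value.

```python
"""Added example (not from the post): a login policy along the lines of the
three NIST SP 800-63B points above -- a length minimum, a blocklist of
unacceptable passwords instead of composition rules, and rate-limiting of
failed attempts. The blocklist, account names and limits are constructed."""
import hashlib
import hmac
import os
import time
from collections import deque

MIN_LENGTH = 8        # SP 800-63B: at least 8 characters for user-chosen passwords
MAX_LENGTH = 64       # accept long passphrases rather than capping them short
ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example

# Constructed blocklist. Production lists come from breach corpora and are
# matched after normalization, so "Password1" is rejected as "password1".
BLOCKLIST = {"password", "password1", "password1!", "qwerty", "letmein", "123456"}


def check_password(password, blocklist=BLOCKLIST):
    """Return (accepted, reason). No composition rules on purpose."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if len(password) > MAX_LENGTH:
        return False, "too long"
    if password.strip().lower() in blocklist:
        return False, "blocklisted"
    return True, "ok"


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Dummy record so unknown accounts cost the same to check as real ones.
_DUMMY = hash_password("not-a-real-password")


class LoginRateLimiter:
    """Sliding window: at most `limit` failures per `window` seconds per key.
    Keys are both the target account and the source address, so guesses
    spread across many accounts from one address are throttled as well."""

    def __init__(self, limit=10, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._failures = {}  # key -> deque of failure timestamps

    def _recent(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allowed(self, key):
        return len(self._recent(key, self.clock())) < self.limit

    def record_failure(self, key):
        now = self.clock()
        self._recent(key, now).append(now)


def attempt_login(limiter, users, account, source_ip, password):
    """Return 'throttled', 'ok' or 'failed'. `users` maps account -> (salt, digest)."""
    keys = (("account", account.lower()), ("ip", source_ip))
    if not all(limiter.allowed(k) for k in keys):
        return "throttled"
    record = users.get(account.lower(), _DUMMY)
    if verify_password(password, *record) and account.lower() in users:
        return "ok"
    for k in keys:
        limiter.record_failure(k)
    return "failed"
```

The limiter's clock is injectable so the window behaviour can be exercised without sleeping; in a real deployment the per-account window would be set with the lockout policy in mind, since throttling is what keeps an 8-character minimum adequate against online guessing.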
While these controls can help prevent dictionary attacks and other brute-force methods, they won’t stop hackers from stealing credentials directly from your users. As NIST points out, “Keystroke logging, phishing, and social engineering attacks are equally effective on lengthy, complex passwords as simple ones.” You can add man-in-the-middle attacks to that list as well.
Continuous Security Monitoring is a must-have security control for detecting and responding to password misuse. Two of the most common attacks to monitor:
Brute-force attack – numerous login attempts from one or more sources to a single account. This attack targets default or common user-chosen passwords. The attacker might time the attempts to avoid tripping lockout policies, so monitoring for this activity is important.
Credential abuse attack – single attempts to many different accounts. This attack spreads out the attempts to different targets to avoid the notice of security monitors looking for numerous repeat attempts. Detecting this attack requires a focus on unusual login attempts from different user names, which may or may not exist on the system.
One of the best places to start is your domain controller logs. Windows Event Logs can be collected from your DC server using Windows Management Instrumentation (WMI), Windows Event Collector (WEC) or via an agent that transmits syslog to a central server.
Using a SIEM or Log Management solution, you should create alerts for attack methods like the two mentioned above. You should also review summary reports of the source and destination for login attempts to your network on a regular basis. Security analysts at Cygilant often uncover suspicious activity for our customers using this type of proactive security monitoring.
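The two attack patterns described above and the SIEM alerts this paragraph calls for, as an added example that is not from the post and is not Cygilant's or SOCVue's code: detection logic run over constructed Windows Security event 4625 (failed logon) records of the kind collected from a domain controller. Field names follow the 4625 event (TargetUserName, IpAddress, SubStatus), and the two SubStatus codes are the documented Windows values for "user name does not exist" and "wrong password"; the sample events, addresses, account names and thresholds are made up. The brute-force check uses a detection window longer than a typical lockout window, so attempts spaced out to avoid lockout are still counted together, and the credential-abuse check reports how many of the targeted names do not exist on the system.

```python
"""Added example (not from the post, not Cygilant's code): detection logic for
brute-force and credential-abuse (spraying) patterns over constructed Windows
Security event 4625 (failed logon) records."""
from collections import defaultdict
from datetime import datetime, timedelta

# 4625 SubStatus codes documented by Microsoft
SUBSTATUS_NO_SUCH_USER = "0xC0000064"
SUBSTATUS_BAD_PASSWORD = "0xC000006A"

# Constructed spray targets: (TargetUserName, SubStatus). Several names do not exist.
SPRAY_TARGETS = [
    ("jsmith", SUBSTATUS_BAD_PASSWORD), ("mjones", SUBSTATUS_BAD_PASSWORD),
    ("administrator", SUBSTATUS_BAD_PASSWORD), ("admin", SUBSTATUS_NO_SUCH_USER),
    ("test", SUBSTATUS_NO_SUCH_USER), ("guest", SUBSTATUS_NO_SUCH_USER),
    ("sqlservice", SUBSTATUS_NO_SUCH_USER), ("backup", SUBSTATUS_NO_SUCH_USER),
    ("rwilson", SUBSTATUS_BAD_PASSWORD), ("support", SUBSTATUS_NO_SUCH_USER),
]

# Constructed sample events: (TimeCreated, TargetUserName, IpAddress, SubStatus)
SAMPLE_EVENTS = (
    # Brute force: 8 guesses at one account, 3 minutes apart, so no
    # 10-minute window ever holds 5 failures (a common lockout threshold).
    [(f"2018-05-01T09:{3 * i:02d}:00", "svc_backup", "203.0.113.7", SUBSTATUS_BAD_PASSWORD)
     for i in range(8)]
    # Credential abuse: one guess each against many names from one source.
    + [(f"2018-05-01T10:00:{i:02d}", name, "198.51.100.9", status)
       for i, (name, status) in enumerate(SPRAY_TARGETS)]
    # Benign: a single typo by a real user.
    + [("2018-05-01T11:00:00", "alice", "10.0.0.23", SUBSTATUS_BAD_PASSWORD)]
)


def _windows(attempts, window):
    """Yield each sliding window (as a slice) of time-sorted attempts."""
    attempts.sort()
    start = 0
    for end in range(len(attempts)):
        while attempts[end][0] - attempts[start][0] > window:
            start += 1
        yield attempts[start:end + 1]


def detect_brute_force(events, threshold=6, window=timedelta(hours=1)):
    """Accounts with >= threshold failures inside any sliding window.
    The window is longer than the lockout policy window on purpose."""
    by_account = defaultdict(list)
    for ts, user, ip, _status in events:
        by_account[user.lower()].append((datetime.fromisoformat(ts), ip))
    alerts = {}
    for user, attempts in by_account.items():
        for w in _windows(attempts, window):
            if len(w) >= threshold and len(w) > alerts.get(user, {}).get("count", 0):
                alerts[user] = {"count": len(w), "sources": sorted({ip for _, ip in w})}
    return alerts


def detect_spraying(events, min_accounts=5, window=timedelta(hours=1)):
    """Sources that fail against >= min_accounts distinct names in a window.
    Counts how many targeted names do not exist, a sign of a guessed user list."""
    by_source = defaultdict(list)
    for ts, user, ip, status in events:
        by_source[ip].append((datetime.fromisoformat(ts), user.lower(), status))
    alerts = {}
    for ip, attempts in by_source.items():
        for w in _windows(attempts, window):
            users = {u for _, u, _ in w}
            if len(users) >= min_accounts and len(users) > alerts.get(ip, {}).get("accounts", 0):
                unknown = {u for _, u, s in w if s == SUBSTATUS_NO_SUCH_USER}
                alerts[ip] = {"accounts": len(users), "nonexistent": len(unknown)}
    return alerts


def run(events=SAMPLE_EVENTS):
    return {"brute_force": detect_brute_force(events), "spraying": detect_spraying(events)}


if __name__ == "__main__":
    for kind, found in run().items():
        print(kind, found)
```

Against the sample, only svc_backup is flagged for brute force (8 failures, one source) and only 198.51.100.9 for credential abuse (10 names, 6 of them nonexistent); the single typo from 10.0.0.23 trips neither rule. Both thresholds and windows are the kind of value a SIEM correlation rule would carry, and the source-to-account breakdown is what the summary reports mentioned above would be built from.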
Stolen credentials and weak passwords are a favorite tool of hackers, but there are ways to defend your organization. By implementing the right security policies and a strong security monitoring program, you can greatly reduce your risk of a hacking-related breach.