Each year, Verizon releases its Verizon Data Breach Investigations Report, or DBIR. The report details findings Verizon has collected throughout the year regarding incident response activity undertaken by the company. The report is highly anticipated and offers a wealth of information on attackers and their tactics, techniques and procedures (TTPs).
The 2016 report, Verizon’s ninth DBIR, detailed findings from over 64,000 incidents that occurred in 2015. One thing is clear among Verizon’s findings. Stolen credentials are at the core of a startling number of breaches, and serve as a pivot point for attackers to gain access to your organization or embed themselves deeper once they are in. In many cases, credentials were the target of the attacks themselves.
Stolen Credentials: A Core Tactic
Verizon makes a startling statement that 63% of attacks it studied leveraged stolen credentials at some point in the attack. In addition, attackers are increasingly upping their game, often combining the use of stolen credentials with other attack methodologies.
One example detailed by the report is the technique of issuing credentials via a pre-existing foothold within the network, as opposed to from the internet, to increase the chances of avoiding detection. This technique is affirmed in a fascinating recent data dump released to pastebin by a black hat, around the breach of “Hacking Team”, an Italy based security company. A key turning point in that breach involved the use of stolen credentials proxied through an exploited embedded device at the perimeter of the organization.
In some cases, credentials themselves are the target of the attackers, either directly or opportunistically, to be used in later attacks. The report details evidence that attackers will often harvest credentials using malware or other means, exfiltrate them, and use them to attack other organizations.
The Human Element
It’s important to remember that ultimately, there are humans involved on both sides of a breach. Humans are creatures of habit, with behaviors that can be studied, analyzed and in many cases, influenced. So what is behavior anyway? Read this great blog post by SecureAuth CTO Keith Graham.
The DBIR report makes the human element very clear, detailing that phishing is still very much a problem. “Human assets” within an organization are targeted, and a “vector" is selected for which to influence the behavior of the targeted human into doing something they normally wouldn’t do. The attack is then carried out. In the same vein, we can use the human element against attackers. We can analyze the behavior, logical and physical, of our user base and search for deviations. One way to study physical deviations in behavior is through the use of behavioral biometrics. Behavioral biometrics can detect variances in keyboard, mouse and touch dynamics as users interact with systems and devices.
Turning the Tide: Protect, Detect and Respond
The DBIR describes the use of two-factor authentication as a “bar worth raising” to hinder the rising tide of credential abuse. This is sound advice, but two-factor is only part of the journey. As attackers raise the bar, so must we, and that means a multi-layered, adaptive approach to authentication and identity security. We must look at all available attributes of an authentication, both logical and physical.
The report provides disconcerting evidence that the mean time to detection of breaches may also be inching back up, after a decline reported in the 2015 report. A conclusion raised is that the time to compromise, i.e. the time it takes from the launch of an attack campaign to the initial compromise, has become lightning fast. Attackers move to obtain credentials very quickly, and perimeter defenses often lose sight as attackers begin to move laterally within the organization.
Identity security is key to today's security lifecycle. It is equal in importance to network and endpoint security. It must be considered in all aspects of security: protection through the implementation of strong and adaptive authentication including behavioral biometrics, and detection/response through analysis and correlation of rich data provided by an adaptive authentication engine.