In today’s highly-connected world, the number of devices that are connected and interlinked to the business world is increasing. All digital activities create opportunities for cybercriminals to exploit. While organizations may be subject to internal security threats, the list of external threats is also expanding quickly. Lately, organizations have been facing threats, which compromise confidential information and inflict financial losses.
More importantly, whether acting out of malice or negligence, insiders also pose significant cyber security risks to every organization. Data from a quarterly threat landscape report indicates that the rise of insider threats shows no signs of slowing down. The dangers posed by insider threats are becoming more widely recognized, yet not enough resources are being allocated to mitigate the risk they pose. Threat actors are becoming more sophisticated in their attacks, and continue to target employees. The cyber defenses of every organization need to keep up.
What is an Insider Threat?
An insider threat is a security risk posed by an internal source with legitimate access to the organization’s sensitive information and digital assets. Anyone working for, or connected to, a company, such as current and former employees, contractors, business associates and vendors, is a potential insider threat.
Activity is treated as an insider threat when it comes from a user’s credentials with legitimate access to the organization’s network, applications, or databases. Defending against insider threats is more than just picking the right security solutions; it also means building a comprehensive security program that accounts for people, processes, and technology in order to defend effectively against these kinds of threats.
Types of Insider Threats
Malicious Insider
An employee or contractor who knowingly seeks to steal information or disrupt operations. This may be an opportunist looking for information that can be sold, or a disgruntled employee looking for ways to hurt the organization.
Negligent Insider
An employee who does not follow proper IT procedures. For instance, an employee who leaves a computer without logging out, or an admin who does not change a default password, constitutes a negligent insider.
Compromised Insider
A common example is an employee whose computer has been infected with malware. This typically happens via phishing scams, or clicking on dubious links that self-initiate malware downloads. Compromised insider machines can be used as a home base by cybercriminals, from which they could scan files, share data, escalate privileges, infect other systems, and more.
Insider threats are difficult to detect, because the threat actor has legitimate access to the organization’s systems and data. That is because an employee needs access to resources like email, cloud, applications or network, to successfully perform the assigned job.
Depending on the role, some employees will also need access to sensitive information, such as financials, patents, and customers’ personal information. As insiders have legitimate credentials and access to the organization’s systems and data, many security mechanisms classify their behavior as normal and do not trigger any alerts.
What is a Credential Insider Attack?
Compromised credential attacks are a kind of cyber attack in which malicious actors use a list of compromised credentials, to attempt logging into a wide range of online accounts. The goal of the attack, like so many others, is to steal personal and financial information from the compromised account. Because authentication is typically achieved via Application Programming Interfaces or APIs, this kind of attack is a significant threat.
Compromised credential attacks rely on the fact that many people use the same password across multiple accounts. When an organization is hit with a large-scale credential-stuffing attack, there isn’t much it can do beyond disabling accounts and requiring users to change their credentials. Even when users enable two-factor authentication (2FA) and other security mechanisms, it is still possible for cybercriminals to bypass these features, as they grow more sophisticated by the day.
How does a Compromised Credential Attack Work?
In many ways, compromised credential attacks are similar to brute force attacks, but they differ in a few ways. In a brute force attack, the attacker uses an application to automate the cracking of the password, by trying thousands of possible passwords per minute. Credential stuffers, on the other hand, already have a list of previously cracked or hashed passwords that were compromised through various means, such as data breaches, phishing, malware, or keyloggers.
In a compromised credential attack, the attackers won’t manually attempt to log into all the accounts on their list. Instead, they use automation tools, referred to as brute force checkers. These small applications are programmed to attempt logins to accounts, typically from varying IP addresses.
These checkers can use leaked usernames and passwords to attempt logins on many different sites, apps, and services. Because many users have the same password across multiple accounts, attackers can easily break into their accounts with a shared password. These tools can also automatically steal the user’s personal, financial, and highly sensitive information.
Challenges Faced by Multi-Factor Authentication (MFA)
While authentication acts as an additional barrier between cyber criminals and sensitive data, there has been an increase in attacks that exploit MFA as well. Reports have shown that experienced cybercriminals are able to compromise it.
The following are common ways cybercriminals bypass MFA; they apply to Two-Factor Authentication (2FA) as well.
- Social Engineering involves tricking a victim into revealing privileged information that can be leveraged in a cyber attack. This method is most commonly used when the attacker has already compromised the victim’s credentials in some form.
- Consent Phishing happens when hackers present a legitimate-looking open authorization (OAuth) consent page and request whatever level of access they need from a user. If the user grants these permissions, the hacker can bypass the need for any MFA verification, potentially enabling full account takeover.
- Brute Force is where hackers try different password combinations until they are finally able to get through.
- Man-in-the-Middle Attack occurs when a cyber criminal compromises a user’s login session through session hijacking. When a user logs into an online account, the session cookie contains authentication credentials and tracks the session activity. The “cookie” remains active, until the user ends the session by logging out.
Overcoming the Risks of Complex Cyber Attacks
There are multiple ways to defend against compromised credential attacks and the bypassing of MFA or 2FA controls. The following list explores how organizations can implement better security protocols for users.
Disallow Previously Compromised Passwords
It’s possible to integrate lists of compromised passwords within your authentication systems, such that if one of your users ever sets up a compromised password, it is rejected, and the user is prompted to choose another one.
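As an added illustration (not code from the original post or from ATSG), the block below shows how a password-change handler can reject known-compromised passwords using the k-anonymity range pattern, in which only the first five hex characters of the candidate's SHA-1 hash are sent to the lookup service. The breached corpus and the range endpoint are simulated locally with constructed values.

```python
import hashlib
from typing import Dict, Set, Tuple

# Constructed breached-password corpus for the demo: a few plaintexts hashed
# inline. Real breach lists are distributed as SHA-1 hex digests, so the same
# format is stored here.
_BREACHED_PLAINTEXTS = ["password", "123456", "qwerty", "letmein", "Welcome12345"]
BREACHED_SHA1: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _BREACHED_PLAINTEXTS
}


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the key format used by breached-hash lists."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str, corpus: Set[str] = BREACHED_SHA1) -> Dict[str, int]:
    """Local stand-in for a k-anonymity range endpoint: given the first 5 hex
    characters of a SHA-1, return the 35-character suffixes of every breached
    hash sharing that prefix. Only the prefix ever leaves the client, so the
    service never learns the full hash, let alone the password. Counts are
    constructed (always 1) for the demo."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    return {h[5:]: 1 for h in corpus if h.startswith(prefix)}


def is_compromised(password: str) -> bool:
    """True if the password's hash suffix appears in the range for its prefix."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def validate_new_password(password: str, min_length: int = 12) -> Tuple[bool, str]:
    """Policy check to run when a user sets or changes a password: reject
    short passwords and any password found in the breached corpus."""
    if len(password) < min_length:
        return False, f"password must be at least {min_length} characters"
    if is_compromised(password):
        return False, "password appears in a known breach; choose another one"
    return True, "ok"
```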
Use an AI-based Intrusion Detection System (IDS)
By leveraging Machine Learning (ML), enterprises can “teach” an IDS the normal behavior patterns on the network and use them as a baseline for detecting abnormal events. This is typically referred to as behavioral analytics. With some training, an AI-powered IDS will be able to detect suspicious or malicious behavior and save the organization from a compromised credential attack.
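The following is an added example, not code from the original post or from ATSG, of the baseline-then-flag idea described above applied to the credential-stuffing pattern from the earlier section (one source trying many different accounts). It learns the normal per-source count of distinct failed accounts from known-good log windows and flags sources that exceed mean plus k standard deviations; the syslog-style log lines and IP addresses are constructed for the demo.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed auth-log format: "<timestamp> auth: FAIL|OK user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines: List[str]) -> List[Dict[str, str]]:
    """Parse log lines into dicts; lines that do not match are ignored."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]


def failures_per_source(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Number of distinct accounts with a failed login, per source IP."""
    accounts = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            accounts[e["src"]].add(e["user"])
    return {src: len(users) for src, users in accounts.items()}


def learn_baseline(windows: List[List[str]]) -> Tuple[float, float]:
    """Mean and population stdev of the per-source metric over normal windows."""
    samples = [n for w in windows for n in failures_per_source(parse(w)).values()]
    return statistics.fmean(samples), statistics.pstdev(samples)


def detect(lines: List[str], baseline: Tuple[float, float], k: float = 3.0, floor: int = 5) -> List[Tuple[str, int]]:
    """Sources whose distinct-failed-account count exceeds max(floor, mean + k*stdev).
    The floor keeps a very quiet baseline from flagging ordinary typos."""
    mean, stdev = baseline
    threshold = max(floor, mean + k * stdev)
    return sorted((s, n) for s, n in failures_per_source(parse(lines)).items() if n > threshold)


# Constructed windows of normal traffic: a user mistyping a password, a shared host.
NORMAL_WINDOWS = [
    ["2024-05-01T09:00:00 auth: FAIL user=alice src=10.0.0.5",
     "2024-05-01T09:00:07 auth: FAIL user=alice src=10.0.0.5",
     "2024-05-01T09:00:20 auth: OK user=alice src=10.0.0.5",
     "2024-05-01T09:10:00 auth: FAIL user=bob src=10.0.0.7",
     "2024-05-01T09:11:00 auth: FAIL user=carol src=10.0.0.7"],
    ["2024-05-01T10:00:00 auth: FAIL user=dave src=10.0.0.9"],
]
# Constructed suspect window: one source failing against eight different accounts.
SUSPECT_WINDOW = [f"2024-05-01T11:0{i}:00 auth: FAIL user=user{i} src=203.0.113.10" for i in range(8)] + [
    "2024-05-01T11:09:00 auth: FAIL user=alice src=10.0.0.5"]
```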
Use of Complex Passwords
The more complex a password, the less likely users are to fall victim to a credential-based attack. A strong and unique password will always be the first line of defense in a credential attack.
Open Email Attachments with Caution
Unless you are sure you know who the sender is, and have confirmed with that person that they actually sent the email, it is advisable not to open it. Users should also check whether the email contains an attachment, and know what the attachment is.
Using a Firewall
Built-in firewalls are available within all major operating systems (OS). It is vital that your firewalls are active and properly configured, so that malicious traffic can be identified and blocked in a timely manner.
The Importance of Integrating Effective Security Methods
The cyber security landscape is rapidly evolving, due to the adoption of innovative technologies and digital transformation. It is imperative to integrate solutions that can overcome cyber threats such as credential theft and the bypassing of security protocols.
Integrating appropriate security mechanisms through specialized service providers is of paramount importance. Having the right solution provider can help organizations invest in the right security protocols, and maintain strong compliance.
Improving the Cybersecurity Posture with ATSG
Cybersecurity threats are extremely volatile, and engaging a capable service provider can help an organization handle and avoid the possibility of a cyber-attack. To better cope with cyber threats, such as credential theft and bypassing MFA, it has become essential to have reliable technology and IT solutions providers, like ATSG.
ATSG’s highly professional and certified experts can suggest an optimal solution that helps enterprises push past cybersecurity challenges. Cyber threats continue to grow in complexity, especially as cybercriminals grow more sophisticated with every passing day.
Therefore, it has become vital to adopt solutions that can effectively mitigate present day cyber threats. It is also important to promote employee awareness, and improve their skills around security protocols. So, understanding and adopting intelligent security solutions offered by ATSG can elevate the cybersecurity posture of your enterprise.