Just Let Yourself In: How Attackers Are Granted “Authorized” Access to Your Network


These days, data breaches occur on a daily basis. As a result, data security is more important than ever. Privacy regulations like the EU’s General Data Protection Regulation (GDPR), state-level laws in the US such as the CCPA, and industry-specific standards such as HIPAA and PCI DSS have taken a hard stand on the privacy of individuals’ personal data. If an organization loses control of an individual’s personal information, or even fails an assessment, the consequences can be significant.

Most organizations have a cybersecurity strategy, and most of those strategies are perimeter-focused. You do your best to build a wall between your organization and the outside, and try to keep authorized users in and attackers out. These defenses are common because they generally work, and a key reason they work is that they rest on an assumption: employees know something that attackers don’t (a password, for example). That asymmetry is what lets the system be both usable and secure. But what if the assumption isn’t accurate?

Passwords are the target

Hacking has become commercialized. Instead of “lone wolves” breaking into organizations for fun, there are many criminal groups in it for the money. In any industry, profitability depends on efficiency, so these groups target the low-hanging fruit: your password.

One of the easiest ways for attackers to get into an organization is through spilled credentials. In 2017, a study by Shape Security found that 2.3 billion credentials were reported stolen in 51 separate data breaches. The equivalent report for 2018 hasn’t come out yet, but the results are likely to be even worse.

These credentials are valuable to attackers for multiple reasons. For starters, they provide access to the user’s accounts on the breached service. Depending on what service that is, the impact could range from essentially nothing to access to the user’s finances. Or, in the case of the attacks against the British and Australian Parliaments, weak passwords may result in the loss of state secrets and other sensitive governmental data.

The fact that most people reuse passwords (or use weak ones) makes the potential impact of these breaches much greater. Credential stuffing attacks, where an attacker replays username and password pairs leaked from one breach against the login forms of other sites in the hope that some users reused them, cost US businesses over $5 billion per year. With success rates of up to 3%, a single run over a few hundred thousand leaked pairs can be expected to produce thousands of valid logins, giving the attacker “authorized” access to your network.

Caught in the Act

With the high probability that attackers can obtain authentic credentials for your network, your security landscape changes dramatically. Instead of a wall between you and your attackers, the hacker has a key to the back door and can let themselves in. Depending on the details of your security setup and the attack, this can be bad or very, very bad.

One consideration when dealing with an attacker holding valid credentials is how they obtained them and whether they already knew the pair was valid before using it against you. If they found a password that an employee reused on a breached account, they may get in on their first try, which makes them very difficult to distinguish from an ordinary authorized login.

On the other hand, a credential stuffing attack is comparatively easy to detect, because every pair that was not reused produces a failed login. A large number of failed attempts, whether against one account or spread thinly across many, should immediately raise a red flag. The caveat is that attackers know per-IP counters exist: a stuffing run is usually spread over proxies or a botnet and paced so that no single source or account trips a threshold, so the failure rate and the number of distinct usernames must also be watched across the whole login endpoint. When a run is detected, any account that saw a successful login during it should be treated as potentially compromised: invalidate its sessions and require a password reset. Be cautious about locking accounts purely on failed attempts, since that hands the attacker a cheap way to lock your own users out.
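The detection logic described above, as an added example that is not part of the original article or any product it discusses. It assumes a constructed, simplified log format (timestamp, source IP, username, OK/FAIL) and constructed sample lines; the thresholds and window size are illustrative. It counts failures per source and per account for the noisy case, and for the distributed case flags a window in which failures are numerous and spread across mostly distinct usernames, then marks any success in that window from a source that also failed on someone else’s account as a suspected compromise.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (an assumption for this example, not a real
# product's format): "<ISO-8601 UTC time> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = [
    # A legitimate user mistypes once, then succeeds.
    "2019-03-04T10:00:01Z 203.0.113.10 alice FAIL",
    "2019-03-04T10:00:09Z 203.0.113.10 alice OK",
]
# One source hammering one account: the classic noisy pattern.
SAMPLE_LOG += [f"2019-03-04T10:02:{s:02d}Z 203.0.113.50 bob FAIL" for s in range(0, 48, 6)]
# Distributed credential stuffing: 40 bots, each replaying two leaked
# username/password pairs exactly once, so no per-IP or per-account
# counter ever reaches a threshold. Bot 17's second pair is a hit.
for i in range(40):
    ip = f"198.51.100.{i + 1}"
    SAMPLE_LOG.append(f"2019-03-04T10:10:{i:02d}Z {ip} user{i:03d} FAIL")
    status = "OK" if i == 17 else "FAIL"
    SAMPLE_LOG.append(f"2019-03-04T10:10:{i:02d}Z {ip} user{i + 40:03d} {status}")


def parse_line(line):
    ts, ip, user, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, status == "OK"


def detect_stuffing(lines, window=timedelta(minutes=5), per_ip=5,
                    per_account=5, window_fails=20, distinct_ratio=0.8):
    """Return alerts keyed by the signal that fired."""
    fails_by_ip, fails_by_user = Counter(), Counter()
    buckets = defaultdict(list)          # window start -> [(ip, user, ok)]
    epoch = datetime(1970, 1, 1)
    for ts, ip, user, ok in map(parse_line, lines):
        if not ok:
            fails_by_ip[ip] += 1
            fails_by_user[user] += 1
        start = epoch + ((ts - epoch) // window) * window
        buckets[start].append((ip, user, ok))

    alerts = {
        "noisy_ips": sorted(ip for ip, n in fails_by_ip.items() if n >= per_ip),
        "targeted_accounts": sorted(u for u, n in fails_by_user.items() if n >= per_account),
        "distributed_windows": [],
        "suspected_compromises": [],
    }
    for start, events in sorted(buckets.items()):
        fails = [(ip, user) for ip, user, ok in events if not ok]
        if len(fails) < window_fails:
            continue
        # Stuffing tries each leaked pair once, so failures spread over
        # many distinct accounts; a brute force concentrates on a few.
        if len({user for _, user in fails}) / len(fails) < distinct_ratio:
            continue
        alerts["distributed_windows"].append(start.isoformat())
        failed_on = defaultdict(set)
        for ip, user in fails:
            failed_on[ip].add(user)
        # A success inside the wave from a source that also failed on
        # somebody else's account is a stuffing hit, not a real user.
        for ip, user, ok in events:
            if ok and failed_on[ip] - {user}:
                alerts["suspected_compromises"].append(user)
    return alerts


if __name__ == "__main__":
    for signal, hits in detect_stuffing(SAMPLE_LOG).items():
        print(f"{signal}: {hits}")
```

Run stand-alone it reports the single noisy source and its target account, the 10:10 window as a distributed run, and user057 as the account to reset. The per-source and per-account counters alone would never have flagged the bots, which is the point of the window-level check.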

Needle in a Haystack

In the situation where the attacker has gotten lucky and logged in cleanly on the first try, you’re essentially looking for a needle in a haystack. If your network defenses are perimeter-focused, with little depth behind the login, it may be difficult or impossible to tell a legitimate login from an illegitimate one by the authentication event alone. You’ll have to look deeper, at what the session does after it is in.

This is where having a data security solution in place really pays off. These systems vary in their features, but the overall philosophy is the same: they monitor the repositories of sensitive data your organization holds for anything that looks unusual. That could be a request from a user who never touches that data, a query at an hour the user is never active, or an unusual rate or volume of database lookups. Anything out of the ordinary raises an alert. A data security solution that can monitor for risky or unusual user behavior is the tool that catches an attacker who walked in with authentic, stolen credentials. Once they have access, the attacker’s behavior will almost certainly deviate from what is normal for that user, because they are after the data, not the user’s day job. A solution built around that baseline is not defeated by a valid password, because it judges what the session does rather than how it authenticated.
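A minimal version of the behavioral baseline described above, as an added example that is not part of the original article or of any vendor’s product. It assumes a constructed event shape (user, table, row count, timestamp) and constructed history for one user; the rules (unseen table, unusual hour, result set more than ten times the historical maximum) are illustrative stand-ins for the statistical models real products use. The point it demonstrates is that an attacker using a valid password still produces an access pattern the user never has.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Access:
    """One query against a sensitive data store (constructed event shape)."""
    ts: datetime
    user: str
    table: str
    rows: int


# Constructed history: four weeks of alice's normal work on two tables,
# business hours only, never more than a couple of hundred rows at a time.
HISTORY = [
    Access(datetime(2019, 2, 1 + day, 9 + day % 8, 0), "alice", table, 20 + 6 * day)
    for day in range(28)
    for table in ("orders", "shipments")
]


def build_baseline(history):
    """Per-user profile: tables touched, hours active, largest result set seen."""
    base = defaultdict(lambda: {"tables": set(), "hours": set(), "max_rows": 0})
    for a in history:
        b = base[a.user]
        b["tables"].add(a.table)
        b["hours"].add(a.ts.hour)
        b["max_rows"] = max(b["max_rows"], a.rows)
    return dict(base)


def score(access, baseline, volume_factor=10):
    """Reasons this access deviates from the user's baseline (empty list = normal)."""
    b = baseline.get(access.user)
    if b is None:
        return ["no history for this user"]
    reasons = []
    if access.table not in b["tables"]:
        reasons.append(f"first access to table {access.table}")
    if access.ts.hour not in b["hours"]:
        reasons.append(f"activity at {access.ts.hour:02d}:00 outside usual hours")
    if access.rows > volume_factor * b["max_rows"]:
        reasons.append(f"{access.rows} rows returned vs historical max {b['max_rows']}")
    return reasons


def triage(events, baseline):
    """Events worth an analyst's time, with the reasons attached."""
    flagged = []
    for e in events:
        reasons = score(e, baseline)
        if reasons:
            flagged.append((e.user, e.table, reasons))
    return flagged


BASELINE = build_baseline(HISTORY)

# Constructed new activity: a normal query, then what someone holding
# alice's valid password typically does: a bulk pull, at 03:12, of a
# table she has never used.
NEW_EVENTS = [
    Access(datetime(2019, 3, 5, 11, 0), "alice", "orders", 80),
    Access(datetime(2019, 3, 5, 3, 12), "alice", "customers_pii", 250_000),
]

if __name__ == "__main__":
    for user, table, reasons in triage(NEW_EVENTS, BASELINE):
        print(f"{user} on {table}: " + "; ".join(reasons))
```

Both events authenticated as alice; only the second one is flagged, on all three signals at once. Stacking independent signals like this is what keeps the alert volume manageable, since a single off-hours query by a real user should not page anyone.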

Staying Secure

Breached, stolen, and weak passwords are a significant threat to an organization’s data security strategy. Most perimeter-focused defenses are designed to catch attackers trying to sneak in without credentials, not the ones who arrive with valid ones.

A data security solution is vital to detecting these attacks and stopping them before they succeed. By learning how each user “normally” behaves and comparing that baseline against what the account is doing now, these tools surface the attacker’s deviant behavior and can alert on or block the session before anything sensitive leaves your network.
