Cyber Criminals are Automating - Why Can't We?
More and more cyber criminals are using automation to save time on mundane tasks like brute-forcing user credentials. A long, boring, but potentially rewarding task like that is exactly what computers are built for. Criminals take advantage of a computer's tolerance for mind-numbing repetition, and ultimately they monetize the carelessness of people who choose weak passwords. All it takes is a little code and a lot of bad intentions; despite the primitive connotations of its name, a brute force attack is actually pretty clever.
These attacks succeed because someone much smarter forged the path. Someone figured out how to automate the attack. Someone found the vulnerabilities to exploit. Someone did all the smart work up front, and that smart part is what stings, because more often than not it is the automation and the persistence, rather than any fresh ingenuity, that beat an organization's defenses.
If brute force attacks are automated to try millions of passwords in seconds, but people change their passwords once in a blue moon, what chance do they have? We need to combat this by automating password rotation as well. Rotation does not stop the guessing itself; lockout, rate limiting and a sane password policy do that. What rotation does is shrink the window in which a guessed or stolen credential remains usable.
Administrative passwords are essentially the keys to the kingdom within any organization. If even one is compromised, a clever attacker can use it to gain access to other areas of the network. A recent Lieberman Software survey revealed that over three-quarters (77 percent) of IT professionals believe passwords are failing IT security.
The study looked at the attitudes of nearly 200 cyber security professionals, and it also found that 53 percent of those surveyed thought that modern hacking tools could easily break passwords within their organizations. Given the IT audience surveyed, these results tap into the mindset of the IT security industry, and perhaps it is time to rethink the way passwords are handled within organizations.
Shockingly, the same survey found that 10 percent of respondents never update their administrative passwords. Admittedly, it is difficult for IT staff to keep track of all their admin passwords, and it gets harder still when you are expected to know every place where a credential is used and what might break when it is changed; the service account embedded in a scheduled task or an application configuration file is the classic case. But because of the sensitive systems these credentials protect, frequent privileged password changes are essential for good security.
So what if organizations could react with an automated defense? Taking control of privileged account management would greatly reduce the attacker's surface for compromise and curtail lateral movement in the event a brute force attack succeeds and the attacker gets into a system.
This is not rocket science, and it is not original. After one of the major data breaches of last year, consultants parachuted in from the biggest names in the IT security business. They sat and stared at screens, drank a lot of caffeine, and after 36 hours concluded that all the privileged credentials should be changed.
Now imagine an automated response that kicks in the moment a breach is detected; of course that would have been better. Rotating credentials at the point in time of an active attack cuts off the attacker's access to the privilege needed to succeed, without affecting legitimate users, who were already going through a process to obtain access on demand.
The key is that, since legitimate users would not have always-on privilege in that scenario anyway, the only ones feeling the pain of the automated response are the bad guys. That holds provided the rotation also updates every place the credential is embedded (services, scheduled tasks, scripts), which is exactly the dependency tracking that makes manual rotation so hard.
Once the power to control rights and privileges is sorted out, the solution should hook into other security systems so that everything works as a healthy, closed loop. If analytics and logging solutions are examining all the security event data to find patterns, then the data about who legitimately holds privilege at any moment is at least as important. That enables simple correlations: an action performed with a privileged identity that is not currently checked out to any authorized user is suspicious. If solutions are detecting malware and other incidents as they happen, a privileged response (rotating the affected credentials) can be automated in near real time with no operational impact on users who obtain privilege on demand. Of course, organizations have to put the technology in place to make this possible. But once it is in place, it is easy to push a button as an automated response, knowing the tools and the talent are lined up.
If attackers are successfully breaching organizations by using automated attacks such as brute forcing, organizations need to respond in kind; that is the trick to making automation an ally instead of an enemy.
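As an added example (not code from the original article or from Lieberman Software), here is the check-out correlation described above combined with the automated rotation argued for earlier, in Python. The vault class, the check-out ledger, the logon events, and every account and host name are constructed for illustration. A real deployment would read the ledger from the privileged account management system and the events from the SIEM, and the rotation would push the new secret to the managed system instead of merely storing it.

```python
"""Flag privileged-account use that is not covered by a check-out, then
rotate the affected accounts.  Added example with constructed data; the
vault, ledger, events and names are hypothetical."""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Checkout:
    """A time-boxed grant of a privileged account to a named user."""
    account: str
    user: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class AuthEvent:
    """One successful logon as a SIEM might forward it (constructed format)."""
    ts: datetime
    account: str
    host: str


class PrivilegedVault:
    """Minimal stand-in for a privileged password vault: it holds the current
    secret for each account and can rotate it to a fresh random value."""
    ALPHABET = string.ascii_letters + string.digits + string.punctuation

    def __init__(self, accounts):
        self.secrets = {a: self._generate() for a in accounts}
        self.rotation_log = []  # (account, reason), in the order performed

    @classmethod
    def _generate(cls, length=32):
        return "".join(secrets.choice(cls.ALPHABET) for _ in range(length))

    def rotate(self, account, reason):
        old = self.secrets[account]
        new = self._generate()
        while new == old:  # astronomically unlikely; keeps the "changed" invariant
            new = self._generate()
        self.secrets[account] = new
        self.rotation_log.append((account, reason))
        return new


def authorized(event, ledger):
    """True if some check-out of event.account covers event.ts."""
    return any(c.account == event.account and c.start <= event.ts <= c.end
               for c in ledger)


def find_unauthorized_uses(events, ledger):
    """The correlation from the article: a privileged identity used while it
    is not checked out to any authorized user is suspicious."""
    return [e for e in events if not authorized(e, ledger)]


def respond(events, ledger, vault):
    """Automated response: rotate each account seen in an unauthorized use,
    once per account, and return the set of accounts rotated."""
    rotated = set()
    for e in find_unauthorized_uses(events, ledger):
        if e.account not in rotated:
            vault.rotate(e.account, f"unauthorized use on {e.host} at {e.ts:%H:%M}")
            rotated.add(e.account)
    return rotated


def ts(s):
    return datetime.fromisoformat(s)


# Constructed check-out ledger: alice holds admin-db from 10:00 to 11:00.
LEDGER = [Checkout("admin-db", "alice", ts("2015-03-02T10:00"), ts("2015-03-02T11:00"))]

# Constructed logon events.
EVENTS = [
    AuthEvent(ts("2015-03-02T10:15"), "admin-db", "db01"),          # inside alice's window
    AuthEvent(ts("2015-03-02T13:40"), "admin-db", "fileserver01"),  # nobody has it checked out
    AuthEvent(ts("2015-03-02T10:30"), "admin-web", "web01"),        # never checked out at all
]


def demo():
    """Run the correlation and response over the constructed data."""
    vault = PrivilegedVault(["admin-db", "admin-web"])
    before = dict(vault.secrets)
    rotated = respond(EVENTS, LEDGER, vault)
    return rotated, before, vault


if __name__ == "__main__":
    rotated, before, vault = demo()
    for acct in sorted(rotated):
        print(f"rotated {acct}: changed={before[acct] != vault.secrets[acct]}")
    for acct, reason in vault.rotation_log:
        print(acct, reason)
```

The logon at 10:15 is ignored because alice's check-out covers it; the other two are flagged and their accounts rotated. Alice is unaffected by the rotation of admin-db because her next check-out hands her the new secret, which is the point the article makes about on-demand access.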
About the Author
Jonathan Sander is VP of Product Strategy for Lieberman Software where he is responsible for working with sales, marketing, product development and the channel to steer the direction of the company through corporate development and product management. He is frequently quoted by IT security media, as well as business and mainstream press.
Edited by Peter Bernstein