It’s tough to come up with an effective counter-measure to external attacks when you can’t see your enemy. While there are plenty of stories in the news of how a certain company fell prey to a very specific attack, it’s hard to translate that into an actionable response. So, you walk through the “usual suspects” checklist of things to protect against: malware, phishing emails, ransomware, keyloggers, etc. – all in an effort to give your organization some sense of “we have this under control”.
But, just as you are updating your tactics and are leveraging the latest security solution tech money can buy, so are the bad guys.
As an AV vendor updates their detection engines and puts them out to market, the bad guys are testing new variants of rootkits and malware against those engines to determine exactly how to enter your network undetected.
So, looking beyond all the protective measures you should be putting in place, the question becomes how do you detect when an attacker has made their way inside?
Every security solution today is reacting to behavior. They’re looking for actions based on historical data that indicates the potential for malicious activity. Attacks tend to follow a similar pattern, so it makes sense for vendors to educate themselves on the patterns and create a defense. But, as mentioned before, the bad guys know this and work to come up with new attack methods that avoid detection.
But even so, there’s one aspect of an external attack – particularly those where the goal isn’t to simply infect one machine, but to truly infiltrate and extend their reach within your network – that always rings true:
The attacker is going to need to logon.
In external attacks involving attempted or successful data breaches, the use of stolen credentials lies at the top of the list of threat actions, nearly on par with the use of phishing and command & control malware. In nearly every industry, credentials are found in a material percentage of breaches. Why? Because they are needed to access valuable data.
And for every set of compromised credentials, there will be at least one logon event when it’s used. Regardless of the kind of logon (local, remote, via SMB, via RPC, etc.), you can’t use credentials without logging on.
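To make the point concrete, here is an added example that is not part of the original post or the whitepaper it links to: a small Python detector that walks Windows Security log records (Event ID 4624 for a successful logon, 4625 for a failure, each carrying a logon type such as Interactive, Network for SMB/RPC access, or RemoteInteractive for RDP) and flags two patterns that a credential-based intrusion tends to produce. The log records, the known user/host baseline, and the thresholds are all constructed for illustration.

```python
"""Flag suspicious logon patterns in Windows Security events.

Added illustration; the sample records and baseline below are constructed,
not taken from a real system.
"""
from collections import defaultdict
from datetime import datetime

# Subset of the logon type codes reported in Event ID 4624 / 4625.
LOGON_TYPES = {
    2: "Interactive",         # console logon
    3: "Network",             # SMB share access, RPC, WinRM, etc.
    5: "Service",
    7: "Unlock",
    10: "RemoteInteractive",  # RDP
}

# Constructed sample records: (timestamp, event_id, account, source_host, logon_type).
SAMPLE_EVENTS = [
    ("2024-03-01T08:02:10", 4624, "alice", "WS-ALICE", 2),
    ("2024-03-01T08:15:43", 4624, "alice", "FS01", 3),
    ("2024-03-01T23:41:05", 4625, "bob", "WS-TEMP7", 3),
    ("2024-03-01T23:41:07", 4625, "bob", "WS-TEMP7", 3),
    ("2024-03-01T23:41:09", 4625, "bob", "WS-TEMP7", 3),
    ("2024-03-01T23:41:11", 4625, "bob", "WS-TEMP7", 3),
    ("2024-03-01T23:41:13", 4625, "bob", "WS-TEMP7", 3),
    ("2024-03-01T23:41:20", 4624, "bob", "WS-TEMP7", 3),
    ("2024-03-02T09:00:00", 4624, "bob", "WS-BOB", 2),
]

# Hypothetical baseline of (account, host) pairs seen during normal activity.
BASELINE = {("alice", "WS-ALICE"), ("alice", "FS01"), ("bob", "WS-BOB")}


def parse(record):
    """Turn one raw tuple into a dict with a human-readable logon type."""
    ts, event_id, user, host, logon_type = record
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": event_id,
        "user": user,
        "host": host,
        "logon_type": LOGON_TYPES.get(logon_type, f"Unknown({logon_type})"),
    }


def detect(records, baseline=BASELINE, fail_threshold=5, window_seconds=60):
    """Return findings for two logon patterns.

    success_after_failures: a 4624 preceded by >= fail_threshold 4625s for the
        same account/host inside window_seconds (brute force or spray landing).
    new_user_host_pair: a successful logon from an account/host combination
        never seen in the baseline (possible use of stolen credentials).
    """
    findings = []
    failures = defaultdict(list)  # (user, host) -> timestamps of 4625 events
    for ev in map(parse, records):
        key = (ev["user"], ev["host"])
        if ev["event_id"] == 4625:
            failures[key].append(ev["ts"])
            continue
        if ev["event_id"] != 4624:
            continue
        recent = [t for t in failures[key]
                  if 0 <= (ev["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= fail_threshold:
            findings.append({"rule": "success_after_failures", "user": ev["user"],
                             "host": ev["host"], "logon_type": ev["logon_type"],
                             "failures": len(recent), "ts": ev["ts"].isoformat()})
        if key not in baseline:
            findings.append({"rule": "new_user_host_pair", "user": ev["user"],
                             "host": ev["host"], "logon_type": ev["logon_type"],
                             "ts": ev["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Both rules fire on the same record here: bob’s Network logon from WS-TEMP7 follows five failures in eight seconds and comes from a host that account has never used. Neither rule needs a signature for the malware that may have delivered the credentials; they key purely on the logon the attacker cannot avoid generating. In production the baseline would be built from historical 4624 data rather than hard-coded, and the window and threshold tuned to the environment.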
Keep Your Eye on the Logon
So, while you’re busy trying to figure out which security measure to focus on first, and what solutions you should implement to provide the best security stance possible, keep in mind that you have a foolproof way to gain visibility into the potential presence of an attack – the logon.
To read more about external attacks and how to detect and stop them, read our latest whitepaper “Stopping the External Attack Horizontal Kill Chain”.
Verizon, Data Breach Investigations Report (2017)