It's tough to stop security breaches from compromised user logins. Rather than blaming users for being human, multi-factor authentication (MFA) and access management help protect against credential based attacks.
According to Mendiant research, 9 out of 10 cyberattacks involve Active Directory (AD). And compromised or stolen credentials are threat actors’ weapon of choice. That makes identifying compromised credentials key to preventing a network security breach. But for Active Directory administrators, identifying suspicious activity when the adversary has valid and authorized credentials is a daunting task.
Users are (usually) human! They are careless, flawed, and often exploited. And attackers love exploiting the naivety of your users because it’s so easy.
All it takes is one successful phishing email to persuade a user to hand over their login details. Once the hacker gains entry to your systems, you’ll likely not find out until it’s too late — after all, most anti-virus and perimeter systems aren’t programmed to pick up on access using legitimate login details. This gives snoopers all the time in the world to, well, snoop.
So, how are you supposed to spot illegitimate user access when it’s already been defined as legitimate?
Protect against the threat of compromised credentials
As long as Windows users are vulnerable to attacks, security breaches will be a threat. Organizations across all industries have ample opportunity to improve AD security, boosting their overall security posture.
But with Active Directory MFA and access management, you do have a foolproof way to make sure authenticated AD users are who they say they are. With these extra layers of security, you can also identify risky user behavior or a password breach and stop it before it costs you capital, customers and your company’s reputation.
Read on to learn how to better secure all Windows user logins.
Stop blaming your users for compromised credentials
Credential compromise is responsible for about half of all data breaches. Often, user error is to blame.
But it's easy to blame users, that's not going to fix the problem. The root of the issue usually lies with the organization's security strategy.
Across five AD security categories, organizations routinely score 71/100– barely a passing C grade.
And 9 months is the average time it takes organizations to detect an intruder in the network when they use authorized credentials.
This is a signal that the organization's security measures, and security solutions, don't address the crux of the issue.
How does credential compromise occur?
To better understand how to fix the problem, let's take another look at the problem of credentail compromise itself. End users often endanger the network in a variety of ways, including:
Hacked database including user credentials
Again: It's easy to blame your users
Users are human: flawed, careless, and often-exploited.
But doing so shows you don’t adequately understand the risk that inherently is (and always will be) there.
Security must be there to protect users from both careless and malicious behavior and to protect your network from outsiders trying to gain access by pretending to be employees.
5 warning signs of compromised credentials
The top five signs are top for a reason: they are extremely common! Make sure you have a solution for these classic warning signals, and you'll better identify if someone has breached your network.
Unusual resource usage: copying, deleting, or moving a large number of files en masse.
Implausible remote access: Login attempts from an unlikely session type, location, or device.
Password resets: Multiple failed login attempts or password resets.
Sudden change in working/office hours: Login attempts from outside normal business hours.
Impossible journeys: Simultaneous logins from locations too far apart to make any sense, or sequential logins with different credentials being used from an existing open session.
For a more in-depth look at common signs you've been breached, read this article on the top 5 signs of compromise.
Without a doubt, security administrators face a daunting task trying to identify suspicious access activity when the adversary has valid credentials. What’s the solution? MFA focuses on preventing the threat before damage is done: at the logon. With UserLock, you can also go beyond MFA to look at contextual access information around the logon and stop network access – even when credentials have been compromised.
5 steps to stop compromised login access
Here’s how to stop blaming users and start better protecting Active Directory user logons:
Implement two-factor authentication: Add an extra layer of protection to all Windows user accounts with two-factor authentication (2FA). Use 2FA with secure methods based on time-based one-time passwords (TOTP) and hash-based one-time passwords (HOTP), such as hardware tokens and keys, Push notifications, and authenticator applications.
Set contextual access restrictions: Set contextual access policies to automatically allow or deny a login connection request. You can set restrictions on location, IP address, machine, time of day, number of simultaneous sessions, or number of initial access points. At any time you can modify and apply all changes in real-time, effective immediately.
Monitor Windows user logon activity in real-time: Track which users connect from which workstation or device and when.
Set custom alerts to logon activity: Set custom alerts on specific logon events so you can immediately detect suspicious activity like a credential compromise and stop network access.
Protect against credential compromise with comprehensive MFA and access management
IS Decisions’ research several years ago did a deep dive into the access security priorities of 500 IT Security Managers in the U.S. and U.K. Over the past years, IT leaders’ priorities haven’t changed all that much in terms of security fundamentals.
Essentially, IT departments must strike the right balance between adding extra security layers and avoiding end user frustration or slowing down productivity.
Enforcing user security to prevent attacks using compromised credentials often can result in complex, costly and disruptive processes. Naturally, these are the very reasons why MFA solutions, unfortunately, often viewed as difficult to implement.
Thankfully, IT managers have a better way to avoid a breach due to compromised credentials: a combination of granular MFA and contextual access controls that can be easily personalized to each employee, striking the balance between user productivity and user security.