How to protect when credentials are stolen?
Author: Keshav Kamble
Every CIO, CISO or CxO’s worst nightmare is the theft of their own or their staff’s credentials and the subsequent attacks and abuse carried out with those credentials. Unfortunately, the problem is complex and twofold. First, the victim does not know when the theft occurred, and second, the theft comes to light only after forensic analysis of the attack that used those credentials.
Today, let’s discuss one of the most widespread IT security problems: attacks using the stolen credentials of database administrators. Credentials include information such as login names and passwords. Enterprises and organizations across the world, including financial, health care, government, military and infrastructure sectors, have endured huge losses of business critical data due to theft of IT administrators’ credentials. Without delving into specific examples of the victims, let’s look at some of the common methods of credential theft.
- Spear phishing attacks on individuals / social engineering scams.
- Large-scale penetration of Single Sign-On (SSO) or authentication services.
- DNS alterations and redirection.
- Theft of the certificate database.
- Web browser vulnerabilities, proxy settings, etc.
There are many other methods of stealing identities: attacks exploiting web browser vulnerabilities, zero-day vulnerabilities, keystroke loggers, brute force, shoulder surfing, unencrypted networks, etc.
As an application and database administrator, protecting your credentials is immensely important because they are the keys to your business critical data. Attackers posing as authenticated users gain unrestricted access to your compute environment to steal data, launch DDoS attacks or cause other damage.
What are the solutions?
- Multi-factor authentication (MFA) for all critical applications and databases.
Multi-factor or two-stage authentication for user logins is a widely adopted method in which, along with the user’s login name and password, a second form of identity is used to authenticate the user. The second form of identity can be a personal question, biometrics, an instantly generated passcode sent through SMS, etc. MFA can provide better authentication and user access control as long as it is diligently implemented and followed with a complete, end-to-end understanding of the application, storage and access control ecosystem. Despite MFA or 2FA, attackers have been able to bypass authentication because MFA was not implemented for every vulnerable application in the ecosystem. Whether MFA is breakable is not the question. The question is: can attackers breach the East-West interactions between the applications and the databases?
- Network perimeter enforcement to scan for authentication patterns going outside.
Combined with 2FA/MFA, this approach can help confine the authentication process to your own network, provided the authentication servers are not cloud based or otherwise located outside the data center. By adding capabilities to the security appliances, patterns of authentication traffic leaving the network can be identified. This approach identifies phishing attacks only; it does not prevent attackers from entering with credentials stolen by other means.
- Data exfiltration detection and mitigation.
I would suggest building this method into the default security architecture to improve the security posture. The much-debated approach of behavioral analysis to identify atypical behavior has not given enough confidence in preventing exfiltration. The obvious reasons are application and user dynamics. But again, exfiltration may happen with or without loss of credentials.
If everything else has failed, it is time to try the pico-segmentation approach for deterministic access control and separation. Consider the scenario where credentials are lost and the victim does not know about it; the consequent breach is just a matter of “when?”. How do you protect your business applications in such scenarios? Business applications and databases can be on-prem, on cloud or multi-cloud. The threat surface is too large to protect comprehensively. The new method of deterministic security and segmentation has been demonstrated for Mongodb, Oracle and other applications in data center and cloud environments. Not only did pico-segmentation protect the databases from stolen credentials, but it also protected them when no password was set at all, thereby protecting business critical applications and data from attackers.
For outbound monitoring and preventing data loss, the pico-segmentation approach would be of great help. This approach prevents access using stolen credentials and prevents exfiltration independently. In my experience, application and security architects always perform at their best when given the time and the technology. Business agility and Time to Market (TTM) often force them to cut corners on security. However, pico-segmentation using deterministic capabilities closes the gaping hole left by credential theft, without adding complex appliances to the security architecture. It also strengthens your Security Operations with end-to-end tracking of application dynamics and threat dynamics. It is a matter of new thinking; the truth is out there!
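The following is an added illustration of the deterministic access-control idea described above, not code from the author or from any pico-segmentation product: an explicit allow-list of (workload identity, source network, database service) tuples is evaluated before credentials are ever checked, so a valid but stolen password presented from an unexpected source, or a database with no password set, still does not grant access. All identities, networks and service names are constructed for the example.

```python
"""Deterministic segmentation policy in front of a database (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    app_id: str       # workload identity asserted by the enforcement point (assumed)
    src_net: str      # CIDR the workload is deployed in
    dst_service: str  # "host:port" of the protected database


# Constructed policy: only these workloads may ever open these connections.
POLICY = [
    Rule("order-service", "10.10.1.0/24", "mongo-primary:27017"),
    Rule("report-service", "10.10.2.0/24", "oracle-prod:1521"),
]


def is_allowed(app_id: str, src_ip: str, dst_service: str) -> bool:
    """True only if one rule matches every attribute of the connection attempt."""
    src = ip_address(src_ip)
    return any(
        r.app_id == app_id
        and src in ip_network(r.src_net)
        and r.dst_service == dst_service
        for r in POLICY
    )


def evaluate(app_id: str, src_ip: str, dst_service: str, credentials_valid: bool) -> str:
    """Segmentation decision comes first; the password is consulted only afterwards.

    A denial at the segmentation step while credentials are valid is the signal a
    SOC wants: a correct password arriving from a place it should never come from.
    """
    if not is_allowed(app_id, src_ip, dst_service):
        if credentials_valid:
            return "DENY: no segmentation rule (valid credential from unexpected source)"
        return "DENY: no segmentation rule"
    if not credentials_valid:
        return "DENY: bad credentials"
    return "ALLOW"


def audit(attempts):
    """Return (app_id, src_ip, decision) for every attempt that was denied."""
    results = []
    for app_id, src_ip, dst, cred_ok in attempts:
        decision = evaluate(app_id, src_ip, dst, cred_ok)
        if decision != "ALLOW":
            results.append((app_id, src_ip, decision))
    return results
```

Feeding `audit()` a stream of connection attempts (for example from a connection broker or proxy log) yields the denied ones, and the "valid credential from unexpected source" entries are the ones worth escalating as probable credential theft.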
Let your curiosity drag you to Mongodb World’17 in Chicago June 20th to 21st, 2017 Startup booth. You can witness the attacks on Mongodb database application on cloud with stolen credentials and protection provided by pico-segmentation technology.