So you’ve taken responsibility for educating your users about the ways in which they can be hacked. You’ve covered drive-by downloads, adware, phishing, the dangers of Tor, and ransomware. Everyone knows the threats.
And then it happens. An account is compromised.
Sure, maybe it’s not as bad as 50 million accounts being compromised, but a compromise does pose a threat to your system as a whole. What to do?
How to Know if an Account is Compromised
A compromised account is one that is accessed by a person not authorized to use the account. Attackers often try to access accounts illegally to:
- Gain access to your network
- Gain access to your processing power or storage
- Recruit your network as part of a botnet, perhaps for a DDoS attack
- Gain access to your corporate intellectual property
- Gather information to steal identities, commit fraud, or use your contact information to carry out phishing attacks.
Typically, compromised accounts leave clues. This might include suspicious activity such as:
- Missing or deleted emails
- Bogus emails being sent from the compromised account
- Unusual mail forwarding set up
- Changed user information (such as display name or account details)
- Unusual credential changes
In many cases, users themselves may self-report the compromise when they start getting feedback from their own network about the ‘bogus’ activity. Here, it’s good to have a liberal “if you see something, say something” policy. Better safe than sorry.
If a user doesn’t catch the compromise, it’s possible that you may see a rise in ‘abuse’ complaints from third parties about spam or suspicious behavior. Again, it’s good to invite the information early and respond quickly.
Still, it’s possible a user – or their contacts – may be unaware that their account is compromised. This might be especially true if the attacker is planning a patient, deliberate attack as in the case of the SamSam Ransomware attack, where the malicious code sat dormant for days or weeks at a time in order to elude security software.
While no security software is perfect, it can often play a critical role in identifying account compromise quickly.
For example, a good SIEM with robust system monitoring and log analysis can clue you (or your security operations team) into a potential problem early, before the compromise propagates throughout the network.
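The kind of log-analysis rule a SIEM would run for two of the clues listed above (forwarding rules pointing outside the organisation, and display-name changes), as an added example that is not part of the original article. The audit-event format, the internal domain and the events themselves are constructed for the example.

```python
import json
from collections import defaultdict

# Assumed internal mail domain(s); any other domain counts as external.
ORG_DOMAINS = {"example.com"}

# Constructed mailbox-audit events (not real data), one JSON object per line.
# The field names are a simplified, assumed schema, not a specific product's format.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T08:02:11Z", "user": "alice@example.com", "op": "New-InboxRule", "forward_to": "alice@example.com"}
{"ts": "2024-05-01T08:05:40Z", "user": "bob@example.com", "op": "New-InboxRule", "forward_to": "collector@mailhost.invalid"}
{"ts": "2024-05-01T08:06:02Z", "user": "bob@example.com", "op": "Set-Mailbox", "field": "DisplayName", "old": "Bob Smith", "new": "Accounts Payable"}
{"ts": "2024-05-01T09:15:00Z", "user": "carol@example.com", "op": "MailItemsAccessed"}
"""


def is_external(address: str) -> bool:
    """True when the address domain is not one of the organisation's own."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def find_clues(events_text: str) -> dict:
    """Return {user: [reason, ...]} for every event that matches a compromise clue."""
    clues = defaultdict(list)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["op"] == "New-InboxRule" and is_external(ev.get("forward_to", ev["user"])):
            clues[ev["user"]].append(f"{ev['ts']}: inbox rule forwards mail to {ev['forward_to']}")
        elif ev["op"] == "Set-Mailbox" and ev.get("field") == "DisplayName":
            clues[ev["user"]].append(f"{ev['ts']}: display name changed from {ev['old']!r} to {ev['new']!r}")
    return dict(clues)


def triage(events_text: str) -> list:
    """Rank accounts: several different clues on one account are a stronger signal than one."""
    ranked = [(user, "high" if len(reasons) > 1 else "medium", reasons)
              for user, reasons in find_clues(events_text).items()]
    return sorted(ranked, key=lambda r: (r[1] != "high", r[0]))


if __name__ == "__main__":
    for user, severity, reasons in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {user}")
        for reason in reasons:
            print("   ", reason)
```

Alice's rule forwards to her own mailbox and Carol's event is routine access, so only Bob's account is flagged, and it is ranked high because two independent clues hit it within a minute.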
Accounts can be compromised in a number of ways, including:
Phishing
Phishing is the practice of sending emails to get users to respond voluntarily, possibly by clicking a link or providing information to a fraudulent requester. Though requests from Nigerian princes are no longer the norm, phishing is still a widely used practice. It has evolved, with attackers frequently posing as reputable companies or close contacts in order to dupe unassuming users into providing information. Training users – especially front line customer service representatives – on detecting phishing emails can help to prevent these attacks.
Compromised Passwords
Possibly as a result of phishing, possibly as a result of a breach on another site, or possibly through carelessness, a compromised password makes it easy for an attacker to infiltrate an account. Requiring strong passwords, enforcing frequent password changes, and using two-factor authentication can reduce instances of passwords being stolen.
Malware
If a user works on a machine that has been infected with malware (possibly through a drive-by download), or on one that has been exposed to an infected machine, the account can become compromised. Using ad blockers, limiting download authority, and using virus protection software can help to prevent malware from being loaded on to user machines.
Brute Force Attacks
A brute force attack is one in which an attacker uses an automated script to “guess” a user’s password. Often, the script uses algorithms that “sniff out” weak passwords first, and if a user’s password is ascertained, the account can be compromised. Minimize this risk by limiting the number of login attempts allowed for an account, enforcing strong passwords, and logging all failed attempts. That way, if there is a trace of a brute force attack, your logs have information you can use to identify the threat and respond.
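What "your logs have information you can use" looks like in practice: a sliding-window check over failed-login records that raises one alert when an account crosses the attempt limit and a second, more serious one if a login then succeeds. This is an added example, not code from the article; the sshd-style log lines, host name, account names and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd-style lines below; "invalid user" is skipped so the account name is captured.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed log excerpt (not real data): five failures on one account in 16 seconds,
# then a success from the same address; a second user who simply mistypes twice.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z mail01 sshd[4101]: Failed password for bob from 198.51.100.7 port 50311 ssh2
2024-05-01T08:00:05Z mail01 sshd[4101]: Failed password for bob from 198.51.100.7 port 50312 ssh2
2024-05-01T08:00:09Z mail01 sshd[4101]: Failed password for bob from 198.51.100.7 port 50313 ssh2
2024-05-01T08:00:13Z mail01 sshd[4101]: Failed password for bob from 198.51.100.7 port 50314 ssh2
2024-05-01T08:00:17Z mail01 sshd[4101]: Failed password for bob from 198.51.100.7 port 50315 ssh2
2024-05-01T08:00:30Z mail01 sshd[4102]: Accepted password for bob from 198.51.100.7 port 50317 ssh2
2024-05-01T08:01:00Z mail01 sshd[4103]: Failed password for alice from 203.0.113.9 port 41000 ssh2
2024-05-01T08:01:10Z mail01 sshd[4103]: Failed password for alice from 203.0.113.9 port 41001 ssh2
2024-05-01T08:01:20Z mail01 sshd[4104]: Accepted password for alice from 203.0.113.9 port 41002 ssh2
"""


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Per-account sliding-window count of failed logins.

    Emits ("burst", ...) when an account reaches `threshold` failures inside `window`,
    and ("success_after_burst", ...) when a login then succeeds: the latter is the
    signal that a guess worked and the account should be treated as compromised.
    """
    recent = defaultdict(deque)          # account -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        failures = recent[m["user"]]
        while failures and ts - failures[0] > window:   # drop failures outside the window
            failures.popleft()
        if m["result"] == "Failed":
            failures.append(ts)
            if len(failures) == threshold:               # alert once, when the limit is crossed
                alerts.append(("burst", m["user"], m["ip"], m["ts"]))
        else:
            if len(failures) >= threshold:
                alerts.append(("success_after_burst", m["user"], m["ip"], m["ts"]))
            failures.clear()
    return alerts


if __name__ == "__main__":
    for kind, user, ip, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts} {kind:<20} account={user} source={ip}")
```

On the sample, only Bob's account produces alerts; Alice's two mistakes stay under the limit, which is the balance a lockout threshold has to strike between catching guessing and locking out clumsy users.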
Unsecured Networks
An unsecured network makes an easy target for an attacker to infiltrate. Ensure your network is behind a firewall, limit exposure of Remote Desktop Protocol (RDP) services (favor VPNs), and put standard network protection measures in place to reduce the probability of attack.
(If you use Microsoft Office 365, they have a best practices security road map that you should implement over 90 days in order to lessen the probability of attack or network compromise. They also provide guidance on how to tell if an Office 365 email has been compromised.)
If a user suspects their account has been compromised, make sure they escalate their suspicion quickly, have them change their password, and review their system for unusual or suspicious activity. Check the Trash, Sent Mail, Filters, account settings, and drives to identify dubious settings or software.
Even with well-educated users doing the right things, networks can be compromised. In order to identify security events early, you should ensure that you’ve not only got good ‘preventative’ measures in place, but also a good SIEM monitoring your logs for unusual activity. At least then, your security operations team has a fighting chance of catching a compromise before it infects the entire network.