Security

Forget malware — stolen credentials are the real enterprise threat

Image Credit: Lighthunter/Shutterstock

Focusing on malware detection as a frontline cybersecurity strategy puts IT security teams in a never-ending game of cat and mouse. A report from Pandalabs earlier this year found that 30 million new malware threats were created in 2013 – an average of 82,000 per day. Keeping pace with this rate of malware creation requires continuous upgrades to the latest cybersecurity defense technologies, the very same ones that malware developers are constantly finding new ways around. Fighting this unwinnable battle not only strains precious cybersecurity resources, but it also leaves a company vulnerable to an even greater threat: stolen credentials.

Malware is often used only at the very beginning of an attack and then vanishes. In fact, 82 percent of malware disappears an hour after activation. Its purpose is not to compromise the machine, but to give an attacker access to stored credentials that will be used throughout the remaining duration of the attack. Because malware has proven to be an effective tool to steal credentials, attackers are adopting this tactic in droves.

The 2014 Verizon Data Breach Report released last month confirms as much. It found that 76 percent of all network intrusions in 2013 involved stolen credentials, more than double the previous year. Not all of those were a result of malware infection; social engineering tactics, such as reconnaissance, pretexting and email phishing are also on the rise and can be just as effective. (In one example, attackers attempting to breach the network of a big oil company infected an online menu of a Chinese restaurant frequented by employees, causing them to download malicious code.) Once a company is compromised, attackers can float freely within the IT environment undetected, as they do not trigger alerts of signature-based detection devices or software, sucking the air out of a company’s security intelligence and leaving the IT team with limited options for identifying the differences between valid and invalid user behavior.

What to look out for

There are a few tips that IT security teams can practice to reduce risk.

  • Be suspicious of everyone and everything. Even trusted vendors can be a backdoor into your network, as exemplified by the stolen credentials of an HVAC vendor that led to the Target data breach in December 2013. Unsure of where that USB stick came from? Don’t plug it into your computer. And don’t ever give your credentials out to anyone you don’t know – especially if a “new employee” in your IT department calls you up asking for it.
  • Watch out for diversions. Distributed denial-of-service (DDoS) attacks are a common diversionary tactic to distract security teams while they activate dormant malware. Or employees might get a call from attackers pretending to be a help desk, essentially leading them right into the network. When under the duress of a DDoS attack, always keep an eye out for other strange activity.
  • Track your users and baseline their activity. Set up a system that monitors how users access IT assets to determine what constitutes normal behavior. Once this baseline has been established, it will be easier to identify anomalies to measure the risk and deviation from the norm.

Data is the big jackpot, but it’s nearly impossible to keep up with the rate of new malware that emerges on a daily basis. So why do IT security teams continue to focus on the point of infection rather than what happens afterward? Basing your cybersecurity posture around malware detection is a losing strategy, as this cat can’t catch 82,000 mice per day. The most important thing you can do is stay alert and be prepared.

Nir Polak, CEO and cofounder of Exabeam, is a 13-year enterprise information security veteran with a broad range of executive experience, including setting company strategy, driving execution, building new products and bringing them to market, and providing exceptional client services. Prior to Exabeam, Nir held various senior management positions at Imperva, where he set the product strategy for the company, overseeing all product lines. Nir also held engineering positions at Adjungo Networks (acquired by Flash Networks) and Shopping.com (acquired by eBay).

3 comments
Michal Wendrowski
Michal Wendrowski

Looks like two-factor authentication is becoming the most important security measure. You can protect yourself with www.rublon.com, which offers free plugins for WordPress, Drupal, Magento, OpenCart and PrestaShop.