Question: What is the most common cause for data breaches?
Answer: Weak and stolen credentials.
About 76% of network intrusions involved weak credentials, according to Verizon’s data breach report. Authentication-based attacks, which includes guessing passwords cracking, using specific tools or trying out passwords from other sites on the target system, factored into about four of every five breaches.
Whether the credentials allow lateral movement, malware execution, remote access, privilege escalation or data exfiltration, they are essential.
Fortunately, windows/Linux event logs, VPN authentication events, service applications, Active Directory, HR and other applications keep traces of data on when, where and how user credentials are used.
All it takes is putting the pieces together to build a user behavior story line. Then, compare it with ‘normal’ user behaviors for individuals and peer groups.
Since attackers look for valid credentials for user impersonation, user behavior analysis can help reveal an ongoing attack in real time.
Credentials used across all phases of the attack chain.
User behavior analysis can automatically create an attack chain timeline .
By focusing the security team on what attackers want and use – credentials, extracting user data from logs, data repositories and SIEM events, security alerts with user attribution can identify high risk behavior and inside threats in real time.
Author: Nir Yosha
Solutions Architect at Gurucul