How to catch the attacker with valid user credentials

Mark Seward, VP of marketing at Exabeam.

It’s time to admit that we’re losing the cyberwar.

Hacker groups are highly organized and mobilized, and they are increasingly using sophisticated attack techniques and tools to defeat longstanding cybersecurity defenses. Data breaches at major enterprises have become a common occurrence, and well-funded nation states are taking a major interest in cyber espionage activities.

In response, the federal government launched a $6 billion continuous diagnostics and mitigation (CDM) initiative two years ago, led by the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB), to help federal departments and agencies strengthen their cybersecurity defenses against today’s cyberattacks through continuous monitoring of agency risk posture. Broken into four implementation phases and 15 capabilities, this cross-agency cybersecurity initiative is the largest the federal government has undertaken in the past decade.

To mitigate the threats of today’s hackers, agency IT security teams need to continuously focus on where the attack surface exists today: not only at the network perimeter, but also within the network itself. In 2012, Mandiant’s M-Trends report showed that attackers used valid employee credentials in 100 percent of targeted attacks. This tactic allows hackers to impersonate legitimate users throughout the IT environment.

In CDM's implementation phase two, which is called “managing accounts for people and services,” there is a capability most agencies don’t fully grasp: security-related behavior. (See Figure 1.)

Figure 1. Supplementary sidebar image.

In describing this capability, DHS provides examples that link the security training of employees to their use of credentialed access. However, employee training alone isn’t effective for preventing social engineering attacks, as it takes only one employee opening the wrong attachment to compromise a network and cause a data breach. IT security teams must be able to tell the difference between the way normal users use their credentials and the way an attacker would use those same credentials to achieve their objectives. It is through this sort of user behavior intelligence that an entire attack chain can be exposed.

One of the biggest challenges in today’s cybersecurity climate is security noise pollution, and the difficulty of knowing what’s anomalous in an ocean of normal user activity data. Security information and event management (SIEM) deployments were supposed to give IT security teams the insight they needed to address imminent threats. However, the thousands of unprioritized SIEM alerts generated per day drown out valid indicators. Also, it’s unlikely that an attacker with valid user credentials would ever generate an alert from any part of the traditional security infrastructure.

User behavior intelligence solutions, a relatively new solution category, autonomously and continuously ask questions about the characteristics of access and follow the use of credentials across a session of activities from log-on to log-off, through any account switches along the way, all while comparing these activities to those of the user's peer group. In this manner, machine-learning technologies separate normal user behaviors from those of an attack. Credentialed activities are given an additive risk score based on each characteristic and fact gathered by the system during the session, quantifying the risk and seriousness of the threat. It’s the equivalent of having on the team a data scientist who can remember and track hundreds of thousands of users in real time, all while using current SIEM and log management repositories. Not only that, user behavior intelligence can also highlight the gaps in employee security awareness training that need to be rectified.
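As an added illustration of the approach described above (stitching events into a log-on-to-log-off session, following account switches, comparing to the peer group and summing an additive risk score), and of the earlier point about telling normal credential use from an attacker's, here is a small session scorer. It is not Exabeam's code; the events, peer groups and weights are constructed assumptions for the example.

```python
"""Added example, not product code: stitch audit events into per-user
sessions and give each session an additive risk score against a baseline."""
from collections import defaultdict

# Constructed sample events: (timestamp, user, action, detail).
# A session runs from LOGON to LOGOFF; SWITCH means the credential moved
# into another account (e.g. a service account) mid-session.
EVENTS = [
    (1, "alice", "LOGON", "ws-alice"),
    (2, "alice", "ACCESS", "hr-share"),
    (3, "alice", "LOGOFF", "ws-alice"),
    (4, "bob", "LOGON", "ws-bob"),
    (5, "bob", "ACCESS", "hr-share"),
    (6, "bob", "LOGOFF", "ws-bob"),
    (7, "alice", "LOGON", "srv-db01"),        # host alice has never used
    (8, "alice", "SWITCH", "svc-backup"),     # account switch mid-session
    (9, "alice", "ACCESS", "finance-share"),  # resource her peers never touch
    (10, "alice", "LOGOFF", "srv-db01"),
]
PEER_GROUP = {"alice": "hr", "bob": "hr"}          # assumed peer assignment
WEIGHTS = {"new_host": 20, "account_switch": 25,   # assumed additive weights
           "new_resource_for_peers": 30}

def stitch_sessions(events):
    """Group events into sessions, one per LOGON..LOGOFF for each user."""
    sessions, open_sessions = [], {}
    for _ts, user, action, detail in events:
        if action == "LOGON":
            open_sessions[user] = {"user": user, "host": detail, "events": []}
        elif user in open_sessions:
            open_sessions[user]["events"].append((action, detail))
            if action == "LOGOFF":
                sessions.append(open_sessions.pop(user))
    return sessions

def score_sessions(events, peers):
    """Return (user, host, score, facts) per session, judged against history."""
    seen_hosts, peer_resources, results = defaultdict(set), defaultdict(set), []
    for s in stitch_sessions(events):
        user, group, facts = s["user"], peers[s["user"]], []
        if seen_hosts[user] and s["host"] not in seen_hosts[user]:
            facts.append("new_host")
        for action, detail in s["events"]:
            if action == "SWITCH":
                facts.append("account_switch")
            elif action == "ACCESS" and peer_resources[group] \
                    and detail not in peer_resources[group]:
                facts.append("new_resource_for_peers")
        seen_hosts[user].add(s["host"])  # update baselines only after scoring
        peer_resources[group].update(d for a, d in s["events"] if a == "ACCESS")
        results.append((user, s["host"], sum(WEIGHTS[f] for f in facts), facts))
    return results
```

The first two sessions establish the baseline and score 0; the third session scores 75 because three independent facts add up, which is the kind of quiet, alert-free activity a single SIEM rule would not flag.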

The recent spate of large data breaches indicates that strengthening perimeter security is only one part of an overall cybersecurity strategy, as most attackers have found that human employees are the easiest weaknesses to exploit. Employee training, while certainly important, does not eliminate errors in human judgment. To win the cyberwar, federal agencies need to realize what attackers value most – valid credentials – and use it against them.

About the Author

Mark Seward is vice president of marketing at Exabeam.
