A new approach to detecting compromised credentials in real-time  

It is hard to distinguish an authorized user from an attacker using compromised credentials. DB Networks says it has a way.


This column is available in a weekly newsletter called IT Best Practices.  Click here to subscribe.  

Last year the Federal Financial Institutions Examination Council (FFIEC) issued a statement to notify financial institutions about the growing trend of cyber attacks designed to steal online credentials. While this is certainly a big issue for banks and credit unions, concern about stolen credentials extends far beyond the financial services industry. Basically any organization with valuable data is at risk of an attack initiated with seemingly legitimate credentials.

According to the FFIEC statement:

Recent reports indicate an ongoing and increasing trend of attacks by cyber criminals to obtain large volumes of credentials. These attacks include theft of users’ credentials—such as passwords, usernames, e-mail addresses—and other forms of identification used by customers, employees, and third parties to authenticate themselves to systems as well as theft of system credentials, such as certificates.

Stolen customer credentials may give an attacker access to customers’ account information to commit fraud and identity theft. Stolen employee and third-party credentials may provide initial access to trusted internal systems that may be used to leverage system administrator level access to obtain confidential business and customer information, modify and disrupt information systems, and destroy or corrupt data.

This warning came just a month after Hold Security, LLC announced it had discovered almost 360 million stolen account credentials, including email addresses and passwords, and another 1.25 billion records solely containing email addresses.

Among the stolen account credentials uncovered by Hold Security were user names and passwords belonging to the J. P. Morgan Chase Corporate Challenge website. Upon investigation of its purloined credentials, J. P. Morgan Chase discovered its own data breach in which cyber attackers stole contact information, including names, addresses, phone numbers and email addresses, for 76 million households and 7 million small businesses.

Compromised credentials create an extreme risk of "insider" threats. I use the term insider loosely because an attacker coming from the outside with legitimate credentials looks like an authorized insider to many types of security systems. A perimeter defense system, for example, can't distinguish a real user from a malicious actor if they both use the same set of credentials to login. Likewise, an application such as an online banking system, can't tell if a legitimate set of credentials has been stolen and is now being abused to siphon money from a customer account.

Worse, some credentials allow an attacker to gain a foothold inside a network and then escalate the privileges to go after high-value assets. Target Corporation's breach in 2013 is the poster child for what can happen when attackers use legitimate credentials to infiltrate a network to steal data.

Recent research by the Ponemon Institute indicates it takes an average of 98 days for a financial services company to detect an intrusion on its network. That detection period for retail organizations is twice as long: 197 days, on average. That's a very long time to host an intruder with a malicious intent.

Such scenarios call for a new approach to detecting unauthorized or unexpected access via compromised or abused credentials. The time-to-detection must be much more immediate – in minutes or hours rather than weeks or months – in order to prevent or minimize losses from the unauthorized access.

DB Networks has added a new capability to its database security solutions to address this very issue. The company says that its DBN-6300 enterprise appliance and its OEM-focused Layer 7 Database Sensor both now have the ability to detect someone acting as an authorized insider through compromised or abused credentials. This is done at the database level, in real-time, which gives an organization the opportunity to stop the activity before real damage can be done.

Operating at the database tier, directly in front of the database servers, the DBN-6300 is in position to analyze database traffic. It can identify any undocumented databases, traffic to/from restricted segments, and see advanced database attacks such as SQL injection. When rogue SQL statements are present at the database tier, it means the perimeter defenses have been breached and the application has also been exploited. Now the solution can take measures to identify when legitimate credentials providing access to a database have been compromised by an outsider or are being abused by a true insider.

Typically when the database management system (DBMS) sees credentials it will view the access as legitimate. The DBMS doesn't know the difference between someone using an authorized credential and someone abusing a legitimate credential. DB Networks has created a new model, called a dataflow, that it claims can make the distinction. Here's how it works.

There are two major components to how a database is accessed over a network, illustrated in Figure 1. The first component is the table reference, which is the specific information that is being accessed in the database, and whether it is being accessed with a read or a write. The second component is the conduit, or the context of the access—specifically where it is coming from and where it is going to.

DB Networks

Figure 1: The DB Networks dataflow model

In the dataflow model, the table reference component has four attributes: server, database, schema and table. In addition, there is the mode of the SQL statement, which is either read or write. The context component also has four parts to it: the client IP address, the specific user (which could be a person or an application), the listener port (which routes requests to the correct DBMS), and a specific service of the DBMS.

In Figure 1, the dataflow model has the following assignments:

  • mode = read
  • server = HRSQLServer
  • database = Staff
  • schema = dbo
  • table = compensation
  • user = sa (system administrator)
  • DBMS service = HR_DB_Service
  • client IP =
  • DBMS IP =
  • listener port = 1433

DB Networks says it can analyze an application's typical dataflows in just a few days to derive a baseline of behavior. The vendor says dataflows in normal operations are extremely stable. This means the table references are accessed from a limited and rapidly-defined set of contexts. Once the dataflows have been learned and modeled, the tool goes into anomaly detection mode (i.e., behavioral analysis) to look for dataflows that violate the normal baseline. Violations are viewed as a potential insider threat.

An anomaly might point to compromised credentials where the application's or the database's credentials were stolen or abused by an insider, and now the dataflow is coming at the database from a very different client or application. It could be an advanced persistent threat situation where an attacker gets a foothold in one application and they moved laterally to gain wider access. Or it could be a potential policy breach where activity has crossed over to a segment that is supposed to be isolated, such as a PCI card data environment.

Regardless of the exact scenario, DB Networks' solution sends an alert in real-time with detailed information that enables a security analyst to do a deep dive into the event. They can see the offending dataflow, which includes the SQL statement itself, where it originated, and where it was destined. They can determine what created this situation and respond accordingly as it is happening, and that's quite an improvement over discovering one hundred days after the fact that a database breach has occurred.

Must read: Hidden Cause of Slow Internet and how to fix it
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies