Are Your Users Heartbleeding?

Last updated at Wed, 30 Aug 2017 02:02:58 GMT

As we figure out the implications of the OpenSSL Heartbleed Vulnerability (CVE-2014-0160), we are beginning to realize that due to the vast reach of the vulnerability, one of the largest impacts will be on your networked users.  We suggest you read about ways to protect yourself against Heartbleed here.

User accounts over web and cloud services may have been compromised and there is no way to have full visibility of these events. While it is recommended for users to change passwords in those services that patched the vulnerability, many other services still have not patched and may put user credentials at risk. 

All organizations need to take precautions and assume a "zero trust" approach to users' credentials. We assume that attackers will leverage exploited user credentials to access various organizations, an attack that is especially hard to detect as the attacker appears to be a legitimate user entering the network.

UserInsight was specifically developed to detect attacks leveraging compromised users. It not only detects the attacker's entry to the network, but also identifies and alerts on the attacker's lateral movement within your environment.

Once user credentials are obtained, attacker will often access the network from a remote location, far away from your user's typical home or office. UserInsight detects this access, whether done through VPN, mobile device, or even if the attacker authenticates to corporate-provided cloud services from a different network.

UserInsight also identifies the attacker's attempts to mask network entry by using TOR or Proxy nodes.

Once inside the network, the attacker's lateral movement can also be detected. Typically, attackers look to elevate privileges, scan the network for critical assets, impersonate privileged users to gain access to critical assets, locate valuable data, and then exfiltrate it to the cloud. UserInsight was uniquely designed to detect many of these methods of lateral movement. It detects attempts to impersonate users, attackers scanning for critical assets, their efforts to elevate privileges, access to critical assets, and eventually, any attempts to exfiltrate stolen data to the cloud.