This week's webcast featured Matt Hathaway, Senior Manager of Platform Products at Rapid7, and Jeff Myers, Lead Software Engineer for UserInsight at Rapid7, presenting “Incident Response: Why You Need to Detect More Than Pass the Hash”. This technical webinar emphasized how compromised credentials are a key weapon in the attacker's arsenal, and featured an in-depth discussion of indicators of compromise (IoCs) for Pass-the-Hash (PtH) attacks, along with information on how to automate detection techniques. Read on for some of the top takeaways from this session:
1. Can't Stop Stolen Credentials – Attackers and penetration testers haven't invented a new model for stolen credentials; people across many fields and markets use an eerily similar Discover, Reach, and Expand model to collect data. For attackers, this model means discovering a set of credentials, using them to reach the network, and expanding their access across the network from there. This method is pervasive, and it isn't going anywhere anytime soon because it remains very effective. Credentials are weak, and an attacker only needs one set of them to get into a network. Security professionals must do as much as possible to prevent this kind of attack, while still ensuring they can swiftly detect an attacker once one gets through.
2. Need to Know: Your Network's "Normal" – It's impossible to keep up with alerts for every authentication or potentially malicious action on your network. There will be far too much noise from alerts and false positives unless you understand what constitutes normal activity within your organization. Once you've examined the data in your company's event logs and centralized servers, you should be able to recognize anomalous activity. Rapid7 UserInsight is designed to discover suspicious activity and expose it to your security team. You can tune your alerting to the abnormal scenarios, and by looking at the context around any flagged activity the security team can quickly determine whether an action was intentional and malicious, or misinterpreted and accidental. Investigation time for each alert is significantly shortened, so the team can move on to the next possible compromise as quickly as possible.
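To make the "know your normal" idea concrete, here is an added example (written for this summary, not code from Rapid7 or from UserInsight, whose internal logic is not described on this page). It builds a per-user baseline of which source workstations, destination hosts and authentication packages each user normally logs on with, then flags later logons that introduce a value never seen in the baseline, attaching the user's normal profile as context for the analyst. The event records, field names and the one-week baseline window are constructed assumptions for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuthEvent:
    """One successful logon, as it might be normalized from a domain event log."""
    ts: datetime
    user: str
    src: str      # workstation the logon came from
    dst: str      # host that accepted the logon
    package: str  # authentication package, e.g. "Kerberos" or "NTLM"


def _daily(user, src, dst, package, days):
    return [AuthEvent(datetime(2024, 1, d, 9, 0), user, src, dst, package) for d in days]


# Constructed sample data (not real logs): days 1-7 are routine activity,
# day 8 contains both routine logons and two that break the pattern.
BASELINE_END = datetime(2024, 1, 8)
SAMPLE_EVENTS = (
    _daily("alice", "WS-ALICE", "FILESRV01", "Kerberos", range(1, 8))
    + _daily("bob", "WS-BOB", "FILESRV01", "Kerberos", range(1, 8))
    + [
        AuthEvent(datetime(2024, 1, 8, 9, 0), "alice", "WS-ALICE", "FILESRV01", "Kerberos"),
        AuthEvent(datetime(2024, 1, 8, 9, 5), "bob", "WS-BOB", "FILESRV01", "Kerberos"),
        # alice's account used from bob's workstation, to a new host, with a new package
        AuthEvent(datetime(2024, 1, 8, 2, 13), "alice", "WS-BOB", "DC01", "NTLM"),
        # an account that never appeared during the baseline window
        AuthEvent(datetime(2024, 1, 8, 2, 20), "svc-backup", "WS-BOB", "DC01", "NTLM"),
    ]
)

ATTRIBUTES = ("src", "dst", "package")


def build_baseline(events, window_end):
    """Collect, per user, every value of each attribute seen before window_end."""
    baseline = defaultdict(lambda: {attr: set() for attr in ATTRIBUTES})
    for e in events:
        if e.ts < window_end:
            for attr in ATTRIBUTES:
                baseline[e.user][attr].add(getattr(e, attr))
    return baseline


def find_anomalies(events, baseline, window_end):
    """Return (event, reasons) pairs for post-baseline logons that deviate from normal.

    Each reason carries the user's known-normal values so the analyst sees the
    context needed to decide between malicious and merely unusual.
    """
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.ts < window_end:
            continue
        profile = baseline.get(e.user)
        if profile is None:
            alerts.append((e, ["user never seen during baseline window"]))
            continue
        reasons = [
            f"new {attr} {getattr(e, attr)!r}; normal: {sorted(profile[attr])}"
            for attr in ATTRIBUTES
            if getattr(e, attr) not in profile[attr]
        ]
        if reasons:
            alerts.append((e, reasons))
    return alerts


def run_demo():
    baseline = build_baseline(SAMPLE_EVENTS, BASELINE_END)
    alerts = find_anomalies(SAMPLE_EVENTS, baseline, BASELINE_END)
    for event, reasons in alerts:
        print(f"{event.ts:%Y-%m-%d %H:%M} {event.user}@{event.src} -> {event.dst} [{event.package}]")
        for reason in reasons:
            print("    ", reason)
    return alerts


if __name__ == "__main__":
    run_demo()
```

Of the four day-8 logons, only the two that break the baseline produce alerts; alice's routine logon and bob's are silent. A real deployment would refresh the baseline on a rolling window and weight attributes differently, but the shape is the same: the alert carries the profile it deviated from, which is what turns a bare authentication event into something an analyst can triage in seconds.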
To hear the in-depth discussion of both the attacker and detection techniques associated with compromised credentials, view the on-demand webcast now.
See how Rapid7 products and services help you detect attacks leveraging compromised credentials.