Examine account breaches
In the previous units, you examined several methods that attackers use to collect a user’s sign-in credentials and other sensitive information. Another less commonly used method to obtain a user’s account credentials is by using a password cracking tool.
An attacker can access network resources by compromising a user's account, resulting in an account breach. When the account is an administrative account, the hacker can immediately begin scouring the network to gain access to critical data. If the breached account is a regular user, the hacker can use elevation of privilege techniques to obtain administrator privileges. The next unit examines elevation of privilege.
An account breach compromises a user account when unauthorized individuals or malicious actors gain unauthorized access to it. Account breaches can occur through various means, including:
- Password attacks. Account breaches can result from password attacks such as brute force attacks, where attackers attempt to guess the user's password by systematically trying different combinations. They can also exploit weak or easily guessable passwords, passwords that users reuse across multiple accounts, and stolen passwords from other sources.
- Phishing. Phishing attacks involve tricking users into revealing their sign-in credentials by posing as a legitimate entity through emails, websites, or messages. If users unknowingly provide their credentials to phishing attackers, they can compromise their accounts.
- Credential stuffing. In credential stuffing attacks, attackers use lists of usernames and passwords obtained from other data breaches to attempt sign-in into various online services. If a user reuses the same username and password combination across multiple accounts, a compromised account from one service can lead to the compromise of other accounts.
- Key loggers. A key logger, also known as a keystroke logger, is a type of malicious software or hardware device that attackers install on a user's computer or mobile device. Attackers typically distribute software-based key loggers through malware. The main purpose of a key logger is to secretly capture and record user keystrokes, which it then transmits to the attackers. The intention of a key logger is to capture sensitive information like sign-in credentials, credit card numbers, personal messages, and other typed data. By doing so, key loggers can provide attackers with unauthorized access to a user's account and sensitive personal information.
- Social engineering. Social engineering techniques involve manipulating individuals to divulge sensitive information. Attackers often impersonate trusted individuals, engage in elaborate scenarios, or exploit psychological vulnerabilities to convince users to provide their account credentials willingly.
Once attackers compromise an account, they can gain unauthorized access to the user's account resources, including emails, files, and personal information. Even worse, this information might allow attackers to send messages or perform actions on behalf of the user. These scenarios can lead to data breaches, privacy violations, financial loss, identity theft, or misuse of the compromised account for further attacks or spreading malicious activities.
Mitigating an account breach
To mitigate account breaches and enhance overall security, organizations can implement various measures. Here are some key strategies to consider:
Strong authentication. Implement strong authentication mechanisms such as multifactor authentication (MFA) or two-factor authentication (2FA) to add an extra layer of security. Doing so ensures that even if an attacker obtains the user's password, they would still need another authentication factor (for example, a code sent to a mobile device) to gain access.
Microsoft Entra ID Protection. Use Microsoft Entra ID Protection, a cloud-based service that helps detect and respond to identity-based risks and threats. It utilizes advanced analytics and machine learning algorithms to identify suspicious sign-in activities, risky user behaviors, and potential account compromises in near real-time. Microsoft Entra ID Protection provides risk-based conditional access policies and remediation actions to mitigate identified risks.
Important
Azure Active Directory (Azure AD) is now Microsoft Entra ID. Learn more.
Password policies. Enforce strong password policies that require users to create complex, unique passwords. Encourage the use of password managers and discourage password reuse across multiple accounts.
Tip
Historically, organizations have been encouraged to regularly prompt users to update their passwords and consider implementing password expiration policies. However, experience has shown that password expiration requirements offer no containment benefits because cybercriminals almost always use credentials as soon as they compromise them. As such, Microsoft recommends enabling multifactor authentication, which is a more effective alternative to password expiration policies that require periodic password changes.
Security awareness training. Conduct regular security awareness training programs to educate employees about the risks of phishing, social engineering, and other common attack vectors. Teach them how to identify and report suspicious emails, websites, or requests for sensitive information.
Least privilege principle. Apply the principle of least privilege by granting users the minimum level of access necessary to perform their tasks. Regularly review and update user permissions based on their roles and responsibilities. Implement strong access controls to limit unauthorized access to sensitive data.
Account monitoring and Activity logs. Enable logging and monitoring of user account activities, including sign-ins, failed sign-in attempts, and unusual account behavior. Establish alerts and review logs for suspicious activities that might indicate an account breach. Implement security information and event management (SIEM) systems to centralize and analyze log data.
Regular patching and updates. Keep software, operating systems, and applications up to date with the latest security patches. Regularly update and maintain antivirus, anti-malware, and intrusion detection/prevention systems to ensure protection against known vulnerabilities.
Security assessments and testing. Conduct regular security assessments, vulnerability scanning, and security testing to identify weaknesses in the organization's systems and infrastructure. Address any identified vulnerabilities promptly and proactively.
Incident response plan. Organizations should develop an incident response plan that outlines the steps they plan to take should a suspected or confirmed account breach occur. Clearly define roles, responsibilities, and communication channels to ensure a swift and effective response to mitigate the effect of a breach.
Encryption and data protection. Implement encryption for sensitive data, both at rest and in transit. Use encryption protocols such as Transport Layer Security (TLS) for secure communication. Consider data loss prevention (DLP) solutions to prevent unauthorized access, leakage, or accidental sharing of sensitive information. To address these encryption and data protection needs, organizations should consider implementing Azure Information Protection. This solution allows organizations to classify, label, and protect their sensitive documents and emails. It helps enforce data protection policies by applying labels and encryption to documents, controlling access permissions, and preventing unauthorized disclosure of sensitive information. The solution enables them to define and manage their data protection requirements, including encryption, rights management, and data loss prevention (DLP) policies. It also helps ensure that sensitive information remains encrypted and only accessible to authorized individuals. By utilizing Azure Information Protection, organizations can add an extra layer of security to their data.
Continuous security monitoring. Implement continuous security monitoring and threat intelligence to stay informed about emerging threats and vulnerabilities. Regularly review and update security measures to adapt to evolving risks.
It's important for organizations to adopt a comprehensive approach to security. They should combine technical measures, user education, and proactive monitoring to mitigate the risk of account breaches and safeguard sensitive information.