We at TruShield are often asked how TruShield identifies an attack on a business. One of the key aspects of TruShield’s CSM, or Continued Security Monitoring solution, is that it monitors identity and access management at a very granular level: TruShield integrates information from a business’s Active Directory infrastructure into the monitoring platform. If you’re a CEO looking to understand the strategies TruShield uses to identify attacks, this is for you.
TruShield does this for a couple of reasons. To start, anyone looking at security at a high level should look beyond signature-based threats and also watch for interesting or abnormal behaviors. That’s what TruShield is doing with its identity and access management monitoring: it looks for early indicators of things that haven’t happened yet, such as privilege escalations or administrative accounts being locked out. One of the things businesses often see during a chain of attacks is an attacker gaining access to an environment. This is done through a drive-by download. Once in, they are going to immediately try to maintain that access.
Maintaining access usually hinges on a privilege escalation: the attacker escalates the privileges of the account they’ve compromised from a low-level account to something along the lines of an administrator account. Perhaps they add a new account to a protected security group. That’s a very dangerous thing when it happens; in those situations the bad guys have basically gained the keys to the kingdom. TruShield’s perspective is that if you are not monitoring where permissions, privileges, and policies are managed, then you are missing a sizable portion of the picture.
One of the things often seen when TruShield monitors an organization that’s under attack is a lot of failed logins for administrative accounts: several failed logins with an error code stating that the username entered does not exist. Usually one or two bad usernames is not a big deal; maybe somebody has just fat-fingered their actual username. But if you see many of them, what’s usually happening is that a bad guy is trying to guess a valid username. What is often identified in a chain of attacks is a valid login followed by a bunch of failed logins for bad passwords. When we peel back the onion there, what that really means is that somebody has guessed a correct username and is now trying to compromise the password for that guessed username.
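The two behaviors described above (an account being added to a protected group, and a run of unknown-username failures turning into bad-password failures against one account) map directly onto Windows Security log events, so here is an added example of detection logic over constructed event lines. This is illustration written for this page, not TruShield’s CSM code; the line format, thresholds, source addresses and protected-group list are assumptions, while the event IDs and SubStatus codes are the documented Windows values.

```python
"""Added example (not TruShield code): detection rules modelled on the
behaviours described in the post, run over constructed Windows Security
events.

Assumptions (not from the original post):
  - Events arrive as simplified 'key=value|key=value' lines; a real
    deployment would take 4625/4728/4732/4756 records from the Security
    log via a SIEM or log forwarder.
  - Thresholds, the 10-minute window and the protected-group list are
    illustrative and would be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log values used below (documented Microsoft values):
#   4625 = an account failed to log on; SubStatus says why:
#          0xC0000064 = user name does not exist, 0xC000006A = bad password
#   4728 / 4732 / 4756 = member added to a security-enabled
#          global / local / universal group
UNKNOWN_USER = "0xC0000064"
BAD_PASSWORD = "0xC000006A"
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}
PROTECTED_GROUPS = {"Domain Admins", "Enterprise Admins",
                    "Administrators", "Schema Admins"}   # illustrative

ENUM_THRESHOLD = 5        # unknown-user failures from one source
GUESS_THRESHOLD = 3       # bad-password failures against one account
WINDOW = timedelta(minutes=10)


def parse_event(line):
    """Parse one constructed 'key=value|key=value' line into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields


def detect(lines):
    """Return (alert_type, detail) tuples for the given event lines."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    alerts = []
    failures = defaultdict(list)   # src -> [(time, substatus, target)]
    enum_flagged = set()           # sources already reported for enumeration
    for e in events:
        # Rule 1: membership change on a protected security group
        if e["id"] in GROUP_ADD_EVENTS and e["group"] in PROTECTED_GROUPS:
            alerts.append(("protected_group_add",
                           f"{e['member']} added to {e['group']} by {e['actor']}"))
            continue
        if e["id"] != "4625":      # successes and other events are ignored here
            continue
        src = e["src"]
        hist = failures[src]
        hist.append((e["time"], e["substatus"], e["target"]))
        cutoff = e["time"] - WINDOW
        hist[:] = [h for h in hist if h[0] >= cutoff]   # keep only the window
        # Rule 2: many 'user name does not exist' failures = username guessing
        unknown = sum(1 for h in hist if h[1] == UNKNOWN_USER)
        if unknown >= ENUM_THRESHOLD and src not in enum_flagged:
            enum_flagged.add(src)
            alerts.append(("username_enumeration",
                           f"{unknown} unknown-user failures from {src}"))
        # Rule 3: after enumeration, repeated bad passwords for ONE account
        # means a valid username was found and is now being attacked
        if src in enum_flagged and e["substatus"] == BAD_PASSWORD:
            target = e["target"]
            guesses = sum(1 for h in hist
                          if h[1] == BAD_PASSWORD and h[2] == target)
            if guesses == GUESS_THRESHOLD:   # fire once, when reached
                alerts.append(("password_guessing_after_enumeration",
                               f"{guesses} bad-password failures for {target} from {src}"))
    return alerts


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    "time=2024-01-10T09:00:01|id=4625|src=10.0.0.5|target=jsmith|substatus=0xC0000064",
    "time=2024-01-10T09:00:02|id=4625|src=10.0.0.5|target=admin1|substatus=0xC0000064",
    "time=2024-01-10T09:00:03|id=4625|src=10.0.0.5|target=sysadmin|substatus=0xC0000064",
    "time=2024-01-10T09:00:04|id=4625|src=10.0.0.5|target=root|substatus=0xC0000064",
    "time=2024-01-10T09:00:05|id=4625|src=10.0.0.5|target=itadmin|substatus=0xC0000064",
    "time=2024-01-10T09:00:10|id=4625|src=10.0.0.5|target=administrator|substatus=0xC000006A",
    "time=2024-01-10T09:00:11|id=4625|src=10.0.0.5|target=administrator|substatus=0xC000006A",
    "time=2024-01-10T09:00:12|id=4625|src=10.0.0.5|target=administrator|substatus=0xC000006A",
    "time=2024-01-10T09:01:00|id=4625|src=10.0.0.9|target=bbo|substatus=0xC0000064",  # fat-finger
    "time=2024-01-10T09:01:05|id=4624|src=10.0.0.9|target=bob",                         # normal logon
    "time=2024-01-10T09:05:00|id=4728|actor=administrator|member=svc-backup|group=Domain Admins",
]

if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_EVENTS):
        print(f"{kind}: {detail}")
```

The single fat-fingered username from 10.0.0.9 produces no alert, which is the "one or two bad usernames is not a big deal" case; the burst from 10.0.0.5 produces the enumeration alert, then the password-guessing alert once the same account has been hit three times, and the later group membership change fires regardless of who performed it, because a change to a protected group is worth a look even when an administrator made it.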
If you’re not looking for this kind of activity in your environment, as TruShield does, you’re going to be relying on things like antivirus or IP reputation to give you the information you need, and you’re going to miss a key component of the picture.