NEUTRALIZING CREDENTIAL THEFT AND ABUSE
How do you stop the bad guy that looks like a good guy?
Passwords are one of the weakest links in security; they continue
to be exploited and have resulted in some of the most damaging
breaches to this day. This is no coincidence, for it is trivial for an
attacker to obtain a valid set of credentials. In a targeted attack,
the theft of credentials is especially valuable because the attacker pursues the victim’s access to applications and networks, and
stolen passwords provide a direct path towards those goals.
The theft of credentials is just the first stage of a longer process. Once basic access inside the organization is established
(either through a breached account using stolen credentials or
a breached endpoint brought into the network), the attacker
uses lateral movement to set up a broader footprint inside the
organization by compromising other systems and stealing more
credentials along the way. The process of lateral movement is
difficult for many organizations to stop because adversaries
with stolen credentials appear to be valid users who move freely
within the network without being closely challenged.
Credential theft is an enormous problem, and the risk remains
high despite decades of concern about the weakness of password-based authentication. Yet, the path to a solution remains
elusive for many organizations.
Why aren’t best practices for passwords working?
For years, organizations have primarily relied on filtering technologies to stop phishing emails from reaching users. These capabilities are valuable when dealing with commoditized phishing,
which is sent to a large population of users. Such a phishing site is seen by
many people (including security researchers), making it easy to
categorize it as malicious before other victims encounter it.
Palo Alto Networks | Neutralizing Credential Theft and Abuse | Brief
These methods are not effective when dealing with targeted attacks, such as those used for credential phishing. By using cloaking
techniques, the site can avoid being recognized as a phishing site.
If the site is not categorized as bad, traditional security products,
such as mail filtering solutions, do not stop the attack before it
reaches the user, permitting users to interact with it as if it were a
trusted site. This is a fatal issue because both new phishing sites
and benign content are treated in the same manner.
Multi-factor authentication is a useful tool in dealing with the
threat of stolen passwords, but many organizations still use it
only in a handful of locations. There are typically only a handful
of applications that can be modified to support a third-party authentication service. There are operational burdens and political
issues that manifest when the app owner and the security team
do not see eye to eye. As a result, multi-factor authentication
tends to be deployed in a limited manner within the organization,
despite the desire to do so pervasively.
The net effect is that organizations remain reliant on passwords
for security and vulnerable to the associated security issues.
With the sophistication of attacks on the rise, there’s little wonder why the problem remains at large. New ideas are necessary
in order to break past the limitations of traditional security
measures.
Preventing Credential Theft with the Palo Alto Networks Platform
The Palo Alto Networks® Next-Generation Security Platform takes
a revolutionary new approach toward the problem of credential
theft, using a set of integrated protections to stop the execution of
an attack at each phase.
First, the platform continuously builds out new intelligence
against phishing websites with the Palo Alto Networks Threat
Intelligence Cloud. Through automated threat intelligence, the
protections in PAN-DB URL Filtering block the user’s attempts to
reach a phishing site.
In addition, the preventive capabilities of the platform identify
when users attempt to submit their credentials to a website, and
enforce policies according to whether such actions are appropriate. For instance, there are only a small number of websites that
actually need corporate credentials, and those applications are well
known to the security team. By defining policies that allow users to
submit their credentials to these specific sites, and no others, the
platform stops the user from mistakenly sending credentials to sites
that do not need them and should not have them. It acts as a safety
net, preventing the user from inadvertently submitting credentials
to new, unknown phishing sites.
If an adversary is already in possession of stolen credentials or
already has a presence within the network, the Palo Alto Networks
Next-Generation Firewall neutralizes the adversary’s ability to use
those credentials to move laterally in an attempt to access critical
systems. The firewall sees all application traffic and serves as the
enforcement point to control granular levels of access and enforce
multi-factor authentication policy as necessary. The network connection
to sensitive applications is only available to the authorized
user who successfully completes multi-factor authentication; all
other attempts to reach the application are not permitted. The
firewall centralizes policy and enforces controls in the network,
thus reducing administrative effort and cutting exposure to the risk
of attackers using stolen credentials for lateral movement.
These measures work hand in hand with identity frameworks from
technology partners of Palo Alto Networks including Ping Identity®,
Okta, RSA® and Duo Security. The integrations enable organizations to centralize identity functions (management, multi-factor
authentication, and single sign-on) through these frameworks,
while enabling the platform to drive authentication policy and serve
as an enforcement point.
Conclusion
Take action against your exposure to risks by implementing the
protections of the Next-Generation Security Platform to address
credential phishing and abuse. These measures, which are only
possible through the platform, establish important preventive
capabilities to reduce risk and bolster the protections that are in
place within your organization to stop cyberattacks.
© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark
of Palo Alto Networks. A list of our trademarks can be found at
http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned
herein may be trademarks of their respective companies. neutralizing-credential-theft-and-abuse-sb-020617