Reducing Detection from Months to Minutes: Detecting Credentials in the Clear

Thursday, April 20, 2017

Welcome back to our blog series on reducing detection time from months to minutes. In our first and second posts, we showed how you can use metadata to quickly resolve phishing attacks and investigate threats retroactively. While those two scenarios are pretty common, here’s one that may be new to you: detecting credentials in the clear.

First, let’s take look at a typical day in a typical office. Employees (including top executives) are accessing external applications without HTTPS for authentication. Somewhere, the mail administrator is using an ftp application that doesn’t encrypt credentials.

Normal activities. What could possibly go wrong?

There is a high probability that their credentials are being passed in the clear. It doesn’t even matter if it’s the strongest possible password. By simply listening to the network traffic, it’s easy for attackers to grab the credentials.

Unlike the two scenarios in our previous posts – where you know you are on the hunt for an attacker – user credential theft can happen right before your eyes. You won’t even know it’s happening.

Why should attackers bother with complex and expensive zero day exploits or sophisticated malware when a username and password can grant access to almost any application? Attackers can grab passwords passed in the clear and get a toehold on your network. Once inside, they can move laterally. It’s a huge problem for network defenders.

To make matters worse, employees willingly engage in online activity that is tantamount to shouting out their passwords at Black Hat or posting their credentials in a Dark Web user forum?

Fortunately, we have an answer: Pre-empt the would-be attacker by detecting credentials in the clear as they cross the wire.

Impossible? It’s not only possible. It’s easy. 

Let’s look at the Wall of Sheep hacking event at DEFCON (full disclaimer, we’ve sponsored and participated in this event for several years). Participants are given network traffic data from the conference’s free Wi-Fi network to look for user credentials passed in the clear. These credentials, when vetted, are partially obfuscated and posted to a giant screen (dubbed “the Wall”) to expose users’ data. The goal of the exercise isn’t to embarrass. It’s aimed at drawing attention to the fact that this could happen to anyone, on any network.

Year after year, we’ve seen common protocols that transfer credentials in the clear -- like POP3, IMAP, FTP, Telnet and even SMTP -- continue to be used in volume – even in enterprise environments. We’re also seeing applications using http are inadvertently sharing credentials. This is especially true for IoT devices, which often lack encryption. That fitness tracker you’re using to count your steps? That webcam on your monitor? All could be passing credentials in the clear.

Because Fidelis Network, our next generation network intrusion prevention system, is fine-tuned to detect credentials in the clear, it’s a simple matter to detect when a username is observed in a network session and find out whether a password was attached to it.

A simple search and filter of your network’s metadata shows the session, the protocol, the observed username, and the fact that there was a password. Here we see that the system identified a non-standard protocol.

With one click, you can further explore the unknown protocol session and extract usernames and passwords. Depending on the details, a security analyst may need to elevate the event to a real security incident – or simply educate the user. 

Historical access to metadata makes finding and resolving threats that go beyond typical malware -- like credentials in the clear -- easier to deal with. Unfortunately, this is where classic intrusion prevention systems typically fall short. Traditional IPSs are focused on real-time detection and prevention. They have no non-selective memory and no ability to go back in time. That’s a problem when it comes to stopping modern intrusions.

Today’s threats require you to extract, store, and analyze rich protocol, application and content level metadata from every session that traverses the network. And with that visibility comes peace of mind. Not only do you know what is happening on your network, but you can do something about it.

Did you know Fidelis automates the collection, analysis and storage of your network data so it’s ready for you to investigate immediately? Fidelis Network captures rich metadata about every session on your network – making it possible to investigate suspected incidents in seconds – and gives you answers to questions that were once impossible to know.

Ready to do impossible things with metadata? Read our white paper, Talk Metadata To Me: How to Decode Your Network’s Deepest and Darkest Secrets and contact Fidelis today.

Check out the first two installments of our “Three Ways to Reduce Detection Time from Months to Minutes” series:

Part 1: Phind the Phish

Part 2: Investigating Threats Retroactively

--- Fidelis Cybersecurity VP of Threat Research Hardik Modi