IT security: spotting the attacker at the logon

François Amigorena outlines the measures required to identify and deal with inappropriate access

IT security continues to challenge all types of education institutions. According to EDUCAUSE, a nonprofit association of IT leaders in higher education, information security is the number one issue in 2018 for the third year in a row.

It’s not easy when students are largely tech savvy, sometimes know more than their own IT department, and are generally unconcerned about the security and wellbeing of the network environment. Spotting an attacker is difficult.

With the use of compromised internal credentials, any attacker is simply accessing whatever data the user was already given access to. How are you supposed to spot inappropriate access when it’s already defined as appropriate?

First, let’s breakdown who we’re dealing with. Individuals involved in a threat action typically fall into one of three categories:

  • Malicious usersInsiders that have shifted their loyalty from the education institution to themselves, and are engaged in some kind of inappropriate activity (such as hacking, data theft, etc.) that benefits themselves over the organisation

  • Negligent usersUnwitting participants in phishing and social engineering scams. They take the bait and help to infect endpoints with malware that may be the attack (as in the case of ransomware), or simply provide a foothold for further actions by criminal online organisations

  • External attackerToday, this is more likely a member of an organisation than a loner. These individuals leverage hacking, social, malware, and many other toolsets to create a way into your network. Once inside, they work to take on one or more sets of elevated credentials to provide them with greater access and an ability to move about the network in an attempt to identify valuable data

Of the three, it’s the malicious user and external attacker that can be classified as the main threat actors.

When you boil it down, the only way to really tell if someone is a malicious insider or an intent external threat actor is by allowing them to perform actions (such as launching applications, authenticating to systems, accessing data, etc.) and then determining whether the actions are inappropriate.

But, given the majority of your student population doesn’t act the same way in the next class – let alone the next week or month – it makes more sense to spot the threat actor by looking at leading indicators of threat activity, rather than waiting for the threat activity itself.

Logon management – a leading indicator of compromise

One of the most accurate leading indicators is something no malicious insider or external threat actor can get around: the logon.

Unlike solutions that detect malicious actions once damage is done, Logon Management takes a far more proactive approach.

Whether it’s a student trying their hand at hacking or leveraging a stolen teacher’s password, a teacher up to no good, or an external attacker leveraging stolen credentials, they all need to logon in order to be successful.

To stop an attacker, you therefore need to take away their most precious attack asset: the ability to logon with compromised credentials.

François Amigorena

Securing Education at the Logon

Four primary functions work in concert to maintain a secure environment:

Policy Establishes who can logon when, from where, for how long, how often, and how frequently. It can also limit specific combinations of logon types and users

MonitoringAwareness of every single logon, as it occurs, serves as the basis for the enforcing policy, alerting, reporting, and more

AlertingNotifies IT and pertinent users of inappropriate logon activity and failed attempts

ResponseAllows IT to interact with a suspect session, to lock the console, log off the user, or even block them from further logons

Should a logon fall outside a set of established restrictions, logon management solutions can automatically block access or, if already connected, immediately log a user off forcefully and lock the account, putting a stop to the attack before any malicious actions are taken.

Using policy-driven controls, Logon Management is configured based on the normal use of the environment, only restricting or providing alerts when a logon is out of policy. For example, if a student gets a hold of a teacher’s credentials and tries to logon on a Saturday at three in the morning, you want a notification about it. Likewise, if the student is trying to logon during regular school hours but keeps getting cold feet, resulting in multiple logons within a short duration of time, IT also wants to know.

There is no doubt that IT organisations in the education sector need a more proactive security strategy. They need to be able to identify when any kind of threat actor tries to hit, without obstructing the abilities of faculty, staff, and students. The logon is a leading attack indicator that no malicious insider or external threat can get around.

IS Decisions logon management solution, UserLock, provides a comprehensive layer of security over Windows-based networks. Using a mixture of enforceable logon policies, alerting, and response actions, it empowers organizations to leverage the active directory logon as a critical security checkpoint – before any attacker takes action.

François Amigorena is the founder and CEO of IS Decisions.