Detecting Credential Abuse |
Abstract
Attackers love credentials. Creds are often the key to objectives - the long-fought initial foothold, that much-needed lateral movement, or the final privilege escalation that can mean the difference between a lucrative return-on-investment, or burned time, effort, and resources. And as defenders, it isn't always easy to tell who is behind the credential. After all, all we have are logs, right...? But logs can be extremely valuable, and we know a lot about credentials; from their creation, to their usage, and subsequent invalidation. And we know a lot about how they are issued, where they are (or should be) stored, and to which systems they are provided. So how do we pull the badness from the noise, and detect/prevent those we defend from being pwned? This talk will discuss core detection concepts targeting credential abuse, including useful detection patterns, the Impossible Travel problem, and credential binding violations. We will also contemplate the trade-offs in controls, the challenges in pulling the needle from the haystack, and the need to consider the user when hardening or responding to suspected credential abuse. Speaker Bio: Having worked in the security industry for 8+ years, Kathy is currently a tech lead in the detection space at a tech company. Her interest and experience is in detection engineering and software development. Outside of work, she also enjoys running, hiking, and reading. Following over a decade in the UK and Australian InfoSec industries, including an 8-and-a-half year stint in red teaming, Troy jumped the proverbial fence from red to blue, and is currently a Security Engineering Manager at Google. His interest and experience is in detection engineering, red teaming, threat modelling, hardware, and assessing ICS environments. Other interests include music, electronics, the outdoors, travel, rugby, CTF, and making piano-related noise. |