Chances are you've heard about the breaches of LinkedIn, eHarmony, and last.fm, among others. In these breaches, password hashes were leaked and almost immediately cracked, demonstrating how unfortunately basic many passwords are despite our attempts to make people smarter about passwords with password policies and constant user education. The reality is that passwords are an inconvenience to most people -- a necessary evil -- and a cost of doing business. People frequently reuse passwords or use a pattern with simple words or character addition/replacement, making it possible to follow them around the internet and gain access to multiple accounts. You might not care if the passwords that are exposed are for online dating, music, or other social sites, but what if they were yours? Or worse, what if it was a bank or credit card company that was breached?
Following these breaches, a lot of stories came out about watching accounts for stolen passwords. But many of these articles lacked concrete advice such as what do you actually LOOK for when you get to all that log data?
There are 10 events in particular to monitor for stolen passwords and general abuse on a network.
Critical System Access
The first step is to make a list of all systems that have external access from the internet, then critical systems with internal (but theoretically limited) access from user networks (servers, network devices, management systems).
- Straight up failed logon attempts to any critical system or server. Consider excluding single failed logons from trusted IT administrators, who are infallible and probably have long passwords they might not type without enough coffee.
- Successful and failed logon attempts directly to local administrative accounts (administrator, root, dedicated domain admin), especially on critical systems or servers, but possibly extended into workstations.
- Multiple failed logins to any account. Some systems will have a lockout policy that kicks in, but if it trips and the failures continue, you could be looking at brute force attempts.
- All interactive remote logon activity to internet facing systems. If someone logs on via RDP (or SSH, whatever it might be) to that one system you've got so that guy that contracts for that one service can help you out in a pinch, you should know immediately that it's happening.
- Attempts by non-privileged, non-IT accounts (or IP addresses) to log on interactively to any critical system or server, failed or successful. This just shouldn't be happening, and is either misuse of their account, or possibly they've been compromised and their account is being used to gain access to other resources on the network.
Come back on August 17 to see the followup to blog listing events 6-10 you should monitor on the trail of stolen passwords...