Compromised Session Detection


Compromised session detection identifies user sessions that an unauthorized party has taken over or is using. It involves monitoring and analyzing session activity to detect indicators of malicious behavior that deviate from the legitimate user's actions.

Here's a breakdown of the key elements:

  • Session Monitoring: This is the foundation and involves continuously tracking user activity within a session. This can include:

    • Logins and logouts

    • Navigation patterns

    • Data access and modifications

    • Transactions performed

    • Keystrokes and mouse movements

  • Behavioral Analysis: This core component establishes a "normal" user behavior baseline. The system then looks for deviations from this baseline, which could signal a compromised session. Examples of behavioral anomalies include:

    • Unusual login locations or times

    • Access to resources the user doesn't usually access

    • Rapid or automated actions that are not typical of human users

    • Changes in typing speed or patterns

  • Contextual Analysis: This involves considering various contextual factors to improve detection accuracy. These factors can include:

    • Device information (e.g., type, operating system, browser)

    • Network information (e.g., IP address, geographic location)

    • Time of day

    • User roles and permissions

  • Threat Intelligence Integration: This involves incorporating information about known attack patterns and malicious actors to enhance detection capabilities. This can include:

    • Indicators of Compromise (IOCs): Data about known malicious activity.

    • Attack signatures: Patterns of activity associated with specific types of attacks.

  • Detection Techniques: Various techniques are used to detect compromised sessions, including:

    • Rule-based detection: Using predefined rules to identify suspicious activity.

    • Anomaly detection: Identifying deviations from established behavioral baselines.

    • Machine learning: Training algorithms to recognize patterns of malicious activity.

  • Alerting and Response: When a compromised session is detected, the system should:

    • Generate an alert to security personnel.

    • Potentially take automated actions, such as:

      • Terminating the session

      • Requiring the user to re-authenticate

      • Locking the user's account

By effectively detecting compromised sessions, organizations can minimize the damage caused by attackers and protect sensitive data and systems.
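The elements listed above can be combined into one small detector. The following Python program is an added example, not code from the original page: it builds a per-user baseline from historical sessions, applies rule-based and contextual checks (new location, new device, unusual hour, unfamiliar resources, role mismatch, automated action rate) to live sessions, and maps the resulting score to the response tiers listed above. All session events, field names (country, device, resource, role), weights and thresholds are constructed for illustration and would need tuning against real data.

```python
# Added example (not from the original page): a minimal compromised-session
# detector. Events, field names, weights and thresholds are all constructed.
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Event:
    ts: datetime      # UTC timestamp of the action
    user: str
    session: str      # session identifier
    country: str      # assumed to be pre-derived from the client IP
    device: str       # assumed device fingerprint (OS + browser + ...)
    resource: str     # resource accessed
    role: str         # role the user held at the time


@dataclass
class Baseline:
    """Per-user 'normal' profile built from historical sessions."""
    countries: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    resources: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)


def build_baselines(history):
    baselines = defaultdict(Baseline)
    for e in history:
        b = baselines[e.user]
        b.countries[e.country] += 1
        b.devices[e.device] += 1
        b.resources[e.resource] += 1
        b.hours[e.ts.hour] += 1
    return dict(baselines)


MAX_ACTIONS_PER_MINUTE = 30   # above this, activity looks scripted


def score_session(events, baseline):
    """Score one session's events; higher means stronger evidence of compromise."""
    score, reasons = 0, []
    first = events[0]
    # Contextual analysis: network location and device
    if first.country not in baseline.countries:
        score += 3; reasons.append(f"login from new country {first.country}")
    if first.device not in baseline.devices:
        score += 2; reasons.append("unrecognised device fingerprint")
    # Behavioural analysis: an hour at which this user has never been active
    if baseline.hours and baseline.hours[first.ts.hour] == 0:
        score += 1; reasons.append(f"activity at unusual hour {first.ts.hour:02d}:00 UTC")
    # Behavioural analysis: resources outside the user's usual set
    unfamiliar = sorted({e.resource for e in events} - set(baseline.resources))
    if unfamiliar:
        score += 2; reasons.append(f"access to unfamiliar resources {unfamiliar}")
    # Contextual analysis: privileged resource touched outside the admin role
    if any(e.resource.startswith("/admin") and e.role != "admin" for e in events):
        score += 2; reasons.append("privileged resource accessed outside admin role")
    # Rate check: rapid or automated actions not typical of a human
    peak = max(Counter(e.ts.replace(second=0, microsecond=0) for e in events).values())
    if peak > MAX_ACTIONS_PER_MINUTE:
        score += 3; reasons.append(f"{peak} actions within one minute")
    return score, reasons


def decide_action(score):
    """Map evidence strength to the response tiers listed above."""
    if score >= 7:
        return "terminate_and_lock"
    if score >= 4:
        return "require_reauth"
    if score >= 2:
        return "alert_only"
    return "none"


def detect(history, live):
    """Return {session_id: (action, score, reasons)} for the live events."""
    baselines = build_baselines(history)
    sessions = defaultdict(list)
    for e in sorted(live, key=lambda e: e.ts):
        sessions[e.session].append(e)
    findings = {}
    for sid, evs in sessions.items():
        score, reasons = score_session(evs, baselines.get(evs[0].user, Baseline()))
        findings[sid] = (decide_action(score), score, reasons)
    return findings


def _t(day, hour, minute=0, second=0):
    return datetime(2024, 5, day, hour, minute, second, tzinfo=timezone.utc)


# Constructed history: alice works 09:00-16:00 UTC from one country on one device
HISTORY = [
    Event(_t(1 + i // 8, 9 + i % 8), "alice", f"h{i}", "DE", "dev-A",
          ("/dashboard", "/reports")[i % 2], "analyst")
    for i in range(16)
]
# Constructed live traffic: one normal session and one that looks hijacked
LIVE = [
    Event(_t(6, 10, m), "alice", "s-ok", "DE", "dev-A", r, "analyst")
    for m, r in enumerate(("/dashboard", "/reports", "/dashboard"))
] + [
    Event(_t(6, 3, 12, s), "alice", "s-bad", "BR", "dev-Z", "/admin/export", "analyst")
    for s in range(40)
]

if __name__ == "__main__":
    for sid, (action, score, reasons) in detect(HISTORY, LIVE).items():
        print(f"{sid}: score={score} action={action} reasons={reasons}")
```

The additive score is deliberately simple so that each alert carries a readable list of reasons; in practice the weights would be learned or tuned per user population, and a single strong signal (a credential known to be leaked, for instance) would usually be allowed to trigger re-authentication on its own.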

ThreatNG's strength lies in its external attack surface management capabilities. Although it works alongside, rather than replaces, internal real-time compromised session detection tools like UEBA, it dramatically improves an organization's detection of compromised sessions through its rich external context and threat intelligence.

Here's how ThreatNG contributes:

  • External Discovery:

    • ThreatNG's external discovery identifies all external-facing assets where sessions originate (web applications, APIs, etc.). This is crucial for understanding the attack surface and potential entry points for attackers attempting to compromise sessions.

    • For example, ThreatNG's discovery of all subdomains can reveal forgotten applications with weak authentication, making them a target for attackers seeking to compromise sessions.

  • External Assessment:

    • ThreatNG's external assessments provide valuable information that aids in detecting compromised sessions:

      • The Web Application Hijack Susceptibility rating highlights applications with weaknesses in their session management, indicating a higher risk of session compromise.

      • The Subdomain Takeover Susceptibility rating identifies subdomains that attackers could compromise to steal session credentials, which they could use to access legitimate sessions.

      • The Cyber Risk Exposure assessment reveals external vulnerabilities (e.g., exposed ports) that attackers could exploit to gain unauthorized access and potentially compromise sessions.

  • Reporting:

    • ThreatNG's reporting provides information that security teams can use to improve their compromised session detection capabilities:

      • Technical reports detail vulnerabilities and weaknesses that attackers could exploit to compromise sessions.

      • Security ratings measure the organization's overall security posture, including factors relevant to session security.

  • Continuous Monitoring:

    • ThreatNG's continuous monitoring of the external attack surface provides ongoing intelligence that helps proactively detect potential session compromises. It also alerts organizations to new or changing external risks that attackers could exploit.

  • Investigation Modules:

    • ThreatNG's investigation modules provide valuable context for analyzing potential session compromise:

      • Domain Intelligence helps security teams understand the organization's web infrastructure and identify potential attack vectors. For example, Email Intelligence can provide information on email security presence, which is relevant to detecting phishing attacks aimed at stealing session credentials.

      • The Sensitive Code Exposure module detects leaked credentials or API keys that attackers could use to bypass standard authentication and compromise sessions.

      • The Search Engine Exploitation module helps identify information leakage that attackers could use to plan session hijacking attacks.

  • Intelligence Repositories:

    • ThreatNG's intelligence repositories provide crucial information for detecting compromised sessions:

      • The Dark Web Presence repository alerts organizations to compromised credentials that attackers could use to gain unauthorized session access.

      • The repository of Known Vulnerabilities helps security teams prioritize their monitoring and detection efforts by focusing on actively exploited vulnerabilities.

  • Working with Complementary Solutions:

    • ThreatNG's external insights enhance the effectiveness of internal compromised session detection systems:

      • ThreatNG's identification of vulnerable web applications can better inform the rules and configurations of Web Application Firewalls (WAFs) and Intrusion Detection Systems (IDSs) to detect and block session hijacking attempts.

      • ThreatNG's data on compromised credentials can be integrated with SIEM or UEBA systems to detect suspicious login activity indicative of account takeover.

  • Examples of ThreatNG Helping:

    • ThreatNG identifies a web application with weak session management, prompting security teams to implement stricter monitoring and detection rules for that application.

    • ThreatNG discovers leaked API keys that could be used to bypass authentication, allowing security teams to correlate their use with suspicious session activity.

  • Examples of ThreatNG Working with Complementary Solutions:

    • ThreatNG's vulnerability data can be used to tune an IDS to more aggressively monitor sessions interacting with a vulnerable application.

    • ThreatNG's compromised credential data can be fed into a UEBA system to flag sessions where those credentials are used anomalously.
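As an added example (not ThreatNG's code; this page does not describe its export format or API, so none is assumed), the Python below shows how an internal alerting pipeline could consume the two kinds of external context the examples above mention: a watchlist of credentials and API key identifiers seen in leak data, and a list of applications rated weak on session management, for which stricter thresholds are applied. The feed contents, UEBA scores and thresholds are all constructed.

```python
# Added example, not ThreatNG's code: enriching internal session alerts with
# external context. All identifiers, scores and thresholds are constructed.
import hashlib

SEVERITY = ("info", "low", "medium", "high", "critical")


def fingerprint(value: str) -> str:
    """Keep only hashes of leaked identifiers so the watchlist itself
    never carries usable credentials."""
    return hashlib.sha256(value.encode()).hexdigest()


# Constructed external context (placeholders, not real findings)
LEAK_WATCHLIST = {fingerprint("alice@example.com"), fingerprint("key-7f3a")}
WEAK_SESSION_APPS = {"legacy.example.com"}   # rated weak on session management

# Normal thresholds for an internal UEBA anomaly score, and stricter ones for
# applications the external assessment flagged.
THRESHOLDS = (2, 4, 6, 8)
STRICT_THRESHOLDS = (1, 2, 4, 6)


def base_level(ueba_score: float, app: str) -> int:
    thresholds = STRICT_THRESHOLDS if app in WEAK_SESSION_APPS else THRESHOLDS
    return sum(ueba_score >= t for t in thresholds)


def enrich(event: dict) -> dict:
    """Raise an alert's severity when external context implicates the session."""
    level = base_level(event["ueba_score"], event["app"])
    reasons = []
    if event["app"] in WEAK_SESSION_APPS:
        reasons.append("application rated weak on session management; strict thresholds used")
    if fingerprint(event["user"]) in LEAK_WATCHLIST:
        level += 2
        reasons.append("user credential present in external leak data")
    key_id = event.get("api_key_id")
    if key_id and fingerprint(key_id) in LEAK_WATCHLIST:
        level += 2
        reasons.append("API key id present in external leak data")
    level = min(level, len(SEVERITY) - 1)
    return {"session": event["session"], "severity": SEVERITY[level], "reasons": reasons}


def triage(events):
    """Enrich every event and return alerts, most severe first."""
    alerts = [enrich(e) for e in events]
    return sorted(alerts, key=lambda a: SEVERITY.index(a["severity"]), reverse=True)


# Constructed session events, each with an internal UEBA anomaly score attached
EVENTS = [
    {"session": "s1", "user": "bob@example.com", "app": "portal.example.com", "ueba_score": 3},
    {"session": "s2", "user": "bob@example.com", "app": "legacy.example.com", "ueba_score": 3},
    {"session": "s3", "user": "alice@example.com", "app": "portal.example.com", "ueba_score": 3},
    {"session": "s4", "user": "svc-deploy", "app": "api.example.com", "ueba_score": 0,
     "api_key_id": "key-7f3a"},
]

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

The same UEBA score of 3 yields a low alert on an ordinary application, a medium one on the application rated weak externally, and a high one when the user's credential is on the leak watchlist; a session using a leaked API key is surfaced even with no behavioural anomaly at all, which is the correlation the text describes.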

ThreatNG provides essential information and context that significantly improves an organization's ability to detect compromised sessions.
