When cyber criminals log in, but don’t break in, is your data still secure?
Richard Wainwright, Field CTO for UK&I at Veritas Technologies
The notion of having our identity stolen and used maliciously is a concern that everyone in society should share today. The vulnerability, the not knowing, and the anxiety about who would do this, why, and what they might use it for are very real. This is bad enough in our personal lives, but when that identity includes administrative credentials to the core cyber resilience platform of a national or multinational organisation, the impact can be even more devastating.
In both the corporate and public sectors, malicious credential theft is on the rise, fuelling a sharp increase in incidents that begin with a compromised account and escalate privileges from there. These attacks are no longer aimed primarily at production or edge systems; instead they target an organisation’s last line of defence: the data protection infrastructure.
Because of their extensive access to sensitive commercial, personal and competitive datasets, system administrators are being targeted for credential theft more specifically than ever before. Cybercriminals are designing more complex attacks to obtain those credentials and launching them more effectively with the help of AI-driven tooling. Whether it is GenAI-generated phishing, video deepfakes or other new forms of impersonation, stealing credentials, or simply convincing employees to hand them over unwittingly, has become a favoured approach across the entire workforce, from C-level executives to end users and system admins.
The necessity for dedicated security controls
According to a 2024 IBM report, attacks leveraging valid credentials surged by 71% year over year. This alarming trend underscores the urgent need for heightened vigilance and specialised security measures. The rise of advanced session hijacking techniques means relying solely on enterprise-wide Single Sign-On (SSO) is no longer enough: a stolen session token carries the completed authentication with it, so the login page is never challenged again. Organisations must fortify their data protection infrastructure with dedicated security controls such as Multi-Factor Authentication (MFA), Multi-Person Authorisation (MPA), Privileged Access Management (PAM), and other robust defences. Safeguarding against credential theft is paramount in defending your organisation’s most precious asset: its data.
A few years ago, concepts like immutability, anomaly detection, and malware scanning were the key focal points in hardening data protection defences. These are now considered fundamental. They have forced threat actors to shift towards “soft targets”, using phishing, social engineering, MFA fatigue, and other credential-based attacks to log in, not break in, to your infrastructure.
Defence plans must adapt to keep pace with a rapidly accelerating threat landscape. We are at a critical point where internal IT security teams’ capacity to safeguard corporate data too often falls short of the exponential rise in its volume, its value to threat actors, and its exposure to external penetration. The larger this gap grows, the greater the likelihood of a significant security breach, a protracted outage, and data privacy compliance failures.
Adaptive Self-Defense Solution
One of the best ways of closing this widening gap is through self-defending data protection solutions. These automated defences are the most effective at beating ransomware attacks based on stolen or maliciously obtained admin credentials. They work by actively and continuously monitoring system administrator activity and responding to anomalous behaviour by adjusting security controls (such as raising multi-factor authentication and multi-person authorisation challenges) and automatically flagging actions that pose potential corporate risk.
Adaptive, self-learning defence solutions like these are now a critical part of enterprise data protection and must be adopted to have any chance of maintaining corporate compliance while avoiding the devastating reputational damage of a major data breach.
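The behaviour described above (baseline an administrator's normal activity, step up to an MFA or MPA challenge when an action looks anomalous, and always require a second person for recoverability-destroying changes) can be reduced to a small policy engine. The following is an added example written for this article, not Veritas code; the action names, thresholds, IP addresses and sample events are all constructed for illustration.

```python
"""Added example, not Veritas code: an adaptive step-up policy for backup
administrator actions. Every name, threshold and sample event is hypothetical."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Operations that reduce recoverability. A valid login alone must never be
# enough for these; a second person has to approve (multi-person authorisation).
DESTRUCTIVE = {"delete_backup", "shorten_retention", "disable_immutability",
               "remove_mfa", "add_admin"}


@dataclass
class AdminAction:
    user: str
    action: str
    source_ip: str
    ts: datetime  # timezone-aware UTC


@dataclass
class AdminProfile:
    """Per-admin baseline learned from ordinary, already-verified activity."""
    known_ips: set = field(default_factory=set)
    active_hours: set = field(default_factory=set)  # UTC hours seen so far
    recent: list = field(default_factory=list)       # timestamps inside the burst window


class StepUpPolicy:
    """Returns ALLOW, MFA (re-authenticate, which a replayed session cannot do)
    or MPA (a second administrator must approve), plus the reasons, for audit."""
    def __init__(self, burst_window_s=300, burst_limit=5):
        self.profiles = defaultdict(AdminProfile)
        self.burst_window_s = burst_window_s
        self.burst_limit = burst_limit

    def learn(self, a: AdminAction) -> None:
        """Call only for activity that passed its challenge, so an attacker's
        address and hours never become part of the baseline."""
        p = self.profiles[a.user]
        p.known_ips.add(a.source_ip)
        p.active_hours.add(a.ts.hour)

    def anomalies(self, a: AdminAction) -> list:
        p = self.profiles[a.user]
        reasons = []
        if a.source_ip not in p.known_ips:
            reasons.append("new_source_ip")
        if p.active_hours and a.ts.hour not in p.active_hours:
            reasons.append("off_hours")
        p.recent = [t for t in p.recent
                    if (a.ts - t).total_seconds() <= self.burst_window_s]
        p.recent.append(a.ts)
        if len(p.recent) > self.burst_limit:
            reasons.append("burst")  # scripted mass action, not a human at a console
        return reasons

    def decide(self, a: AdminAction):
        reasons = self.anomalies(a)
        if a.action in DESTRUCTIVE:
            return "MPA", reasons + ["destructive"]
        if reasons:
            return "MFA", reasons
        return "ALLOW", reasons


def run_demo():
    """Constructed scenario: a week of normal activity for 'alice', then a
    session from an unknown address at 03:00 UTC that tries to delete backups,
    then a scripted burst from her usual workstation."""
    utc = timezone.utc
    policy = StepUpPolicy()
    for day in range(1, 8):
        for hour in range(9, 18):
            policy.learn(AdminAction("alice", "list_backups", "10.0.0.5",
                                     datetime(2024, 6, day, hour, tzinfo=utc)))
    events = [
        AdminAction("alice", "list_backups", "10.0.0.5", datetime(2024, 6, 10, 10, 0, tzinfo=utc)),
        AdminAction("alice", "list_backups", "203.0.113.9", datetime(2024, 6, 11, 3, 0, tzinfo=utc)),
        AdminAction("alice", "delete_backup", "203.0.113.9", datetime(2024, 6, 11, 3, 1, tzinfo=utc)),
    ]
    events += [AdminAction("alice", "list_backups", "10.0.0.5",
                           datetime(2024, 6, 12, 11, 0, 10 * i, tzinfo=utc)) for i in range(6)]
    return [(e.action, *policy.decide(e)) for e in events]


if __name__ == "__main__":
    for action, decision, reasons in run_demo():
        print(f"{action:14s} -> {decision:5s} {reasons}")
```

The design point is that the destructive set is checked regardless of the anomaly score: an attacker who has patiently matched the administrator's address and working hours still cannot delete backups or disable immutability without a second human, while the anomaly signals decide whether a routine action is allowed through or forces a fresh MFA challenge.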
Entropy Anomaly Detection
Another critical aspect is time-series anomaly detection on the backup data itself. In basic forms this has been available in the market for quite some time. The technique establishes stable baselines by analysing patterns from backups over multiple weeks, while continuously learning granular data characteristics unique to the protected asset as it changes. Because it learns what is normal for the asset rather than what a particular ransomware family looks like, it is agnostic to ransomware type, and is referred to here as zero-shot learning.
What is new is the scale and capability of how this is done: anomalies can now be detected inline as backups occur, with near-zero impact on performance, without additional resources and without the expensive cloud compute costs of post-hoc analysis.
This patent-pending innovation reduces the time to find and flag potential anomalies for further investigation, which is particularly important in limiting the potential blast radius of a breach.
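To make the entropy-baselining idea concrete, here is an added example, not Veritas code and not its patent-pending method: a per-file Shannon entropy baseline that is updated online as each backup run streams through, so no history is re-read and no post-hoc pass is needed. The file paths, thresholds and five sample backup runs are constructed; in the last run one document is replaced by random bytes to stand in for a ransomware-encrypted copy.

```python
"""Added example, not Veritas code: online entropy anomaly detection across
backup runs. Names, thresholds and sample data are constructed for illustration."""
import math
import random
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniform). Encrypted or
    compressed data sits close to 8; text, logs and databases sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class OnlineBaseline:
    """Welford running mean/variance, updated once per backup run, so the
    baseline costs a few floats per path and never re-reads earlier runs."""
    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def std(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class EntropyAnomalyDetector:
    """Per-path baselines: a file that is always high-entropy (an archive, a
    media file) is normal for itself, so it is not confused with a freshly
    encrypted document. The thresholds are hypothetical tuning values."""
    def __init__(self, min_history=3, z_threshold=4.0, min_jump=1.0):
        self.baselines = defaultdict(OnlineBaseline)
        self.min_history = min_history
        self.z_threshold = z_threshold
        self.min_jump = min_jump

    def score_file(self, path: str, data: bytes):
        e = shannon_entropy(data)
        b = self.baselines[path]
        anomalous = False
        if b.n >= self.min_history:
            jump = e - b.mean
            # floor the spread: an unchanged file has std 0 and would otherwise
            # turn any tiny drift into an infinite z-score
            z = jump / max(b.std, 0.05)
            anomalous = jump >= self.min_jump and z >= self.z_threshold
        if not anomalous:
            # a suspected encrypted copy must not become the new normal
            b.update(e)
        return e, anomalous

    def score_backup(self, run_id: int, files: dict):
        """Scores one backup inline and returns the paths flagged in this run."""
        return [(run_id, path) for path, data in files.items()
                if self.score_file(path, data)[1]]


def build_sample_runs(encrypt_in_run=5):
    """Constructed data: five backup runs of three files. In the last run the
    report is replaced by random bytes, standing in for an encrypted copy."""
    runs = []
    rng = random.Random(7)
    archive = bytes(rng.getrandbits(8) for _ in range(2048))  # already compressed, never changes
    for r in range(1, 6):
        log = "".join(f"2024-06-{r:02d} 10:{i:02d} INFO backup job {i} completed ok\n"
                      for i in range(60)).encode()
        report = (f"Quarterly report, revision {r}. " * 120).encode()
        if r == encrypt_in_run:
            enc = random.Random(1000 + r)
            report = bytes(enc.getrandbits(8) for _ in range(len(report)))
        runs.append((r, {"var/log/app.log": log, "docs/report.txt": report,
                         "backup/archive.zip": archive}))
    return runs


def run_demo():
    det = EntropyAnomalyDetector()
    flagged = []
    for run_id, files in build_sample_runs():
        flagged.extend(det.score_backup(run_id, files))
    return flagged


if __name__ == "__main__":
    print(run_demo())  # expect only (5, 'docs/report.txt')
```

Two practitioner details matter here. The archive is high-entropy in every run and is never flagged, because the baseline is per path rather than a global threshold; and a flagged file is deliberately excluded from the baseline update, otherwise an attacker who encrypts slowly over several runs would drag the "normal" entropy up with them.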
With the rise in ransomware and cyber-attacks, every organisation must treat being targeted as a matter of ‘when’ rather than ‘if’, and investment in these tools must likewise be considered a necessity for operational resilience.
July 05, 2024