Why Deep Defense Should Start with Detecting Compromised Credentials

Different credentials are used by billions of users daily to authenticate themselves in their physical and digital lives. From physical keys to tokens and cards to login and password combinations – all are vulnerable to attack. According to Verizon, 81% of hacking-related breaches leveraged either stolen and/or weak passwords.

Obtaining valid credentials using multiple mechanisms and tools continues to be extremely lucrative for a cyber-criminal. All it takes is a single good credential to gain access to an organization and cause havoc and as IT security teams are under increasing pressure to make the most of their own limited resources, a growing volume and range of sophisticated threats push them into a corner where they can often do little more than react to attacks.

However, with a greater understanding of the lifecycle of a stolen credential and the motivation of the attackers, under-pressure security teams can put in place effective countermeasures to prevent attacks and mitigate the damage when one happens. There are typically four stages to consider, outlined in the Credential Theft Ecosystem report:

  • Gathering of credentials via malware, phishing, DNS hijacking, brute force attacks, social engineering, leaked databases
  • Filtering and extracting credentials via email, IRC, FTP and other channels, sometimes stored in databases configured in C&C panels (also used nowadays to mine credential big data more efficiently)
  • Validation of stolen credentials via automated online account checkers and bots, and sometimes standalone executables for checking specific target accounts
  • Monetization of credentials by selling them in underground markets or using them directly for: identity fraud; hijacking corporate accounts and defacing websites; BEC attacks; obtaining system access to effect larger breaches of customer data and/or IP.

We often find that cyber-criminals value one fresh corporate credential much more than thousands of user records; for an organization, one single valid credential could be enough to take down the entire company.

In a worst-case scenario, the credentials for an admin account could grant access to an advanced threat actor – once they are in the environment they can move laterally, placing backdoors, RATs and other software to become persistent, and exfiltrate the data of employees or customers to resell or utilize for their own financial gain. 

Though phishing and spear-phishing remain somewhat seminal techniques, particularly when combined with social engineering, malware use is often more efficient in terms of volume and timeliness than phishing. Though more complex skills are required for this tactic to be efficient, many malware families are openly sold -as-a-service – AgentTesla, for example is marketed between $6-15 per month, with customer support and updates available, bringing the barrier to entry down.

Advanced attackers may use malware to infect machines and move laterally in an organization’s network. A Pony botnet, for example, can collect on average 8,000 credentials, but, depending on the binary distribution, it could steal up to millions of passwords. The rewards for its operator could be great if any of these are validated and used in time.

The fresher the credential, the more likely it can be used effectively. If the credential has been compromised without alerting the affected user – for example, using malware which removes itself after harvesting the necessary data – then the chances are even higher. Therefore, the sooner compromised credentials are detected, the sooner security teams can remediate.

Credentials are rarely used by cyber-criminals in ‘real-time,’ since they require time to analyze the reams of data captured, filter out ‘prime’ credentials and sell the data if they are not going to exploit it. Deep defense tools which monitor the open, deep and dark web for any hint of compromised data – can massively reduce the impact of an attack.

Broader attack surfaces through digital transformation projects, complex security infrastructures, often requiring a rationalization of budget due to supplier contracts outliving their usefulness, and a rapidly rising skills shortage (a gap set to expand to 350,000 roles in Europe by 2022) mean that a reactive footing has become the norm for too many organizations.

However, once we have accepted that it is impossible to prevent all breaches, at least using real-time intelligence can prevent the direct use or trade of the corporate or customer credentials and mitigate an attack’s impact.

Additionally, GDPR has had some rather unexpected consequences. As well as having to deal with potential penalties to the regulator in the event of a breach, if an entire customer database is exfiltrated, the threat actor can threaten to publish this information in order to extort money from the company. Often for an organization, paying the ransom to the threat actor could the lesser of two evils.

Ultimately, successful deep defense should begin with enhancing your understanding of the lifecycle of a stolen credential. Once you can establish how a credential can be compromised, you can correlate the surrounding threat data, from malware to infection points to threat actors involved.

Gathering and sharing this intelligence can help security teams of all sizes implement its value and improve their security posture. Fighting cybercrime collaboratively means fighting more effectively.

What’s Hot on Infosecurity Magazine?