Solving the Perennial Problem of Compromised Credentials
By Chris Camacho
Back when I was in an operational role at a Fortune 50 I always dreaded the day that yet another sensational compromised credential breach was released. I would immediately get internal questions from the C-level, incident response, fraud teams, corporate security, and of course the SOC. While my team worked to collect and understand the dumps, focusing on what was unique to my organization, I was busy handling questions about our exposure from across the organization. We had to move quickly to write an assessment report, especially as the dumps started appearing with credentials in the billions.
The problems I had to solve were as follows:
Who has the dump and where did it originate? Does it contain context? How old is it? Does it contain passwords? What is our exposure? What is our partners' exposure? Are the compromised accounts actively being used against us? Is our staff using corporate email on websites that could pose reputational risk? And lastly, why is it taking so long to collect and process it?
A parallel distraction was that vendors we did not do business with would send unsolicited "sample" credentials to people all over our organization via email or LinkedIn. This only created further confusion and delays, as our team had to address each inquiry that came our way, most of them in the form of "do you know about this dump?"
Once our team had a chance to review what we could of an initial dump, which always took time because of its size and the risk involved in collecting it from out in the wild, the immediate follow-up question was always: how many of these credentials come from other historical breaches, such as LinkedIn or Adobe?
That analysis and comparison also took significant time and carried risk, because we preferred not to do that research on our own network and were concerned about the team seeing plaintext passwords. We were forced to rely on vendors who were trying to do similar work manually across all their customers.
It was precisely this scenario, and the frustrations described above, that drove us here at Flashpoint to build our new Compromised Credentials Monitoring (CCM) product, released earlier this year. We also drew on extensive input from our current customer base, a global network of intelligence practitioners ranging from the largest organizations in the world down to small boutique enterprises operating on a tight security budget. Large or small, we all have to deal with the risk of compromised credentials affecting our organizations in more ways than most people assume.
Beyond identifying credentials from your organization's domain and whether the password was leaked alongside them, organizations should also watch for those credentials being used on apps or websites that could affect your brand and reputation. The same credentials are quickly reused in credential stuffing attacks against other enterprises as actors hunt for account takeover opportunities. Combined with the billions of other compromised credentials now readily available, they can also reveal a password pattern for someone within your organization, which then opens the door to successful logins via one of the many ways into a corporate network. Of course, the credentials can also be used for BEC scams or phishing attempts.
With that in mind, companies can use the Flashpoint CCM product well beyond the threat intelligence team: the credentials should be reviewed by incident response, the SOC, corporate security (to monitor for executive exposure), identity and access management (to check for matches against current passwords), and fraud teams (for any customers or partners who log in as part of your business). Network security teams can also use the dumps to determine whether a credential stuffing attack that is affecting availability lines up with a recent dump.
And the lovely part of our solution is that we do not have to send the passwords through your inbox if your organization restricts that. We can deliver credentials via API so you can build a playbook for how best to address them.
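To make the triage described above concrete, here is an added illustration of the offline processing a team would do on a dump before answering those questions. It is not Flashpoint code or part of the CCM product, and it assumes a plain-text dump with one "email<separator>password" or bare "email" per line, earlier dumps retained only as SHA-256 fingerprints of (email, password) pairs so nobody has to reread plaintext, and an IAM directory that stores PBKDF2-SHA256 hashes with per-user salts. The sample dump, historical set and directory are all constructed for the example.

```python
"""Offline triage of a compromised-credential dump (added example).

Assumptions, not from the original post: dump lines are "email<sep>password"
or a bare "email"; earlier dumps survive only as fingerprints; the IAM
directory holds PBKDF2-SHA256 hashes with per-user salts.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

ORG_DOMAINS = {"example.com"}        # assumed corporate domains
SEPARATORS = (":", ";", ",", "\t")   # separators commonly seen in dumps
PBKDF2_ITERATIONS = 50_000           # assumed directory setting

# Constructed sample dump: mixed casing, separators, noise and a repeat.
SAMPLE_DUMP = """\
alice@Example.com:Winter2019!
bob@example.com;hunter2
carol@othercorp.net:Password1
dave@example.com
not a credential line
bob@example.com:hunter2
"""


def fingerprint(email: str, password: str) -> str:
    """Plaintext-free identifier for an (email, password) pair."""
    return hashlib.sha256(f"{email}\x00{password}".encode()).hexdigest()


# Constructed "historical" set: bob's pair was already in an earlier dump.
HISTORICAL: Set[str] = {fingerprint("bob@example.com", "hunter2")}


def parse_line(raw: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (email, password-or-None) for a dump line, or None if unusable."""
    line = raw.strip()
    if "@" not in line:
        return None
    # Split on whichever known separator appears first; bare emails have none.
    cuts = [(line.index(s), s) for s in SEPARATORS if s in line]
    if cuts:
        idx, _ = min(cuts)
        email, password = line[:idx], line[idx + 1:]
    else:
        email, password = line, ""
    email = email.strip().lower()
    if email.count("@") != 1 or "." not in email.rsplit("@", 1)[1]:
        return None
    return email, (password or None)


@dataclass
class Hit:
    email: str
    has_password: bool
    fingerprint: Optional[str]   # None when the dump carried no password
    seen_before: bool            # pair already present in a historical dump


def triage(lines: Iterable[str], org_domains: Set[str],
           historical: Set[str]) -> Tuple[int, List[Hit]]:
    """Count parseable records and return deduplicated org-domain hits.

    Plaintext is reduced to fingerprints here, so the result can be handed
    to the SOC or executives without exposing anyone's password.
    """
    total = 0
    hits: Dict[str, Hit] = {}
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        total += 1
        email, password = parsed
        if email.rsplit("@", 1)[1] not in org_domains:
            continue
        fp = fingerprint(email, password) if password is not None else None
        key = fp or email
        if key not in hits:
            hits[key] = Hit(email, password is not None, fp,
                            bool(fp) and fp in historical)
    return total, list(hits.values())


def directory_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 as the assumed IAM directory stores it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS)


# Constructed directory: alice still uses the leaked password, bob rotated.
DIRECTORY: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": (b"salt-a", directory_hash("Winter2019!", b"salt-a")),
    "bob@example.com": (b"salt-b", directory_hash("Rotated-2020", b"salt-b")),
}


def check_directory(lines: Iterable[str],
                    directory: Dict[str, Tuple[bytes, bytes]]) -> Set[str]:
    """Emails whose leaked password still matches the live directory hash."""
    matched: Set[str] = set()
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None or parsed[1] is None or parsed[0] not in directory:
            continue
        salt, stored = directory[parsed[0]]
        if hmac.compare_digest(directory_hash(parsed[1], salt), stored):
            matched.add(parsed[0])
    return matched
```

Running `triage(SAMPLE_DUMP.splitlines(), ORG_DOMAINS, HISTORICAL)` parses five records and yields three unique hits for the corporate domain: alice (new, password present), bob (password present but already in the historical set, so not new exposure) and dave (email only, no password to act on). `check_directory` is the one step that needs plaintext, so it belongs with the IAM team: here it reports only alice, whose leaked password still matches the directory and therefore needs an immediate reset, while bob's rotated password no longer matches.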
As a community we will continue to collaborate and enhance our response time on the perennial problem of compromised credentials. Here’s to fewer questions and faster answers in 2020!