on August 28, 2018

The right tools for the job: how to protect against credential theft

Humans are often described as the weakest link in the cybersecurity chain. This is certainly true to an extent: witness the fact that phishing enabled 93% of data breaches last year. However, it might be more accurate to describe credentials themselves as the biggest threat to organizations. Whether we’re talking about corporate account passwords or customer log-ins, they can be phished, hacked, cracked and guessed via an increasingly wide range of tools and techniques — exposing organizations to serious financial and reputational damage.

The answer is a layered approach built around effective threat intelligence, but not all solutions are created equal. This makes it crucial for IT security and fraud managers to know what to look out for in an increasingly crowded marketplace.

Why are credentials important?

Credentials are the virtual keys that protect corporate networks and systems and customer accounts from unauthorized intrusion. As such they represent a huge target for cyber-criminals, nation state operatives and even hacktivists. Stolen credentials have been to blame for some of the biggest data breaches of recent years, including US retailer Target, which led to the theft of PII and card data on up to 110 million customers; the 2014 breach of 500m Yahoo customers; and Uber, which spilled data on 57m global users.

However, credential compromise can lead to a wide range of possible business impacts. These include:

Underground Sale: If the hackers gain access to large troves of customer data (including PII, credentials and card info) or IP this information can be sold on the underground sites where there is a huge and thriving economy in stolen data. One company has estimated it could be worth as much as $160bn annually.

Identity theft/fraud: Stolen credentials can be used to hijack customer accounts to commit identity fraud: for example, making money transfers, filing false insurance claims, or purchasing items without the account holder’s knowledge. This is made easier by the fact that many users share passwords across multiple accounts. Two-thirds (65%) of global firms claimed recently they experienced the same or more fraud losses in the past 12 months. Customer attrition, brand damage and possible legal costs could result.

Blackmail: Account takeovers could also reveal sensitive and confidential information that the individual would rather was kept secret. That’s especially true of CEOs and senior executives in companies. This could lead to online extortion attempts. A notorious example of this was the 2015 data breach at infamous infidelity site Ashley Madison.

Crimeware and BEC: Cyber-criminals can use stolen credentials to hijack e-mail and social network accounts to distribute malware and launch highly convincing phishing campaigns or Business Email Compromise (BEC) attacks. BEC is now their biggest money-maker, netting the bad guys $676m last year. They could also hijack CMS and other accounts to add malicious content to websites.

Reputational damage: Sometimes the objective isn’t primarily to make money but use access to an account to damage the reputation of an individual or company. Yet even if reputational damage is not the primary intention, it is usually a secondary impact of breaches, identity fraud, hacktivism etc.

Hacktivism: Hacktivists use stolen credentials to infiltrate corporate systems to deface websites and social media accounts or even to publicly release breached data. There are serious reputational, compliance and often financial repercussions.

Espionage: Hijacked email and other accounts can be monitored over a long period of time to gather and exfiltrate data, often in nation state-sponsored raids. One campaign attributed to China is said to have run for over a decade.

The right tools

IT security teams today are stretched to the limit deflecting commodity attacks and targeted raids. With global skills shortages set to reach 1.8m by 2022, there’s no let-up in sight as credentials continue to expose organizations to the threats listed above. Threat intelligence can help, but with teams already overwhelmed with information, false positives and threat alert fatigue can be a major challenge. This makes choosing the right tools more important than ever.

The best platforms will allow you to understand your adversaries before they attack, or spot compromised credentials before attackers have a chance to sell them online. Look for solutions which:

Proactively search the open, deep and dark web in real-time for stolen passwords using a combination of sinkholes, honeypots, crawlers and sensors.

Offer modularity and/or customizability. There’s no such thing as one-size-fits-all when it comes to credential theft protection. Consider functionality which allows you to: hunt malware including Man in the Browser (MitB) attacks; monitor hacktivism activity on social networks; find leaked, stolen and sold credentials for sale on the cybercrime underground; monitor malicious mobile apps that could steal customer credentials; find registered fraudulent domains which could be used in phishing; and analyze current phishing campaigns to feed back into user awareness classes.

Combine intelligence from a broad range of threat sources including social networks, forums and web posts on the surface web; deep web forums and closed sites; dark web sites like TOR, I2P etc; and C&C systems (via sinkholing).

Integrate into SIEM, firewalls etc. to improve ROI, and help prioritize advanced threats.

Offer pay-as-you-need: to avoid you shelling out for unnecessary functionality.

Provide the freshest (near real-time) information. This is vital to ensuring you stay one step ahead of the fraudsters to take action before they do.

Offer enhanced usability: With IT resources stretched, it pays to invest in intelligence which is accessible to all levels — not just experienced fraud analysts.

As long as credentials remain the preferred way for companies to authenticate their employees and customers, they’ll continue to be the weakest link in the cybersecurity chain. That’s why threat intelligence is essential to reduce risk and accelerate decision making, creating a formidable first line of defense to put you back on the front foot.

Related Articles
  • To find out more on this topic, read our in-depth Credential Theft article on credential compromise and identity theft.
  • The Credential Theft Ecosystem report embodies this approach – it is designed to help organizations understand the lifecycle of a compromised credential and keep their organizations’ data safe.