Why Proactive Cybersecurity Begins with Monitoring for Compromised Credentials
Most IT security teams today are under a huge amount of pressure. With dwindling human resources, they must tackle a growing volume and range of sophisticated threats, as well as support ambitious digital transformation projects which could make or break the fortunes of their organization. Faced with this uphill task, many can do little more than react to threats as they appear, fire-fighting desperately in a never-ending cycle.
A new focus
The reactive security stance many organizations are saddled with is inevitable given the pressures facing modern IT security leaders. Adding to the burden are complex, heterogeneous systems; an IT skills shortage forecast to reach 350,000 unfilled roles in Europe by 2022; and digital transformation projects that have expanded the attack surface with IoT and mobile endpoints, cloud services and more.
The cybersecurity industry has for years perpetuated the notion that threats can be blocked at the perimeter: that with the right tools in place, attacks can be stopped. This has given many organizations a false sense of security. As F-Secure red team tests revealed in 2017, 52% of employees still clicked a link in a fake email. We have to be realistic: some attacks will always slip through, and it only takes one misplaced click, or one stolen credential, to let the attackers in.
The key, therefore, is not to rely entirely on reactive cybersecurity. If we accept that breaches can and do happen, the focus should shift to detecting stolen corporate and customer credentials and cutting off their use before the criminals have had a chance to monetize them.
Anatomy of a breach
Understanding the credential theft lifecycle is the first step towards effectively mitigating the risk. There are typically four stages:
- Gathering of credentials via malware, phishing, DNS hijacking, brute-force attacks, social engineering and leaked databases.
- Exfiltration: filtering and extracting the credentials via email, IRC, FTP and other channels, sometimes into databases configured in command-and-control (C&C) panels.
- Validation of the stolen credentials via automated online account checkers and bots, and sometimes standalone executables built to check specific target accounts.
- Monetization of the credentials by selling them on the cybercrime underground or using them directly for mass identity fraud, hijacking corporate social network accounts and defacing websites, business email compromise (BEC) attacks, or obtaining system access to effect much larger breaches of customer data and/or intellectual property.
With the right threat intelligence, security teams can step in while the attackers are still validating the stolen credentials, or even before they have finished extracting them. A password reset at that point makes the credential worthless before it can be sold or used.
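The validation stage is the point at which defenders can still intervene, and it leaves a recognizable trace: one source trying many different usernames in a short time, most of them failing, with the occasional success marking a credential the attacker has just confirmed works. As an added example (not code from the original article or from any vendor mentioned on this page), here is that detection logic in Python run over a constructed authentication log. The log format, the thresholds, the IP addresses and the accounts are all assumptions.

```python
"""Spot the credential-validation stage: one source cycling through many accounts.

Added example, not from the original article. The log format is an assumption:
one line per login attempt, "ISO-timestamp ip=... user=... result=OK|FAIL".
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample, not real data: 203.0.113.7 behaves like an account checker
# (ten different users in ten seconds, two of them succeed); 198.51.100.9 is one
# user mistyping a password twice and then getting in.
SAMPLE_LOG = """\
2018-06-12T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2018-06-12T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2018-06-12T10:00:03Z ip=203.0.113.7 user=carol@example.com result=FAIL
2018-06-12T10:00:04Z ip=203.0.113.7 user=dave@example.com result=OK
2018-06-12T10:00:05Z ip=203.0.113.7 user=erin@example.com result=FAIL
2018-06-12T10:00:06Z ip=203.0.113.7 user=frank@example.com result=FAIL
2018-06-12T10:00:07Z ip=203.0.113.7 user=grace@example.com result=FAIL
2018-06-12T10:00:08Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2018-06-12T10:00:09Z ip=203.0.113.7 user=ivan@example.com result=FAIL
2018-06-12T10:00:10Z ip=203.0.113.7 user=judy@example.com result=OK
2018-06-12T10:03:00Z ip=198.51.100.9 user=alice@example.com result=FAIL
2018-06-12T10:03:20Z ip=198.51.100.9 user=alice@example.com result=FAIL
2018-06-12T10:03:45Z ip=198.51.100.9 user=alice@example.com result=OK
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line):
    """Parse one log line into an Attempt."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return Attempt(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        ip=fields["ip"],
        user=fields["user"].lower(),
        ok=fields["result"] == "OK",
    )


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.5):
    """Return {ip: {"users_tried": n, "validated": [users]}} for sources that look like
    credential checkers: many distinct usernames inside `window`, mostly failures.

    A legitimate user retrying their own password never reaches min_users, so the
    second source in SAMPLE_LOG is not flagged even though it fails twice."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            attempt = parse_line(line)
            by_ip[attempt.ip].append(attempt)

    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span covers at most `window`.
            while attempts[end].ts - attempts[start].ts > window:
                start += 1
            span = attempts[start:end + 1]
            users = {a.user for a in span}
            successes = {a.user for a in span if a.ok}
            if len(users) >= min_users and len(successes) / len(span) <= max_success_ratio:
                current = findings.setdefault(ip, {"users_tried": 0, "validated": set()})
                current["users_tried"] = max(current["users_tried"], len(users))
                current["validated"] |= successes
    # Sorted lists are easier to assert on and to hand to a ticketing system.
    return {ip: {"users_tried": f["users_tried"], "validated": sorted(f["validated"])}
            for ip, f in findings.items()}


def accounts_to_reset(findings):
    """Every account a flagged source logged into successfully: the attacker has
    just confirmed that credential works, so reset it before it is monetized."""
    return sorted({user for f in findings.values() for user in f["validated"]})


if __name__ == "__main__":
    hits = detect_stuffing(SAMPLE_LOG)
    for ip, info in hits.items():
        print(f"{ip}: tried {info['users_tried']} users, validated {info['validated']}")
    print("force reset:", accounts_to_reset(hits))
```

The two successful logins from the flagged source are the actionable output: those are validated credentials, and a forced reset plus session revocation on them closes the window between validation and monetization. The thresholds are deliberately conservative so that a single user fumbling their own password is never treated as an attacker; tune `min_users` and `window` to your own login volume.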
Yet unfortunately, time and again big-name brands that should have the insight and expertise to tackle credential theft have failed their customers. Yahoo famously took three years to inform users of a 2013 breach affecting one billion customers, before deciding a year later that in fact the number affected was three billion. More recently, UK retail giant Dixons Carphone was criticized after reporting a breach of 1.2m personal records that took place nearly a year previously, only to revise the figure up to 10 million customers a month later.
These cases are just the tip of the iceberg. It's no surprise that the median length of time cyber-criminals are able to stay inside the networks of EMEA organizations before they're discovered is 175 days, much longer than the global figure of 101 days. It's safe to say that nearly six months is more than enough time for cyber-criminals to exfiltrate, validate and monetize stolen credentials.
Eliminating blind spots
The truth is that in an ideal world we wouldn’t use credentials at all. Password-based systems are a relic of the past that should be consigned to the dustbin in favor of modern, context-based multi-factor authentication. But as long as organizations persist in using them to validate employees and customers, they need to find ways to manage the risk of credential theft.
This is why it's crucial to find a way of effectively detecting compromised credentials. The right kind of threat intelligence feeds will proactively search the open, deep and dark web in real time for stolen passwords, using a combination of sinkholes, honeypots, crawlers and sensors. With speed of the essence, they will feed that information back so you can change passwords internally or notify customers to do the same, before the compromised credentials can be monetized against you.
Security teams are certainly stretched to the limit today, so much so that you might feel the resources aren’t there to manage an extra intelligence feed. That’s why it’s important to look for providers that can offer highly user-friendly services which can be interpreted without the need for specialized analysts. Also make sure they integrate neatly into current SIEM and other security infrastructure to enhance existing approaches and maximize ROI.
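To make concrete what the two paragraphs above describe on the receiving end, detecting compromised credentials from a feed and pushing the result into the SIEM, here is an added Python example. It is not code from the original article or from any vendor's product: it takes a constructed leaked-credential feed, keeps only entries for the corporate domain, checks each leaked password against the directory's stored hash to separate "still valid, force a reset now" from "no longer matches, warn the user about reuse", and emits one JSON event per finding for the SIEM. The feed format, the PBKDF2 storage scheme, the domain and every account are assumptions.

```python
"""Triage a leaked-credential feed against the corporate directory.

Added example, not from the original article and not any vendor's product code.
Assumptions: the feed arrives as "email:password" lines, the directory stores
PBKDF2-HMAC-SHA256 password hashes with per-user salts, and events reach the
SIEM as one JSON object per line.
"""
import hashlib
import hmac
import json
import os

CORPORATE_DOMAIN = "example.com"
PBKDF2_ROUNDS = 100_000  # kept modest so the example runs quickly


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def build_directory(plaintext_accounts):
    """Constructed stand-in for the identity store: {email: {"salt", "hash"}}.
    A real deployment would verify against the IdP instead of holding hashes here."""
    directory = {}
    for email, password in plaintext_accounts.items():
        salt = os.urandom(16)
        directory[email] = {"salt": salt, "hash": hash_password(password, salt)}
    return directory


# Constructed accounts, not real people or passwords.
DIRECTORY = build_directory({
    "alice@example.com": "Winter2018!",
    "bob@example.com": "c0rrect-horse-battery",
    "carol@example.com": "Summer2017!",
})

# Constructed feed, not real leaked data. alice's leaked password is still her
# current one; bob's and carol's no longer match; dave has no account with us;
# the other.example entry belongs to someone else's organization.
LEAKED_FEED = """\
alice@example.com:Winter2018!
bob@example.com:Summer2017!
carol@example.com:letmein
someone@other.example:Winter2018!
dave@example.com:password1
"""


def triage_feed(feed_text, directory, domain=CORPORATE_DOMAIN):
    """Decide a response per leaked pair. Only our domain is examined, and a leaked
    password that still verifies against the stored hash is the urgent case.
    The leaked plaintext is never copied into the finding."""
    findings = []
    for line in feed_text.splitlines():
        if ":" not in line:
            continue  # malformed feed line; skip rather than guess
        email, leaked_password = line.split(":", 1)
        email = email.strip().lower()
        if not email.endswith("@" + domain):
            continue  # another organization's problem, not ours
        account = directory.get(email)
        if account is None:
            findings.append({"user": email, "severity": "low",
                             "action": "no_such_account"})
        elif hmac.compare_digest(hash_password(leaked_password, account["salt"]),
                                 account["hash"]):
            findings.append({"user": email, "severity": "critical",
                             "action": "force_reset_and_revoke_sessions"})
        else:
            findings.append({"user": email, "severity": "medium",
                             "action": "notify_user_check_reuse"})
    return findings


def to_siem_events(findings, source="credential-intel-feed"):
    """One JSON line per finding, ready for a SIEM ingest endpoint."""
    return [json.dumps({"source": source, **finding}, sort_keys=True)
            for finding in findings]


if __name__ == "__main__":
    for event in to_siem_events(triage_feed(LEAKED_FEED, DIRECTORY)):
        print(event)
```

Verifying the leaked password against the stored hash is what turns a noisy feed into something a stretched team can act on without an analyst: a match is a credential an attacker can use right now and gets an automatic reset, while a non-match still warrants a reuse warning but not an outage for the user. Keeping the plaintext out of the emitted event matters because the SIEM is itself a target.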
Some tools may even offer intelligence about how credentials were stolen in the first place, allowing IT teams to proactively prevent future attacks. It’s all about eliminating blind spots in the threat landscape to stay informed and in control. With a bit of forward-planning, IT security teams can run leaner and more effectively than before, in spite of the escalation in threats.
- To find out more on this topic, read our in-depth Credential Theft article on credential compromise and identity theft.
- The Credential Theft Ecosystem report embodies this approach – it is designed to help organizations understand the lifecycle of a compromised credential and keep their organizations’ data safe.