5 Tips for Triaging Risk from Exposed Credentials
Not all exposed usernames and passwords present a threat. Here's how to quickly identify the ones that do.
September 2, 2020
With more than 15 billion exposed credentials currently available online, security teams need a formal process for quickly identifying the ones that might pose a threat to their organizations.
A study that Digital Shadows conducted earlier this year found that two-thirds of the credentials available on Dark and Clear Web markets are duplicates, and 80% of them are in cleartext format. Many are employee credentials that pose a significant risk to organizations in the hands of cybercriminals.
It's the security team's role to assess all of their exposed employee credentials to ascertain whether those credentials could enable attackers to take over accounts and gain access to internal systems, says Michael Marriott, manager of product marketing at Digital Shadows.
Security admins need to determine whether an exposed credential poses a risk to the business or whether it is no longer a threat because it is associated with a user who has left the organization, has expired, or another reason. Given that billions of credentials are exposed every year, this can be time-consuming, he says.
"This is a real challenge, and a practical solution requires a methodical approach that is less whack-a-mole," Marriott says. "Security teams spend a lot of time reassessing the same credential pair and wasting their time. If the security team has reset the password of a user who has had their credential breached, there is no need to do so every time that password resurfaces."
The following are five tips for triaging the risk associated with breached credentials.
Underground markets are awash in employee credentials, both username-and-password pairs and usernames alone. The study that Digital Shadows conducted, for instance, found that food and beverage organizations on average had over 87,350 credentials exposed; education and technology organizations had an average of around 48,000 employee credentials available online.
But not all of them pose a risk. If the user has left the organization, it's unlikely that his credentials would be active. Similarly, if a password does not match the current password format, it's unlikely that an attacker could use it to gain access to internal systems. Asking these questions is fundamental to ensuring the security team doesn't end up resetting passwords that no longer present a threat, Marriott says.
"Security teams may have their own scripts to validate credentials and assess whether they meet the password or email format," he says. "Alternatively, the rise of security orchestration, automation, and response [SOAR] platforms provides additional ways for teams to automate these actions."
The same stolen or leaked employee credentials can keep surfacing online over and over again. Make sure to have a process for ensuring new alerts are not raised each time that happens. Create some sort of a database or list of passwords that are no longer valid or don't present a risk to the organization anymore, and use that when triaging risk. Once a credential has been marked as resolved, no more alerts should be raised against it, Marriott notes.
While there's a lot of stolen and leaked employee credential data floating around online, only a relatively small portion of it is unique. Large credential datasets can contain plenty of duplicates. Getting rid of them can give organizations a better handle on their true exposure to breached or leaked credentials.
"Triaging the risk associated with breached credentials shouldn't be as daunting a task as it seems," says Brandon Hoffman, CISO at Netenrich. "There are [plenty of] tools that can perform deduplication and correlation among the sets of [exposed credential] data," he says.
Organizations should also require multifactor authentication, perform aggressive account resets, and track and block account checking or brute-forcing tactics and techniques, he says.
Not all of the credentials dumped online work -- or are even genuine, for that matter. Criminals looking to make a fast buck from selling credentials have been known in the past to make up username and password combinations. Just because a credential appears to belong to a particular domain does not mean it actually is a real one. If the password does not match the organization's current password format (for example, a policy requiring more than 18 characters with uppercase and lowercase letters and special characters), it is unlikely to provide access to internal systems, Digital Shadows' Marriott says.
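The checks in the tips above (is the user still active, does the password match the current format, has the pair already been resolved so that it raises no new alert when it resurfaces, and deduplication) combined into one triage pass, as an added example that is not code from the article or from Digital Shadows. The domain, user list, HMAC key and dump rows are constructed; the resolved list stores keyed hashes so cleartext passwords never sit in the triage database.

```python
import hashlib
import hmac
import re

# Constructed inputs (not from the article). Policy: >18 chars, mixed case, special char.
PASSWORD_POLICY = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).{19,}$")
ORG_DOMAIN = "example.com"                               # hypothetical
ACTIVE_USERS = {"alice@example.com", "bob@example.com"}  # constructed IdP export
RESOLVED_KEY = b"replace-with-a-secret-from-your-vault"  # hypothetical HMAC key

def fingerprint(email, password):
    """Keyed hash of the pair so the resolved list never holds cleartext passwords."""
    msg = email.strip().lower().encode() + b"\0" + password.encode()
    return hmac.new(RESOLVED_KEY, msg, hashlib.sha256).hexdigest()

# Pairs the team has already reset (constructed); only fingerprints are stored.
RESOLVED = {fingerprint("alice@example.com", "Correct-Horse-Battery-Staple1")}

def triage(records, active_users=ACTIVE_USERS, resolved=RESOLVED, domain=ORG_DOMAIN):
    """One (email, verdict) per unique exposed pair, first-seen order. Checks run
    in the article's order: resolved, wrong domain, inactive user, format, reset."""
    seen, verdicts = set(), []
    for email, password in records:
        email = email.strip().lower()
        fp = fingerprint(email, password)
        if fp in seen:
            continue  # same pair resurfacing: raise no new alert
        seen.add(fp)
        if fp in resolved:
            verdict = "resolved"
        elif not email.endswith("@" + domain):
            verdict = "not-our-domain"
        elif email not in active_users:
            verdict = "inactive-user"
        elif not PASSWORD_POLICY.match(password):
            verdict = "format-mismatch"
        else:
            verdict = "needs-reset"
        verdicts.append((email, verdict))
    return verdicts

# Constructed dump: six raw rows, five unique pairs (row two repeats row one).
SAMPLE_DUMP = [
    ("alice@example.com", "Correct-Horse-Battery-Staple1"),
    ("Alice@Example.com", "Correct-Horse-Battery-Staple1"),
    ("bob@example.com", "Winter2020!"),
    ("bob@example.com", "Strong-Enough-Password-2020!"),
    ("carol@example.com", "Anything-Long-Enough-Here-1!"),
    ("dave@other.org", "whatever"),
]
```

Only the "needs-reset" rows warrant a password reset; the rest are the duplicates, stale users, wrong-format and already-handled pairs the article says should not consume the team's time.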
Real-time alerting on stolen credentials and references to a particular company or brand in criminal circles are essential to mitigating account takeover and other risks. Organizations need a mechanism for monitoring underground forums, Dark Web sites, and paste sites for stolen or leaked passwords. Free tools and services are available that allow organizations to monitor for breached credentials. Even resources such as HaveIBeenPwned can alert to credential breaches impacting an organization's email domain.
Organizations might also want to consider using an identity monitoring service to triage password theft or leaks, says Stephen Banda, senior manager, security solutions at Lookout. "By verifying user logins against massive databases of recovered breach assets, identity monitoring solutions can notify your organization of credential theft, before [the credentials] are used," Banda says.