Detection of compromised credentials — the low-hanging fruit in cybersecurity

Stan Bounev
5 min read · Nov 24, 2019

High-profile data breaches in recent years have created a new and rapidly emerging high-risk reality that businesses must be aware of and can no longer ignore: huge data lakes containing billions of leaked credentials are for sale on the dark web*, and many of those credentials are still an exact match for the username and password that open an organization's sensitive data and corporate intellectual property.

Since the beginning of 2017, the industry has seen a sharp rise in data breaches that leverage compromised credentials. Verizon's 2017 Data Breach Investigations Report found that 81% of hacking-related breaches leveraged weak and/or stolen passwords, up 18 percentage points from the already high 63% reported the previous year.

To ignore this risk is to invite the kind of outcome Equifax suffered, where a high-risk vulnerability was known and a fix was available, yet nothing was done about it. One year after the breach, the stock price had still not recovered to its pre-breach level. The stakes involving compromised and leaked credentials are exactly that high.

MFA? VPN? Strong Password Policies? That Unfortunately Is Still Not Enough!

Mandatory multi-factor authentication (MFA), virtual private networks (VPNs) and a strong, resilient password policy that mirrors the recently revised NIST recommendations (SP 800-63B, section 5.1.1.2, which among other things requires new passwords to be screened against lists of known-compromised values) are now the minimum standard an organization should meet to secure the enterprise. But even these controls no longer provide complete protection for authentication and authorization within the enterprise.

Why? Cybercriminals and nation-state actors have access to massive databases of leaked credentials which are already being used as weapons against the enterprise, critical infrastructure and even democracy itself. There are very few cases in which MFA is deployed consistently across sensitive assets, or is on by default. The Deloitte breach from September 2017 shows that even companies that preach cybersecurity best practices can make a mistake and leave MFA off administrator accounts.

Leaked credentials have become the holy grail of dark web possession: one set of credentials to rule all other forms of perceived authentication and access protection. Leaked credentials are applied so broadly against individuals and organizations because they are easy to obtain and succeed at a high rate when they are used.

With this new reality of stolen and compromised credentials, organizations must take active measures to detect and verify them or be prepared to face the consequences.

Detect & Verify Compromised Credentials

As organizations learn more about and increase the adoption of credential verification services, what are the levels of risk that need to be considered to begin protecting against this threat?

Let’s consider two risk levels.

Level 1 Scenario: When a compromised credential is linked to the identity context

In this scenario, the detection of leaked credentials is based on a match of the username and the password together. This is the preferred scenario, as it eliminates false positives and allows a high degree of automation. The outcome of the detection is a binary answer: which accounts from the organization's credential store are up for grabs on the dark web and can be used at any time to launch an attack.

The best-in-class solutions store the username and password pairs in encrypted or hashed form for comparison, so that the index itself is not a ready-made credential list if it is ever stolen. Without the identity context, e.g. when matching only against a password list, you would show users 2–6x more unnecessary warnings than with a pair-matching service such as the one VeriClouds offers.

Checking the username and password together at login, via a credential verification service, gives the highest confidence that the credentials are leaked when there is a match, and avoids false positives. The comparison runs as part of the authentication workflow. If a leaked username and password pair is detected, the policy engine can automate the remediation step, for example by immediately forcing the user to change the password or by requiring step-up authentication, blocking the unauthorized access attempt and potentially preventing the data breach from happening in the first place.
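The following is an added example, not VeriClouds code and not the CredVerify implementation, of a Level 1 check wired into a login workflow. The leaked corpus, the login attempts and the service key are all constructed for the demo. The lookup keys are keyed hashes of the normalized username/password pair, assumed to be computed wherever the key is held (in practice inside the verification service), so the stored index never contains plaintext. The `count_warnings` helper shows why the identity context matters: a password-only match flags every user whose password appears anywhere in the corpus, while the pair match flags only the account that was actually exposed.

```python
import hashlib
import hmac
import unicodedata

# Added example (not VeriClouds code). The corpus, logins and key below are
# constructed for the demo; SERVICE_KEY is a placeholder, not a real secret.
SERVICE_KEY = b"constructed-demo-key-replace-in-production"


def normalize_username(username: str) -> str:
    """Canonicalize so 'Alice@Example.com ' and 'alice@example.com' match."""
    return unicodedata.normalize("NFKC", username).strip().lower()


def pair_key(username: str, password: str) -> str:
    """Level 1 key: username and password bound together (identity context).
    HMAC-SHA256 keeps a stolen index from being brute-forced like a plain hash dump."""
    msg = normalize_username(username).encode("utf-8") + b"\x00" + password.encode("utf-8")
    return hmac.new(SERVICE_KEY, msg, hashlib.sha256).hexdigest()


def password_key(password: str) -> str:
    """Password-only key, kept here only to show the extra noise it produces."""
    return hmac.new(SERVICE_KEY, password.encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed leaked corpus; a service would hold only the hashed form.
_LEAKED_PLAINTEXT = [
    ("Alice@Example.com", "Summer2019!"),  # an employee of the organization
    ("bob", "hunter2"),                    # common password, unrelated user
    ("carol@other.org", "Summer2019!"),    # same password, different identity
]
LEAKED_PAIRS = {pair_key(u, p) for u, p in _LEAKED_PLAINTEXT}
LEAKED_PASSWORDS = {password_key(p) for _, p in _LEAKED_PLAINTEXT}
del _LEAKED_PLAINTEXT  # the plaintext is not needed once the index is built


def check_login(username: str, password: str, remediation: str = "force_reset") -> str:
    """Decision taken inside the authentication workflow with the submitted
    password: 'allow', or the configured remediation ('force_reset' or
    'step_up') when the exact username/password pair is known to be leaked."""
    if remediation not in ("force_reset", "step_up"):
        raise ValueError("unknown remediation policy")
    if pair_key(username, password) in LEAKED_PAIRS:
        return remediation
    return "allow"


def count_warnings(logins):
    """For a batch of (username, password) logins, return
    (pair_hits, password_only_hits): how many a pair match flags versus
    how many a password-only match would flag."""
    pair_hits = sum(1 for u, p in logins if pair_key(u, p) in LEAKED_PAIRS)
    password_hits = sum(1 for _, p in logins if password_key(p) in LEAKED_PASSWORDS)
    return pair_hits, password_hits


# Constructed successful logins at the organization for one day.
SAMPLE_LOGINS = [
    ("alice@example.com", "Summer2019!"),          # exact leaked pair: true positive
    ("dave@example.com", "Summer2019!"),           # password leaked for someone else
    ("erin@example.com", "hunter2"),               # common leaked password, own identity never leaked
    ("frank@example.com", "Tr0ub4dor&3-unique"),   # nothing known
]

if __name__ == "__main__":
    for user, pw in SAMPLE_LOGINS:
        print(user, "->", check_login(user, pw))
    print("pair vs password-only warnings:", count_warnings(SAMPLE_LOGINS))
```

Only Alice's login is flagged by the pair match, while the password-only match would also warn Dave and Erin, whose own credentials were never exposed. The remediation argument is where a policy engine would plug in: a forced reset for ordinary accounts, a step-up challenge where an immediate reset would lock out an operator mid-incident.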

Level 2 Scenario: When a compromised password or account is known

In this scenario, the detection of leaked credentials is based on a comparison of the username only; additional contextual information about the breach is then used to limit false positives.

This scenario is used when the organization cannot use passwords for detecting leaked credentials. Instead, leaked usernames and metadata from breach data and other contextual attributes can be used as indicators of the risk of compromised credentials.

Even though the comparison is based only on the username, it still carries real signal, because users reuse passwords across services:

  • Based on a SecureAuth study, 81% of Americans use the same password for at least two of their accounts.
  • In benchmark tests we performed in our lab, we found that between 15–40% of a typical company’s credentials already exist in VeriClouds’ database.
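The following is an added example, not VeriClouds code, of the Level 2 approach: a username-only match against breach data, refined with the metadata the paragraph mentions. The leak records, account records, source names and scoring rules are all constructed for the demo. Two contextual attributes drive the tiering: whether the dump actually exposed a usable password, and whether the breach post-dates the account's last password change (if it does, a reused password would still be live).

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
import unicodedata

# Added example (not VeriClouds code). All records, sources and rules below
# are constructed for the demo.


@dataclass(frozen=True)
class LeakRecord:
    """One breach-data sighting of a username; no password is available to us."""
    username: str
    breach_date: date
    source: str            # hypothetical dump or breach name
    password_exposed: bool  # the dump contained a plaintext or cracked password


@dataclass(frozen=True)
class OrgAccount:
    username: str
    last_password_change: date


def normalize_username(username: str) -> str:
    return unicodedata.normalize("NFKC", username).strip().lower()


def build_index(records):
    """Group leak records by normalized username for O(1) lookup."""
    index = {}
    for r in records:
        index.setdefault(normalize_username(r.username), []).append(r)
    return index


def risk_tier(account: OrgAccount, index) -> str:
    """Username-only match, refined with breach metadata:
      none   - username never seen in breach data
      high   - a password was exposed and the account password has not been
               changed since that breach (reuse would still be live)
      medium - sighted after the last change but without a usable password,
               or a password was exposed but the account has been rotated since
      low    - only stale, password-less sightings"""
    records = index.get(normalize_username(account.username), [])
    if not records:
        return "none"
    unrotated = [r for r in records if r.breach_date > account.last_password_change]
    if any(r.password_exposed for r in unrotated):
        return "high"
    if unrotated or any(r.password_exposed for r in records):
        return "medium"
    return "low"


# Policy mapping from tier to the action the authentication workflow enforces.
ACTIONS = {"none": "allow", "low": "notify", "medium": "step_up", "high": "force_reset"}


def recommended_action(account: OrgAccount, index) -> str:
    return ACTIONS[risk_tier(account, index)]


def summarize(accounts, index):
    """Return (fraction of accounts seen in breach data, per-tier counts)."""
    tiers = Counter(risk_tier(a, index) for a in accounts)
    seen = len(accounts) - tiers["none"]
    return seen / len(accounts), dict(tiers)


# Constructed breach data and organization accounts.
LEAKS = [
    LeakRecord("Alice@Example.com", date(2019, 3, 1), "forum-dump-A", True),
    LeakRecord("bob@example.com", date(2017, 1, 15), "hash-dump-B", False),
    LeakRecord("carol@example.com", date(2019, 5, 20), "hash-dump-C", False),
    LeakRecord("erin@example.com", date(2016, 8, 1), "combo-list-D", True),
    LeakRecord("erin@example.com", date(2018, 2, 1), "hash-dump-B", False),
]
ACCOUNTS = [
    OrgAccount("alice@example.com", date(2018, 6, 1)),  # exposed after last change -> high
    OrgAccount("bob@example.com", date(2018, 1, 1)),    # rotated after a hash-only leak -> low
    OrgAccount("carol@example.com", date(2019, 1, 1)),  # sighted since change, no password -> medium
    OrgAccount("dave@example.com", date(2019, 9, 1)),   # never seen -> none
    OrgAccount("erin@example.com", date(2019, 4, 1)),   # rotated after exposure -> medium
]
INDEX = build_index(LEAKS)

if __name__ == "__main__":
    for account in ACCOUNTS:
        print(account.username, risk_tier(account, INDEX), recommended_action(account, INDEX))
    print(summarize(ACCOUNTS, INDEX))
```

The `summarize` output is the kind of number the benchmark above reports: the share of an organization's accounts already present in breach data. The tiering is deliberately conservative; a sighting that predates the last password change and carried no password is still reported, just at a level that produces a notification rather than a forced reset.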

Detecting an organization's compromised credentials is an easy step that can significantly reduce the attack surface of your organization. Organizations can no longer afford to ignore this threat as data breaches continue to increase in frequency, scale and cost. The risks are high and cannot be mitigated by anything short of rapid due diligence on the issue. As attackers continue to iterate, organizations must do the same in order to counter cyber-attacks.

Detect the compromised credentials in your organization by signing up for a free trial of our premium service, CredVerify™ and gain visibility into dark web threats that can undermine your existing security controls.

About Stan

Stan has over 17 years of product management experience. He worked on Microsoft Windows and Microsoft Online Services security features. In 2014 he co-founded VeriClouds, the leader in credential verification. The company provides detection of leaked credentials, which helps organizations single out the compromised credentials of their employees or customers before hackers do. VeriClouds uses the same data attackers do, proactively monitoring the dark web and systematically reducing user-centric risk.

— — —

*dark web — used as a term comprising dark web, deep web and surface web
