Compromised employee credentials are a major threat to any organization’s cybersecurity. According to Verizon’s 2022 Data Breach Investigations Report, compromised credentials were the single largest source of breaches, accounting for nearly half of them. By taking the right proactive measures and utilizing the right technology, however, companies can prevent cybercriminals from being able to use this attack vector to gain initial access.
How cybercriminals obtain credentials
Because credentials are the keys to accessing sensitive data, applications, and systems, they are highly sought after by cybercriminals, who use various means to obtain them. One common method of acquiring credentials is through phishing attacks in which hackers send employees fake emails that impersonate a trusted source and include a link to a spoofed domain where they are prompted to enter their login credentials. Once these are entered, they are ‘harvested’ by the attacker who can then use them to gain unauthorized access to a company’s systems. This type of phishing attack is becoming ever more frequent and has been the source of a number of high-profile breaches in recent months.
Credential compromise can also happen when an attacker obtains a list of breached username and password pairs (“credentials”) from the dark or public web and then uses automated scripts or ‘bots’ to test them on dozens or even hundreds of website login forms with the goal of gaining access to user accounts. This is known as credential ‘stuffing.’ Even the most unsophisticated cybercriminals can easily download lists of previously breached emails and passwords that are readily available online. Using credential stuffing tools, these can then be used to compromise accounts and, since many people reuse passwords across different accounts, it is inevitable that some of these credentials will work on other accounts, either personal or corporate.
Once an employee’s personal account is compromised, a hacker can use this to gain access to the employee’s corporate accounts, either through password reuse or through social engineering tactics such as an MFA fatigue attack. A report by the National Institute of Standards and Technology (NIST) found that password reuse is one of the leading causes of data breaches. This is a major security risk for companies, as it can allow hackers to gain access to sensitive corporate information and systems, and traditional cybersecurity does not address exposed personal data, where the vast majority of an individual’s threat exposure lies.
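The credential-stuffing pattern described above (one automated source cycling through many usernames, each tried only once or twice) can be spotted from login logs. The following is an added example, not code from the original article: a small detector that flags a source address attempting many distinct accounts within a short window, run over a few constructed log lines. The log format, the five-minute window and the five-user threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). One source tries six
# different accounts in four seconds; another is a normal user retrying their own.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z LOGIN_FAIL user=alice src=203.0.113.7
2024-01-10T09:00:02Z LOGIN_FAIL user=bob src=203.0.113.7
2024-01-10T09:00:02Z LOGIN_FAIL user=carol src=203.0.113.7
2024-01-10T09:00:03Z LOGIN_OK user=dave src=203.0.113.7
2024-01-10T09:00:04Z LOGIN_FAIL user=erin src=203.0.113.7
2024-01-10T09:00:05Z LOGIN_FAIL user=frank src=203.0.113.7
2024-01-10T09:01:00Z LOGIN_FAIL user=alice src=198.51.100.4
2024-01-10T09:01:30Z LOGIN_FAIL user=alice src=198.51.100.4
2024-01-10T09:02:00Z LOGIN_OK user=alice src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")

def parse_log(text):
    """Return (timestamp, succeeded, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2) == "LOGIN_OK", m.group(3), m.group(4)))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag sources that touch >= min_users distinct accounts inside `window`.
    Stuffing spreads attempts across many usernames, so per-account lockouts
    never fire; counting distinct users per source is the signal used here."""
    by_src = defaultdict(list)
    for ts, ok, user, src in sorted(events):
        by_src[src].append((ts, user, ok))
    findings = {}
    for src, attempts in by_src.items():
        best, start = None, 0
        for end in range(len(attempts)):          # sliding window over sorted attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                best = {"distinct_users": len(users),
                        "succeeded": sorted({u for _, u, ok in span if ok})}
        if best:
            findings[src] = best   # accounts that succeeded need a forced reset + MFA review
    return findings
```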
Protecting against credential compromise
Given the increasing threat of compromised employee credentials, it is crucial for organizations to take proactive remedial steps to mitigate this risk. By taking the following immediate actions, organizations can prevent data breaches that result from credential compromise.
- Implement multi-factor authentication. This requires employees to provide an additional layer of authentication beyond just their username and password, such as a code sent to their phone or a biometric factor like a fingerprint. Use physical FIDO2 compliant tokens as another factor of authentication where possible. This makes it much more difficult for hackers to gain access to employee accounts, even if they manage to obtain the login credentials.
- Use a password manager. A password manager can help employees create and store strong, unique passwords for all of their accounts. This can reduce the risk of password reuse and make it easier for employees to use strong passwords.
- Run your employees’ work and personal emails through any breach repositories you have access to. You can check for emails and passwords that have been involved in data breaches via haveibeenpwned.com, and there are other services available such as:
  - https://monitor.firefox.com
  - https://support.google.com/accounts/answer/9457609?hl=en#zippy=%2Cview-data-breaches-wecheck
  - https://support.1password.com/watchtower/
  - https://nordvpn.com/features/dark-web-monitor/
  - https://support.apple.com/en-gb/guide/iphone/iphd5d8daf4f/ios
  - https://uk.norton.com/feature/dark-web-monitoring
  If any cleartext credentials have been exposed in a breach, add them to your banned passwords list and make sure they are also no longer being used on employees’ personal accounts.
- Identify and block newly registered domains similar to your organization’s. This way, if attacker domains are leveraged in an attack (e.g., a user clicks a link to one), the request to the domain is blocked.
- Monitor for expiring domains which could be leveraged for credential harvesting.
- Regularly review any external facing components to understand exposure. Allow those that are trusted, remove those that are not, and ensure MFA is securely configured for all accounts.
- Ensure DMARC is enforced in DNS to mitigate impersonation attacks, whether against your own domain or against a trusted third party.
- Regularly audit employee access and reduce it to least privilege (including offboarding).
- Regularly audit third-party access and reduce it to least privilege.
- Use a secure messaging platform. Employees should use a secure messaging platform to communicate with each other and with clients, rather than using unsecured email or messaging apps.
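The breach-repository check and the banned-passwords list above fit together in a single password-acceptance policy. The following is an added example, not code from the article or from Picnic: it rejects a candidate password if it appears in a constructed breach table, queried through a prefix-only lookup of the k-anonymity shape used by Pwned Passwords (the client sends only the first five hex characters of the SHA-1 hash and matches the suffix locally), or if it matches the organization’s own banned list after normalization. The in-memory range lookup, the sample breach counts and the normalization rules are assumptions.

```python
import hashlib
import unicodedata

def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed sample breach corpus (password -> number of breach appearances).
# It stands in for a real repository so the example runs offline.
CONSTRUCTED_BREACHED = {"Password123": 10342, "Winter2023!": 57, "correct horse": 3}

def fake_range_lookup(prefix):
    """Stand-in for GET /range/{prefix}: returns 'SUFFIX:COUNT' lines whose
    full SHA-1 starts with the 5-hex-char prefix. Only the prefix ever leaves
    the client in the real protocol; the full hash is never sent."""
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        h = _sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\n".join(lines)

def breach_count(password, range_lookup=fake_range_lookup):
    """How many times the password appeared in breaches (0 = not found)."""
    h = _sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix).splitlines():
        cand, _, count = line.partition(":")
        if cand == suffix:
            return int(count)
    return 0

def normalize(pw):
    """Assumed normalization: fold case/Unicode and drop trailing digits and symbols,
    so 'Summer2022!' and 'summer2023' are treated as the same banned base word."""
    pw = unicodedata.normalize("NFKC", pw).lower()
    return pw.rstrip("0123456789!@#$%")

class BannedPasswordPolicy:
    def __init__(self, banned):
        # `banned` holds cleartext values recovered from breaches of employee accounts
        self.banned = {normalize(p) for p in banned}

    def evaluate(self, password, range_lookup=fake_range_lookup):
        if normalize(password) in self.banned:
            return "reject:banned-list"
        n = breach_count(password, range_lookup)
        if n > 0:
            return f"reject:seen-in-{n}-breaches"
        return "accept"
```

The same `evaluate` check can run at password-change time and in a scheduled sweep of existing accounts so that previously exposed values are rotated, not just blocked for new choices.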
How Picnic works to automate credential stuffing and reuse protection
Addressing credential compromise can be a time-consuming and resource-intensive process, particularly for large organizations with complex systems and multiple access points. For those looking to automate the process of credential stuffing and reuse protection, Picnic includes an automated enterprise solution for preventing attacks that rely on either work or personal account credentials, as part of its human attack surface management platform.
Picnic provides full visibility of an organization’s exposed attack surface, including the risk associated with data tied to the human element/employee population such as breached credentials.
Picnic considers a wide array of inputs for cleartext credentials that includes company-owned service accounts, employees’ current work accounts, employees’ former work accounts, and those associated with employees’ personal accounts. Attackers are increasingly focusing on using cleartext credentials from employees’ personal accounts, making this data source highly relevant for organizations that want to block the reuse of the credentials or force password resets when appropriate.
With Picnic, security teams can automate detection of compromised personal and corporate credentials in the open, deep, and dark web, automatically prevent their utilization within the organization, and secure enterprise portals at risk of credential stuffing attacks.
Picnic continuously monitors for exposed breach data and integrates with the customer’s existing identity providers (IdP) to automatically ban compromised passwords and trigger password changes and MFA for the users at risk of credential compromise and credential stuffing attacks.
Since attackers often create spoofed websites and accounts for use in credential harvesting attacks, Picnic also automates detection of suspicious domains and accounts and enables preventative measures before these resources can be exploited.
There is no doubt that credential compromise is on the rise as a preferred and effective means for cybercriminals to gain initial access and breach organizations. Fortunately, however, it can be prevented by taking the right proactive measures and utilizing the right technology.