EXECUTIVE SUMMARY:

Credential exposure is a growing and glaring concern. As many as 60% of breaches involve compromised credentials and more than 24 billion user names and passwords are currently available for sale on the dark web.

Leaked credentials are cheap and sell for pennies on the dollar. Hackers steal, sell and buy credentials to launch account takeover attacks, infiltrate networks, deploy ransomware, run espionage campaigns and conduct other malicious activities.

Make sure that your organization’s credentials aren’t available to cyber criminals who seek corporate access. Leverage the following five steps to mitigate credential exposure risks.

Mitigating credential exposure risk

1. Gather leaked credential data. In order to start addressing the issue of leaked credentials, security teams need to gather data about organizational credentials that are already on the dark web and open web. Teams need to see which credentials hackers currently have access to. This exercise offers insight into an organization’s risks, and can also shed light on whose credentials need to be updated.

2. Analyze the data. After gathering leaked credential data, security teams should work to identify the credentials that hackers are likely to use in security compromises. Security teams should look for instances where an attacker might take a username and password combination (either cleartext or hashed) and then try to apply it to systems or services.

  • Check to see if the credentials give access to the organization’s externally exposed assets, including web services and databases
  • Attempt to crack captured password hashes
  • Validate matches between leaked credential data and an organization’s identity management tools, such as Active Directory
  • Manipulate the raw data to explore similar means of compromise. Users often rely on password patterns: every 90 days, a user might add a new letter and number to a password in a methodical way, rather than generating and applying a random password. Your team should test variations on found credentials and look for additional password-account matches.

3. Mitigate credential exposure. After identifying exposures and validating leaked credentials, security teams can take direct action to mitigate the risk of an attacker pursuing an identical process. For example, security teams could erase inactive leaked accounts in Active Directory or initiate password changes for active users.

4. Reevaluate security processes. After completing direct mitigation tactics, security teams can explore whether or not their current password management processes are safe, and can implement improvements or upgrades where necessary. For example, if teams find a large number of leaked credentials, they may want to change the entire password policy across the organization.

5. Repeat automatically. Cyber attackers develop and adopt new techniques faster than you might imagine. The avenues of attack evolve: new points of access are added, and identities are added and removed on a regular basis. As a result, a single one-time effort to identify, validate and mitigate credential exposure is helpful, but inadequate. To achieve sustainable security within a highly dynamic threat landscape, organizations need to continually run through this credential exposure management process.
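The matching and mitigation decisions in steps 2 and 3 can be scripted so that step 5 becomes a scheduled job. The sketch below is an added example, not code from the original article: the feed entries, directory export fields, action names and the 90-day inactivity threshold are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data: leaked-credential feed entries and a directory export.
LEAKS = [
    ("Alice@Example.com ", date(2024, 3, 1)),
    ("bob@example.com", date(2024, 3, 1)),
    ("carol@example.com", date(2023, 11, 5)),
    ("carol@example.com", date(2024, 2, 10)),
    ("mallory@other.test", date(2024, 1, 1)),  # not one of our accounts
]
DIRECTORY = {
    "alice@example.com": {"last_logon": date(2024, 4, 2), "pwd_changed": date(2023, 9, 1)},
    "bob@example.com": {"last_logon": date(2023, 6, 15), "pwd_changed": date(2023, 1, 20)},
    "carol@example.com": {"last_logon": date(2024, 4, 8), "pwd_changed": date(2024, 3, 15)},
}

def latest_leak_per_account(leaks):
    """Normalize addresses and keep the most recent sighting for each one."""
    latest = {}
    for email, seen in leaks:
        key = email.strip().lower()
        if key not in latest or seen > latest[key]:
            latest[key] = seen
    return latest

def triage(leaks, directory, today, inactive_days=90):
    """Map each leaked account that exists in the directory to an action."""
    cutoff = today - timedelta(days=inactive_days)
    actions = {}
    for account, seen in latest_leak_per_account(leaks).items():
        entry = directory.get(account)
        if entry is None:
            continue  # leak does not match a directory identity
        if entry["last_logon"] < cutoff:
            actions[account] = "remove_inactive_account"
        elif entry["pwd_changed"] <= seen:
            actions[account] = "force_password_reset"
        else:
            # Password was rotated after the sighting; still review it, because
            # rotated passwords often follow a predictable pattern.
            actions[account] = "review_rotation_pattern"
    return actions

if __name__ == "__main__":
    for account, action in sorted(triage(LEAKS, DIRECTORY, date(2024, 4, 10)).items()):
        print(f"{account:22} {action}")
```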

Further information

You can also mitigate the risk of credential exposure by setting up password expiration policies, requiring multi-factor authentication, implementing SSO and adding other controls that can help monitor account access.

For more information about how to mitigate credential exposure, see CyberTalk.org’s past coverage.