Compromised credentials are the number one attack vector behind breaches, according to the Verizon Data Breach Investigations Report. Armed with an employee username and password, attackers can stealthily gain a foothold on the network, perform reconnaissance, and move laterally to critical targets – all without malware. Phishing and malware are effective ways to steal credentials, but there is another, much easier way that is largely outside the organization's control – third party breaches.
The way it works is simple. A company employee uses their work email (e.g. email@example.com) to sign up for an account, whether it be Adobe or Ashley Madison. That site gets compromised, which can lead to damage ranging from the exposure of real names and passwords to credit card numbers, Social Security numbers, and other personally identifiable information leaked into the public domain. Over the past year alone, millions have had their credentials spilled onto the web from breaches and the subsequent data dumps.
The complication is that we often reuse passwords... and they aren't very strong. According to a 2007 Microsoft study, the average web user maintains 25 separate accounts but uses just 6.5 passwords to protect them. Since 2007, we (1) use even more services, (2) create accounts on mobile devices, and (3) haven't made significant strides in password hygiene.
Since work emails are easily identifiable as belonging to a company, it is not a stretch for attackers to attempt authentication against Outlook Web Access, cloud services such as Google Apps, Box, or Office 365, or elsewhere. If authentication succeeds, the result is data loss that is difficult to detect. From there, attackers can dig for VPN credentials, use the compromised account to phish other employees, and move laterally toward prized assets such as credit card databases, Protected Health Information (PHI), or confidential financials and schematics.
How can you check whether your data, or a friend's, has been exposed? Sites like HaveIBeenPwned let you enter an email address and check it against their database of known breaches. User Behavior Analytics (UBA) technology can also baseline normal account authentications and identify suspicious logins for further investigation. With InsightIDR, we alert you to accounts associated with third party breaches and also identify compromised credentials across all of your employees, including their network services, endpoints, and cloud services.
InsightIDR helps detect account takeovers through user behavior analytics, automatically provides a visual dossier of your users and assets, and highlights risky behavior from your employees. By integrating with your existing network and security stack, the millions of events generated daily on your network are correlated to the users behind them. This is combined with Rapid7's knowledge of the attacker from the Metasploit project, Incident Response teams, and Pen Testers to help you catch intruders earlier in the attack chain, before data theft occurs.
During an evaluation of InsightIDR, a large private university was immediately alerted to three incidents involving multiple compromised user accounts. In one case, there were authentications coming from the EMEA region. Drilling in further, the ISO saw that the user account in question was trying to connect via VPN from an IP address in Lagos, Nigeria. Although university faculty often travel, the user behavior analytics within InsightIDR automatically identified the authentications as unusual.
After confirming that the account owner was not traveling, the Active Directory account and password were reset, and the user was placed on the InsightIDR Watchlist to more closely monitor subsequent activity. Fifteen minutes later, ingress activity came from the same IP address for a different user account. That user was also confirmed not traveling, and was likewise reset and watchlisted. Both end users were questioned about whether they had fallen victim to phishing campaigns, but neither recalled any suspicious events. This capability has also proved useful for government agencies and biotech companies – being able to identify and mitigate credential risk transcends verticals and is essential in today's threat landscape.
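The two detection ideas in this story, a per-user baseline of where successful logins normally come from and a check for one source IP authenticating to a second account shortly after a flagged login, are easy to illustrate. The Python below is an added example written for this post, not InsightIDR code or any Rapid7 product logic; the authentication log lines, usernames, IP addresses and country codes are all constructed for the example, and the 30-minute correlation window and the "watchlist" behaviour are assumptions chosen to mirror the narrative above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN/webmail authentication log (not real data).
# Fields: timestamp, user, source_ip, country, result
SAMPLE_LOG = """\
2016-03-01T08:02:11Z alice 203.0.113.10 US success
2016-03-01T08:15:40Z bob 203.0.113.22 US success
2016-03-02T09:10:05Z alice 203.0.113.10 US success
2016-03-03T07:55:13Z bob 198.51.100.7 US success
2016-03-04T10:20:30Z alice 203.0.113.10 US success
2016-03-05T03:12:44Z alice 192.0.2.77 NG success
2016-03-05T03:27:02Z bob 192.0.2.77 NG success
2016-03-05T04:01:19Z alice 192.0.2.77 NG failure
"""


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    return events


def build_baseline(events, before):
    """Per-user set of countries seen in successful logins before the cutoff.
    This is the 'normal' profile that later logins are compared against."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success" and e["ts"] < before:
            baseline[e["user"]].add(e["country"])
    return baseline


def detect(events, baseline, watchlist=frozenset(), window=timedelta(minutes=30)):
    """Return (kind, user, ip) alerts, in event order:
      new_country   - successful login from a country absent from the user's baseline
      shared_source - a different account authenticates from an IP that already
                      produced a new_country alert within `window` (assumed 30 min)
      watchlist     - any activity, successful or not, by a watchlisted user
    """
    alerts = []
    flagged_ips = {}  # ip -> (timestamp, user) of the most recent new_country alert
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["user"] in watchlist:
            alerts.append(("watchlist", e["user"], e["ip"]))
        if e["result"] != "success":
            continue
        prev = flagged_ips.get(e["ip"])
        if prev and prev[1] != e["user"] and e["ts"] - prev[0] <= window:
            alerts.append(("shared_source", e["user"], e["ip"]))
        if e["country"] not in baseline.get(e["user"], set()):
            alerts.append(("new_country", e["user"], e["ip"]))
            flagged_ips[e["ip"]] = (e["ts"], e["user"])
    return alerts


def run_example():
    """First pass: baseline on the first four days, detect on the whole log.
    Second pass: after the analyst confirms alice was not traveling and resets
    and watchlists the account, re-run over only the activity from that point on."""
    events = parse_log(SAMPLE_LOG)
    baseline = build_baseline(events, before=datetime(2016, 3, 5))
    first_pass = detect(events, baseline)
    watchlisted_at = datetime(2016, 3, 5, 3, 30)
    later = [e for e in events if e["ts"] >= watchlisted_at]
    second_pass = detect(later, baseline, watchlist={"alice"})
    return first_pass, second_pass


if __name__ == "__main__":
    for label, alerts in zip(("first pass", "second pass"), run_example()):
        print(label)
        for kind, user, ip in alerts:
            print(f"  {kind:14} user={user} ip={ip}")
```

The first pass flags alice's login from a country outside her baseline, then flags bob fifteen minutes later both because the same source IP is now hitting a second account and because the country is new for him too. The second pass shows why watchlisting matters after a reset: the failed login from the same IP would otherwise be silent, but because alice is watchlisted it surfaces as an alert, which is the "more closely monitor subsequent activity" step from the case above. In production the baseline would be built continuously from historical data rather than a fixed cutoff, and the country lookup would come from a GeoIP source rather than a log field.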
If you'd like to learn more about how attackers use credentials to gain unauthorized access, check out our Rapid7 research report, The Attacker's Dictionary - Auditing Criminal Credential Attacks. For more about our complete incident detection and investigation solution, check out our on-demand 20-minute InsightIDR demo today!