Stolen credentials are the number one attack vector behind breaches1. Armed with an employee username and password, attackers can stealthily gain a foothold on the network, perform reconnaissance, and move laterally to critical targets – all without malware. Phishing & malware are great ways to steal credentials, but there's another, much easier way that's largely outside of one's control – third party breaches.
The way it works is simple. A company employee uses their work email (e.g. firstname.lastname@example.org) to sign up for an account, whether it be Adobe or Ashley Madison. That site gets compromised, which can lead to anywhere from real names & passwords getting exposed to credit card numbers, Social Security #'s, and other personally identifiable information. Over the past year alone, millions have had their credentials spilled onto the web from breaches and the resulting public data dumps.
The complication is that we often reuse passwords and they aren't very strong. According to a 2007 Microsoft study, the average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them. Since 2007, we (1) use even more services, (2) login on mobile devices (shorter passwords?), and (3) haven't made significant strides in password hygiene.
Since work emails are easily identifiable as associated with a company, it's not a stretch for attackers to try them on Outlook Web Access, Cloud Services like Google Apps, Box, or Office 365, or elsewhere. If authentication is successful, this results in data loss that is also difficult to detect. From there, attackers can dig for VPN credentials, use the compromised account to phish other employees, and laterally move towards prized assets such as credit card info, protected health information, or confidential financials or schematics.
How can you check if you or your friend's data has been exposed? Sites like HaveIBeenPwned offer searches where email addresses can be entered to check against their database. User behavior analytics solutions can also baseline what account authentications are normal and identify suspicious logins you should investigate further. With Rapid7 UserInsight, we alert you of accounts associated with third party breaches, and also identify compromised credentials across all of your employees, for all of their services, endpoints, and even cloud services as well.
UserInsight helps you detect account takeovers through user behavior analytics, provides rich context for investigations, and highlights risks from regular user behavior. By integrating with your existing network architecture and security stack, all activity on your network is correlated to the users behind them. This is combined with Rapid7's knowledge of the attacker from Metasploit and Global Services to help you catch intruders earlier in the attack chain, before they've caused damage.
During an evaluation of UserInsight, the United States Naval Academy immediately identified user credentials involved in data breaches. One alert stemmed from the Stratfor Global Intelligence breach in 2011, when malicious attackers stole credit card details, passwords, and home addresses for thousands of clients. This has also proved useful for college campuses and biotech companies – being able to identify and mitigate credential risk transcends verticals and is essential in today's threat landscape.
To learn more about how User Behavior Analytics solutions are being recommended to detect both outside attacks and insider threat, get the Gartner Market Guide here. View our UserInsight product page to see demo videos and get a free guided tour!
1. Verizon Data Breach Investigations Report, 2011-2015