Why Behavioral Analytics Is Key to Stopping a Credential Stuffing Attack

If you looked on the Dark Web shortly after Disney+ launched, you would have found many accounts up for grabs - possibly yours. Priced anywhere from free to eleven dollars, these accounts were made available with “no evidence of a security breach” on Disney’s end, according to the company. So what happened? Quite probably, a credential stuffing attack.

Anatomy of a Credential Stuffing Attack

According to Salt Security, a credential stuffing attack “is a type of attack in which hackers use automation and lists of compromised usernames and passwords to defeat authentication and authorization mechanisms, with the end goal of account takeover (ATO) and/or data exfiltration.” In other words, hackers take lists of already stolen usernames and passwords (lurking around online) and run them against other websites until some of them stick.

They are similar to brute-force attacks, in that the attacks are repeated, persistent and automated. The difference is that, whereas in brute-force attacks the credentials are guessed at algorithmically, credential stuffing attacks use already known lists of compromised credentials. 

Said Sushila Nair, a VP of security services, “Ultimately, the success of password spray attacks and the fact it doesn’t require the use of advanced technology makes it a great starting point for attackers… The Identity Theft Resource Center estimates the average person has around 100 passwords to remember, so it’s no surprise that so many of us are reusing the same passwords across multiple sites, which contributes to the success of this kind of attack.” Tip: don’t reuse passwords.

How Behavioral Analytics Can Stop a Credential Stuffing Attack 

So, what can organizations do to defend against credential stuffing attacks? Requiring employees to use passwords distinct from the ones they use on other sites is a start, but companies should apply more tactics. Besides employing multifactor authentication (MFA) and not allowing email addresses to be used as usernames, companies can baseline their environments and use ML and AI to see when something is out of the ordinary. This practice is called behavioral analytics.

“Credential stuffing can be more easily and quickly detected if an organization is able to establish baselines of typical user behavior and traffic patterns,” states Salt. For behavioral analytics, an organization aggregates large amounts of normative data, say, from your users’ login attempts or your network traffic patterns, so the alarms can be sounded when bots or bad actors come in and do something out of the ordinary (like initiate a barrage of sign-in attempts in a credential stuffing attack, which AI and ML algorithms can detect even when bad actors meter out the flow slowly).
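The baseline-then-flag idea above, as an added example that is not from the original article: it learns how many distinct accounts a single source normally tries, then flags sources far above that norm whose attempts mostly fail, which still catches an attack metered out at one attempt every 15 minutes. It uses a simple robust statistic (median and MAD) rather than an ML model; the event tuple layout, the thresholds `k` and `min_fail_ratio`, and all sample data are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

def per_source_stats(events):
    """events: (epoch_seconds, source_ip, username, success) tuples."""
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _ts, ip, user, ok in events:
        users[ip].add(user)
        total[ip] += 1
        fails[ip] += 0 if ok else 1
    # per source: (distinct accounts tried, share of attempts that failed)
    return {ip: (len(users[ip]), fails[ip] / total[ip]) for ip in total}

def build_baseline(history):
    """Median and MAD of distinct accounts per source over normal traffic."""
    counts = [n for n, _ in per_source_stats(history).values()]
    med = median(counts)
    mad = median(abs(c - med) for c in counts) or 1.0  # guard against MAD == 0
    return med, mad

def flag_sources(window, baseline, k=6.0, min_fail_ratio=0.8):
    """Flag sources far above the baseline account count that mostly fail."""
    med, mad = baseline
    flagged = []
    for ip, (n_users, fail_ratio) in per_source_stats(window).items():
        if (n_users - med) / mad > k and fail_ratio >= min_fail_ratio:
            flagged.append((ip, n_users, fail_ratio))
    return sorted(flagged)

# Constructed sample data (documentation IP ranges, invented usernames).
def sample_history():
    # 20 ordinary sources: one account each, every fifth one shares two accounts
    ev = []
    for i in range(20):
        for u in range(2 if i % 5 == 0 else 1):
            ev.append((i * 60, f"192.0.2.{i + 1}", f"user{i}_{u}", True))
    return ev

def sample_window():
    ev = [(t * 900, "203.0.113.50", f"victim{t}", t in (7, 31))  # one try per 15 min
          for t in range(40)]
    ev += [(100 + t, "198.51.100.7", "alice", t == 5) for t in range(6)]  # typo-prone user
    ev += [(200 + t, "198.51.100.20", f"office{t}", True) for t in range(10)]  # busy NAT
    return ev

if __name__ == "__main__":
    print(flag_sources(sample_window(), build_baseline(sample_history())))
```

Requiring both conditions keeps the mistyping user (one account, many failures) and the busy shared address (many accounts, no failures) out of the alerts.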

This approach is also known as User and Entity Behavioral Analytics (UEBA). To do any kind of behavioral analytics, you need three components: collected data, storage of the data, and algorithms that make decisions in real time on what to do with the data (in other words, how to mitigate threats). So what can you do with these analytics systems? You can:

  • Detect attacks. The anomalous behavior of attackers (or malicious programs) will be detected by a system scanning for any deviations from established norms. 
  • Manage and groom employee access rights. In a zero-trust environment, only those who need access should have it. Redundant employee access rights will be blocked and only the necessary ones allowed.
  • Identify internal threats.  Such analytics can reveal the telltale behavior of an inside attacker. Otherwise, systems might allow any authenticated user full access.
  • Identify compromised accounts. Priority should be given to accounts with the most sensitive access and information. “User accounts are critical attack vectors for hackers intent on stealing valuable data or inflicting crippling damage,” explained Ross Brewer, VP and MD of EMEA at LogRhythm.

Putting Attackers “In Check”

The current cyber landscape has been described as a “chess match”: a race to an unknown finish, where the best protected organizations are the ones that can consistently make the best decisions fastest. Against baselines established by behavioral analytics, both human hacking and automated machine actions like the ones behind credential stuffing attacks will stand out as different from the norm and can be mitigated.

Stated Brewer, “Organizations should know by now that it’s no longer a matter of if they’ll be breached but rather when. Without deep visibility into insider threats and risks, and behavioral analytics in place to analyze the potential threats, companies will be blind to breaches happening right under their noses.” 


About the Author: An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites. 
