Cybercriminals are creatures of opportunity: They look for the biggest score for the least effort. Gaining access to users’ personal and business accounts is no different. Rather than attacking the application itself, they look for the cheapest way in, and that is usually a set of credentials that has already been compromised somewhere else.
As of June 9, 2020, the website haveibeenpwned.com lists 9,760,722,439 (nearly 9.8 billion) known “pwned” account records. That is more records than there are people alive today, which means that for many people the passwords of several different accounts have been exposed, not just one.
What makes this worse is a recent study by Carnegie Mellon University’s CyLab Security and Privacy Institute, which found that only one in three users bothers to change their password after a publicized data breach. And when they do change it, the new password is frequently no stronger than the compromised one it replaced, and is often just a minor variation of it.
Now, let’s imagine that some of those negligent users are your own employees. What would this mean for your business? Let’s connect the dots:
Needless to say, this spells trouble for your organization in the form of account compromise. But just what tactics do cybercriminals use to gain access to accounts?
Brute force is both a specific attack and a broad category of attacks that exploit weak passwords. The threat actor’s goal is to force their way into an account and gain unauthorized access to its content, assets, and information. In its simplest form, the attacker feeds a list of candidate passwords (typically dictionary words, often extended with common number and special-character variations) to the login endpoint and watches how the server responds to each one. In the most basic sense, a brute force attack is like a burglar with a massive key ring: They try every key in the lock until one eventually works.
The Open Web Application Security Project (OWASP) defines credential stuffing as a type of brute force attack that involves “the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.” In a nutshell, credential stuffing is a bit like firing a shotgun: The cybercriminal “fires” username and password pairs that were stolen or leaked from other sites at your login page to see whether any of them are valid there too. It works because users reuse passwords across services.
Credential stuffing is something cybersecurity companies fight continually. One credential stuffing attack that Imperva reported mitigating lasted a total of 60 hours and involved 44 million login attempts. That works out to roughly 733,333 login attempts per hour, or 12,222 per minute.
Password spraying is another type of brute force attack, but it inverts the pattern: Instead of trying many passwords against one account, the attacker tries a single common password against many accounts, then moves on to the next password. Because each account sees only one failed attempt per pass, spraying stays below the per-account lockout thresholds that would stop a classic brute force attack.
This method of attack is the virtual equivalent of lobbing a handful of duplicate keys into a room full of different locks: “Spraying” one password across many accounts lets the attacker test one key against many doors at once, and a single match is all they need.
So, with successful attacks occurring at such a rapid rate, what can you do to protect your organization against weak or compromised password attacks?
Let’s be perfectly frank: No matter what anyone tells you, there is no one-size-fits-all approach to stopping credential-based cyber attacks. (Or any other type of cyber attack, for that matter.) All you can do is implement a layered approach that makes you a tougher target. So with that in mind, here are 7 steps you can take to prevent compromised credentials from affecting your organization.
Any organization that’s worth its security salt monitors and analyzes its traffic and access logs. Part of that monitoring involves reviewing both successful and failed login attempts. Some organizations do this in-house with their own staff and a SIEM; others hire third-party services to do it for them. Either way, these records show which IP addresses (or groups of them) are attempting to log in to which accounts, and how often they fail, which helps you identify brute force attacks in progress.
Machine learning and other analytics tooling can scour the logs and flag suspicious activity and failed login attempts far faster than a human could. The advantage is that it frees up your people to focus on analyzing the potential threats that surface, or to handle other important tasks.
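As an added example (not from the original article), here is the kind of detection logic a SIEM rule or a small script would run over those login records. It assumes a log format of "<timestamp> <OK|FAIL> <user> <source ip>" and uses constructed sample lines; the thresholds are illustrative.

```python
"""Flag brute force, credential stuffing and password spraying in auth logs.

Added example (not from the original article). The log format is an
assumption: one event per line, "<ISO timestamp> <OK|FAIL> <username> <source ip>".
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<status>OK|FAIL)\s+(?P<user>\S+)\s+(?P<ip>\S+)$"
)


def parse_log(lines):
    """Yield (status, user, ip) for well-formed lines; silently skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("status"), m.group("user"), m.group("ip")


def classify_failures(lines, fail_threshold=10, account_threshold=10):
    """Bucket failed logins by source IP and by account, then label the patterns.

    brute_force:         one IP with many failures against a single account
    credential_stuffing: one IP with one failure each against many accounts
    password_spraying:   many accounts with one or two failures each, coming
                         from IPs that individually stay below the thresholds
    """
    fails_by_ip = defaultdict(list)    # ip   -> [user, user, ...]
    fails_by_user = defaultdict(list)  # user -> [ip, ip, ...]
    for status, user, ip in parse_log(lines):
        if status == "FAIL":
            fails_by_ip[ip].append(user)
            fails_by_user[user].append(ip)

    report = {"brute_force": {}, "credential_stuffing": {}, "password_spraying": None}
    noisy_ips = set()
    for ip, users in fails_by_ip.items():
        distinct_accounts = len(set(users))
        if distinct_accounts >= account_threshold:
            report["credential_stuffing"][ip] = distinct_accounts
            noisy_ips.add(ip)
        elif len(users) >= fail_threshold:
            report["brute_force"][ip] = len(users)
            noisy_ips.add(ip)

    # Spraying is designed to stay under per-IP and per-account lockouts, so
    # look for breadth instead of depth: lots of accounts that each failed once
    # or twice from sources that never tripped the per-IP thresholds above.
    sprayed_accounts, spray_sources = set(), set()
    for user, ips in fails_by_user.items():
        quiet_sources = [ip for ip in ips if ip not in noisy_ips]
        if quiet_sources and len(ips) <= 2:
            sprayed_accounts.add(user)
            spray_sources.update(quiet_sources)
    if len(sprayed_accounts) >= account_threshold:
        report["password_spraying"] = {
            "accounts": len(sprayed_accounts),
            "source_ips": len(spray_sources),
        }
    return report


def build_sample_log():
    """Constructed sample traffic for the demo (RFC 5737 test addresses, not real data)."""
    lines, clock = [], 0

    def add(status, user, ip):
        nonlocal clock
        lines.append(f"2020-06-09T10:{clock // 60:02d}:{clock % 60:02d}Z {status} {user} {ip}")
        clock += 1

    for _ in range(20):                      # brute force: 20 tries on one account
        add("FAIL", "alice", "203.0.113.7")
    for i in range(15):                      # stuffing: 15 accounts, one try each, one IP
        add("FAIL", f"user{i:02d}", "198.51.100.9")
    for i in range(12):                      # spraying: 12 accounts, one try each, 12 IPs
        add("FAIL", f"staff{i:02d}", f"192.0.2.{i + 1}")
    add("FAIL", "dave", "203.0.113.50")     # a real user mistyping once, then succeeding
    add("OK", "dave", "203.0.113.50")
    return lines


if __name__ == "__main__":
    for label, finding in classify_failures(build_sample_log()).items():
        print(f"{label}: {finding}")
```

The three patterns are told apart by depth versus breadth: many failures on one account from one source is brute force, one failure each on many accounts from one source is stuffing, and one failure each on many accounts from many quiet sources is spraying. Spraying is the one that plain per-IP rate limits miss, which is why the last check only looks at sources that never tripped the per-IP thresholds. A legitimate user’s single typo can land in that bucket (dave does in the sample), so treat the spraying finding as an investigation trigger rather than an automatic block.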
Brute force attacks are the perfect solution for the lazy (or efficient, depending on how you look at it) hacker. Cybercriminals purchase, or download for free, lists of leaked credentials and common passwords (dictionaries), then use automation to run through those lists against a login page until a combination works.
But where do they get these lists? Plenty of them circulate on the dark web, in hacker communities, and on sites like GitHub. People also post lists of the most commonly used passwords. For example, here’s a screenshot of a list of the 10,000 most common passwords that’s available on GitHub:
Image Source: GitHub
Heck, how about a list of the 100,000 (100k) most commonly used passwords instead? That’s available on GitHub, too (and has been for more than a year!).
Having these lists out in public is bad news for the users who still pick passwords from them, but there’s a silver lining for organizations: You can use the same lists to stop brute force attacks from succeeding, by preventing users from choosing insecure or already-compromised passwords in the first place.
One way to do this is to create a custom banned password list in Microsoft Azure Active Directory. Azure AD already checks new passwords against Microsoft’s global banned password list; the custom list lets you add your own terms (your company and product names, for example) that shouldn’t be allowed in passwords.
Image source: Microsoft
Unfortunately, the custom list is capped at 1,000 prohibited terms. If you need more, there are additional tools and options to consider, such as Specops Password Policy.
If you’re using WordPress, you can use a plugin such as No Weak Passwords, which checks passwords against an online list of common passwords and terms in more than 20 languages. Or you can use WPScan, which is available as a command-line tool and as a plugin, to audit your own site for known weak credentials: Point it at the site with a password wordlist and its user-enumeration and password-attack modes do the rest. (Run it only against sites you own or are authorized to test.)
During a credential stuffing attack or another credential-based attack, your logs will often show a handful of IP addresses with repeated failed login attempts across many different accounts. That is the signature of the less sophisticated attacks; more sophisticated ones spread the attempts across proxies or a botnet so that no single address stands out. The good news? For the obvious cases, you can filter or block those IP addresses outright.
NIST has a couple of definitions for the term “blacklist,” but in summary, it’s a compiled list of IP addresses, domains, or URLs that are known or suspected to be malicious. By applying a blacklist at almost any point in your network, you can deny service to entities that may pose a threat to your organization. Some companies purchase blacklists from commercial services; others compile their own from their logs of failed login attempts. There’s no right or wrong way to go about it.
However, if your organization lacks the resources or personnel to painstakingly go through network logs, there are publicly reported blacklists of “bad” IP addresses that you can use. If you’re not sure where to start looking for them, here’s a list of a few free and commercial resources:
One important note: Some of these resources have usage restrictions, so be sure to read the usage agreements before relying on any of them.
If you’re looking for additional real-time blackhole list (RBL) resources, check multirbl.valli.org’s list of RBLs. There are also plenty of online tools for checking individual IP addresses, including your own, such as whatismyipaddress.com and dnschecker.org.
IP address ranges are also published by region, so another useful trick is to set up regional IP restrictions. This works well for an organization that only serves local or regional customers. For example, a U.S. company that only does business with individuals in the continental U.S. could block login attempts from IP addresses that geolocate outside that area. And if you suddenly notice failed login attempts from addresses well outside your customers’ regions, you can block those too. Keep in mind that geolocation data is approximate, and travelling employees or customers on a VPN will occasionally land on the wrong side of the rule.
Of course, cybercriminals can employ various methods to hide their IP addresses, such as VPNs, proxies, and botnets, but IP filtering and blacklisting at least protect you against the less sophisticated attackers.
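To make the enforcement side concrete, here is an added example (not from the original article, and not any vendor’s code) of a login filter that layers a static deny list, a regional allow list and a per-IP failure lockout. The deny list, the region table and the thresholds are constructed for the demo; a real deployment would load them from an RBL feed and a GeoIP database.

```python
"""Layered login filter: static deny list, regional allow list, dynamic lockout.

Added example (not from the original article). The deny list, region table and
thresholds are constructed for the demo; in practice the deny list comes from a
commercial or community RBL and the region table from a GeoIP database.
"""
import ipaddress
from collections import defaultdict

# Constructed data. RFC 5737 documentation ranges stand in for real networks.
DENY_LIST = ["198.51.100.0/24", "203.0.113.7"]
REGION_TABLE = {                      # network -> region, as a GeoIP lookup would return
    "192.0.2.0/24": "US",
    "203.0.113.0/24": "DE",
    "198.51.100.0/24": "BR",
}
ALLOWED_REGIONS = {"US"}


class LoginFilter:
    def __init__(self, deny_list, region_table, allowed_regions,
                 fail_limit=10, unknown_region_ok=True):
        self.deny = [ipaddress.ip_network(n, strict=False) for n in deny_list]
        self.regions = [(ipaddress.ip_network(n, strict=False), r)
                        for n, r in region_table.items()]
        self.allowed_regions = set(allowed_regions)
        self.fail_limit = fail_limit
        # Design choice: GeoIP data is incomplete, so by default an address with
        # no region entry is allowed rather than blocked. Flip this for strict deployments.
        self.unknown_region_ok = unknown_region_ok
        self.failures = defaultdict(int)   # ip -> failed logins seen so far

    def region_of(self, ip):
        for net, region in self.regions:
            if ip in net:                   # IPv4/IPv6 mismatch simply yields False
                return region
        return None

    def decision(self, ip_str):
        """Return 'allow' or a 'deny:<reason>' string for a login attempt from ip_str."""
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            return "deny:invalid"          # garbage in X-Forwarded-For etc. never gets a pass
        if any(ip in net for net in self.deny):
            return "deny:list"
        region = self.region_of(ip)
        if region is None:
            if not self.unknown_region_ok:
                return "deny:region"
        elif region not in self.allowed_regions:
            return "deny:region"
        if self.failures[ip_str] >= self.fail_limit:
            return "deny:ratelimit"
        return "allow"

    def record_failure(self, ip_str):
        """Call after each failed login; returns the running count for that IP."""
        self.failures[ip_str] += 1
        return self.failures[ip_str]


if __name__ == "__main__":
    f = LoginFilter(DENY_LIST, REGION_TABLE, ALLOWED_REGIONS)
    for src in ["198.51.100.9", "203.0.113.20", "192.0.2.5", "2001:db8::1", "not-an-ip"]:
        print(src, "->", f.decision(src))
```

The checks run cheapest-and-most-certain first: an address on the deny list is refused before any geolocation or counting happens, and a string that is not an IP address at all is refused outright rather than falling through. The per-IP lockout is the piece a spraying attacker defeats by rotating addresses, which is exactly why it sits alongside the other two layers instead of replacing them.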
PassProtect is an open-source library (also available as a Google Chrome extension) that stops compromised passwords from being used as credentials. More specifically, it binds to the email and password input elements on a page and checks whether the values a user types have been exposed in a past data breach, by querying the Have I Been Pwned? API. For passwords it uses the API’s k-anonymity range lookup, so the password itself never leaves the browser; only the first five characters of its SHA-1 hash are sent.
So, if you were to integrate this into your own web apps, it could help you to mitigate the use of weak and compromised passwords by your users.
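The k-anonymity lookup PassProtect relies on is simple enough to implement yourself. The following is an added example (this is not PassProtect’s code and is not from the original article) showing the protocol: the password is hashed with SHA-1, only the first five hex characters of the hash go to the service, and the remaining 35 are matched locally against the suffixes it returns. The range response below is a constructed stand-in so the code runs offline; a live fetcher is included but not called.

```python
"""Check a password against Have I Been Pwned without sending the password.

Added example (not PassProtect's code and not from the original article). It
implements the k-anonymity range lookup the Pwned Passwords API exposes: hash
the password with SHA-1, send only the first five hex characters, and match the
remaining 35 locally against the suffixes the service returns.
"""
import hashlib
import hmac
import urllib.request


def hash_prefix_suffix(password):
    """Split SHA-1(password) into the 5-char prefix sent over the wire and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix, range_response):
    """Parse 'SUFFIX:COUNT' lines from a range response; return the count for our suffix, 0 if absent."""
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep:
            continue                       # blank or malformed line
        # Constant-time compare: the suffix is derived from the user's password.
        if hmac.compare_digest(candidate.strip().upper(), suffix):
            return int(count.strip() or 0)
    return 0


def is_pwned(password, fetch_range):
    """fetch_range(prefix) -> response text. Returns (pwned?, count)."""
    prefix, suffix = hash_prefix_suffix(password)
    count = breach_count(suffix, fetch_range(prefix))
    return count > 0, count


def fetch_range_live(prefix, timeout=5):
    """Real lookup against api.pwnedpasswords.com (needs network; not used below)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "credential-hygiene-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service's answer to prefix 5BAA6 (SHA-1("password")
# starts with 5BAA6...). The neighbouring suffixes and all counts are made up.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "1E2BAA7E3A1B3F9A2D6A9EF6B7C3F7E2B5C:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1F8A0B1C2D3E4F5061728394A5B6C7D8E9F:1",
    ])
}


def fetch_range_offline(prefix):
    """Offline fetcher used in the demo: unknown prefixes return an empty range."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple 7Q!"]:
        print(repr(pw), is_pwned(pw, fetch_range_offline))
```

Because every prefix covers hundreds of real hashes, the service learns only that the user’s password is one of several hundred candidates, not which one. When you wire this into a registration or password-change form, call it server-side as well as in the browser; the client-side check is a usability aid, and the server-side one is the control.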
Here’s another way that you can protect your website from the use of weak or compromised credentials: Make multi-factor authentication (MFA) mandatory.
Multi-factor authentication is a great way to supplement password security and blunt the use of stolen credentials. In addition to the password, an attacker would also need a second factor (such as a physical security token, an authenticator app, or a biometric) to complete the authentication process. Breached credentials alone would no longer be enough to get in. Not all second factors are equal, though: One-time codes sent by SMS or generated by an app can still be phished in real time, whereas FIDO2/WebAuthn security keys bind the login to the site’s origin and resist that.
Verizon’s 2020 Data Breach Investigations Report (DBIR) reiterates the impact of credential theft in web application attacks. Although the following excerpt speaks specifically to web app attacks targeting the construction industry, the sentiment extends to other verticals as well:
“For the Web Applications attacks, the most common hacking variety was the use of stolen credentials. Sometimes these were obtained from a phishing attack, and sometimes they were just part of the debris field from other breaches. Employees reusing their credentials for multiple accounts (both professional and personal) increases risk for organizations when there are breaches and the stolen credentials are then used for credential stuffing. The key to reducing this risk is to ensure that the stolen credentials are worthless against your infrastructure by implementing multifactor authentication methods.”
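To show what a second factor actually adds, here is an added example (not from the original article or the DBIR) of server-side verification of time-based one-time passwords (RFC 6238), the kind an authenticator app generates. The secret is the RFC’s published test key; the acceptance `window` and the replay check via `last_counter` are this example’s own design choices.

```python
"""Server-side TOTP verification (RFC 6238) as a second factor.

Added example, not from the original article or the DBIR. It shows what the
"something you have" factor buys you: a valid password alone cannot produce the
code, because the code is an HMAC over the current time step keyed by a secret
that only the authenticator app and the server hold.
"""
import base64
import hashlib
import hmac
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time, last_counter=-1,
                step=30, digits=6, window=1):
    """Check a submitted code against the current step and +/- `window` steps.

    Returns (accepted, counter_to_store). The caller persists the counter of
    the last accepted code and passes it back as `last_counter`, so a code
    that was already used cannot be replayed within its validity window.
    """
    submitted = submitted.strip()
    if not (submitted.isdigit() and len(submitted) == digits):
        return False, last_counter          # reject before doing any crypto
    now = int(unix_time) // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue                        # already consumed: reject replay
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_counter


def secret_from_base32(encoded):
    """Authenticator apps share secrets as base32 (what the enrolment QR code carries)."""
    padded = encoded.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


# RFC 6238 test secret (ASCII "12345678901234567890"); a real deployment
# generates 20 random bytes per user with secrets.token_bytes(20).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_SECRET, now)
    print("current code:", code, "accepted:", verify_totp(RFC_SECRET, code, now)[0])
```

Two details matter in production: store the counter of the last accepted code so the same six digits cannot be submitted twice within the 30-second window, and rate-limit the verification endpoint, since a six-digit code with a three-step window is brute-forceable if an attacker is allowed unlimited guesses.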
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) shares a few additional ways that you can supplement your password security measures:
Password policies help ensure that any passwords that are created are as strong as possible. Some such policies include:
The key here is to actually enforce whatever password policies you put in place. And the longer a compromised password stays in use, the greater the risk to the user and to you, so force a reset as soon as a password turns up in a breach or on a banned list, rather than waiting for a calendar-based rotation.
You can also offer password strength meters and password generators to help users pick better passwords.
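Putting the banned-list idea from the earlier section together with the policy enforcement described here, the following added example (not Microsoft’s, Specops’ or the article’s own code) checks a candidate password against a normalised banned list and a minimum length. The leet-speak substitution table, the substring rule and the wordlist are this example’s own assumptions.

```python
"""Banned-password and length check, in the spirit of Azure AD's custom list.

Added example, not Microsoft's or Specops' code and not from the original
article. The normalisation (lower-case plus a handful of leet substitutions)
and the substring rule are this example's own assumptions; the banned terms
are constructed, and a real deployment would load the 10k/100k GitHub lists
mentioned above plus the organisation's own names.
"""
import unicodedata

# Characters attackers and users both swap in; "P@ssw0rd" must still hit "password".
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "|": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalize(password):
    """Fold case, Unicode compatibility forms and leet substitutions before matching."""
    return unicodedata.normalize("NFKC", password).lower().translate(SUBSTITUTIONS)


def load_banned_terms(lines, min_term_length=4):
    """Build the banned set from a wordlist; skip blanks, comments and very short terms."""
    terms = set()
    for raw in lines:
        term = raw.split("#", 1)[0].strip()
        if term and len(term) >= min_term_length:
            terms.add(normalize(term))     # normalise the list too, so "p@ssw0rd" entries work
    return terms


def check_password(password, banned_terms, min_length=12):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    folded = normalize(password)
    # Substring match, not equality: "P@ssw0rd2020!" is still built on "password".
    hits = sorted(term for term in banned_terms if term in folded)
    if hits:
        reasons.append("contains banned term(s): " + ", ".join(hits))
    return reasons


# Constructed wordlist: common passwords plus org-specific terms (Contoso is a
# placeholder company name).
BANNED = load_banned_terms("""
# most common passwords
password
qwerty
letmein
welcome
summer
# organisation-specific
contoso
""".splitlines())


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2020!", "Qwerty!", "Contoso-Summer-2020", "correct-horse-battery-staple"]:
        print(repr(candidate), check_password(candidate, BANNED) or "ok")
```

Normalising both the list and the candidate is what makes the check worth having: without it, users defeat a plain equality check by capitalising one letter or swapping in a digit, which is exactly the kind of "new" password the CMU study found people choosing after a breach.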
Nearly half (49%) of data breaches reported in IBM and the Ponemon Institute’s 2019 Cost of a Data Breach Report were “inadvertent breaches” that resulted from good ol’ fashioned human errors and system glitches.
So, while this really should go without saying, it bears repeating: Educate your users. Teach them about the dangers of phishing attacks and how to identify them. Teach them to use strong passwords (or, better, passphrases) to secure their accounts. Demonstrate the advantages of a password manager, which lets users generate and store a unique, complex password for every account; all they have to remember is one master password. It doesn’t get much easier than that.
Implementing strong password policies without first addressing the fallibility of human nature and our desire for convenience will always result in weak password security. So, educate your users, and give them a reputable password manager so that the secure path is also the convenient one.
From the data we’ve shared, it’s clear that credential compromise attacks are a significant issue for organizations of every size. There are multiple ways that you can protect your users’ accounts against brute force attacks and other credential-related threats.
Cybercriminals aren’t going to stop trying to gain access to your accounts, and they’re going to use whatever means they have at their disposal. This means that to protect your business, you need to understand the tactics they use and layer your defenses to combat them.