June 19th 2020
Casey Crane is a tech lover and cybersecurity journalist for Hashed Out and Infosec Insights.
Verizon’s 2020 DBIR reports that more than 80% of hacking-related breaches involve brute force or the use of lost or stolen credentials. Here’s how to prevent weak or compromised credentials from being used in your company’s applications and network.
Cybercriminals are creatures of opportunity when it comes to committing cybercrimes: They look for the biggest score with the most minimal amount of effort. And when it comes to accessing users’ personal and business-related accounts, their approach isn’t much different. They look for ways to access your account with as little effort as possible by using compromised credentials.
How Hackers Get Access to Users’ Accounts
There are 9,760,722,439 (nearly 9.8 billion) known “pwned” accounts in existence. That means the number of compromised accounts surpasses the number of people living in the entire world today! So, for some people, several of their accounts’ passwords have been compromised.
Now, let’s imagine that some of those negligent users are your own employees. What would this mean for your business? Let’s connect the dots:
- Data breaches occur.
- People don’t change their passwords.
- Cybercriminals often use those breached credentials.
- If successful, they gain access to insecure accounts using those creds.
Needless to say, this spells trouble for your organization in the form of credential account compromise. But just what sorts of tactics do cybercriminals frequently use to gain access to accounts?
Brute Force Attacks
Credential Stuffing Attacks
Credential stuffing is defined as a type of brute force attack that involves “the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.” So, in a nutshell, a credential stuffing attack is a bit like firing a shotgun: The cybercriminal “fires” stolen or leaked username and password combinations at a login form to see if any of them are still valid.
Password Spraying Attacks
This method of attack is the virtual equivalent of lobbing a grenade made of duplicate keys into a room filled with different locks. “Spraying” a single password across many accounts lets the attacker test one key against many locks at once and see whether it opens any of them.
So, with successful attacks occurring at such a rapid rate, what can you do to protect your organization against weak or compromised password attacks?
7 Tips for How to Prevent Credential Attacks Within Your Organization
Let’s be perfectly frank: No matter what anyone tells you, there is no one-size-fits-all approach to stopping credential-based cyber attacks. (Or any types of cyber attacks, for that matter.) All you can do is implement a layered approach that makes you a tougher target. So with that in mind, here are 7 steps you can take to prevent compromised credentials from affecting your organization.
Tip 1: Monitor Your Traffic and Access Logs Using AI and Automation
Any organization that’s worth its security salt monitors and analyzes its traffic and access reports. Part of this monitoring involves reviewing successful and failed login attempts. Some organizations employ in-house resources and personnel using a SIEM approach, while others hire third-party services and solutions to do it for them. These records can show whether specific IP addresses, or groups of them, are repeatedly attempting to log in to users’ accounts. (This helps you to identify potential brute force attacks.)
Artificial intelligence and machine learning solutions make it possible to scour the logs and identify any suspicious activity and failed login attempts in record time. An advantage of using these solutions is that it frees up your human workers so that they can focus on the analysis of the potential threats or handle other important tasks.
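The kind of review described above can be automated even without an AI product. The following is an added example (not code from the original article) that parses a constructed set of access-log lines and flags source IPs by failure pattern: many failures spread across many distinct accounts (the credential stuffing and password spraying shape) versus many failures concentrated on one account (classic brute force). The log format, thresholds, and IP addresses are assumptions for the example; the addresses come from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample of web-app access-log lines (not real traffic):
# timestamp, source IP, username, and login outcome.
SAMPLE_LOG = """\
2020-06-19T10:00:01Z 203.0.113.7 alice FAIL
2020-06-19T10:00:02Z 203.0.113.7 bob FAIL
2020-06-19T10:00:03Z 203.0.113.7 carol FAIL
2020-06-19T10:00:04Z 203.0.113.7 dave FAIL
2020-06-19T10:00:05Z 203.0.113.7 erin FAIL
2020-06-19T10:00:06Z 203.0.113.7 frank OK
2020-06-19T10:01:00Z 198.51.100.9 alice FAIL
2020-06-19T10:01:01Z 198.51.100.9 alice FAIL
2020-06-19T10:01:02Z 198.51.100.9 alice FAIL
2020-06-19T10:01:03Z 198.51.100.9 alice FAIL
2020-06-19T10:01:04Z 198.51.100.9 alice FAIL
2020-06-19T10:01:05Z 198.51.100.9 alice FAIL
2020-06-19T10:02:00Z 192.0.2.44 alice OK
2020-06-19T10:02:30Z 192.0.2.44 alice FAIL
"""

# Assumed line layout: "<timestamp> <ip> <username> <OK|FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Turn raw log text into a list of login events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, outcome = m.groups()
            events.append({"ts": ts, "ip": ip, "user": user, "ok": outcome == "OK"})
    return events


def flag_sources(events, min_failures=5, min_distinct_users=3):
    """Return {ip: label} for source IPs whose failure pattern matches an attack shape.

    - many failures spread over many distinct accounts -> credential stuffing / spraying
    - many failures concentrated on one account        -> brute force on that account
    Thresholds are assumptions; tune them to your own traffic baseline.
    """
    failures = defaultdict(int)
    users_per_ip = defaultdict(set)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]] += 1
            users_per_ip[e["ip"]].add(e["user"])
    flagged = {}
    for ip, n in failures.items():
        if n < min_failures:
            continue
        if len(users_per_ip[ip]) >= min_distinct_users:
            flagged[ip] = "credential stuffing / password spraying"
        else:
            flagged[ip] = "brute force on " + ", ".join(sorted(users_per_ip[ip]))
    return flagged


def followed_by_success(events, ip):
    """True if a flagged IP eventually logged in successfully: the case to escalate first."""
    return any(e["ok"] for e in events if e["ip"] == ip)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for ip, label in flag_sources(ev).items():
        note = " -> successful login seen, escalate" if followed_by_success(ev, ip) else ""
        print(ip, label + note)
```

In the constructed sample, 203.0.113.7 fails against five different accounts and then succeeds on a sixth, which is exactly the stuffing outcome worth escalating; 198.51.100.9 hammers one account and trips the brute force label; the single failure from 192.0.2.44 stays below the threshold.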
Tip 2: Use Breached Credential Lists to your Advantage
Brute force attacks are the perfect solution for the lazy (or efficient, depending on how you look at it) hacker. Cybercriminals either purchase these lists of credentials (dictionaries) or download them for free, and then they use automation to run through the stolen or leaked credentials until they find a combination that works.
While having access to these types of public lists sucks for the cybersecurity-ignorant user who uses these types of passwords, there’s a bit of silver lining for organizations: You can use these lists to prevent brute force attacks from being successful. You can do this by preventing users from using insecure or compromised passwords in the first place.
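Here is an added example (not code from the original article) of the check described above: a password a user is about to set is compared against a breached-password list without the password itself ever leaving the client. It uses the range-lookup layout where the client sends only the first five hex characters of the SHA-1 hash and finishes the comparison locally. The breached corpus here is a small constructed stand-in built from a few well-known weak passwords, and the "server" is simulated by a local dictionary.

```python
import hashlib

# Constructed stand-in for a breached-password corpus (not a real leak dump).
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2020"]


def sha1_hex(password):
    """Uppercase hex SHA-1, the form breached-password range files are distributed in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Index hashes by their first five hex characters (the 'range' key)."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(h[5:])
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def lookup_range(prefix):
    """Simulated server side: returns every hash suffix sharing one 5-char prefix.

    The server learns only the prefix, never the full hash or the password.
    """
    return RANGE_INDEX.get(prefix, [])


def is_breached(password):
    """Client side: hash locally, send the prefix, compare suffixes locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return suffix in lookup_range(prefix)


def validate_new_password(password):
    """Policy hook for a registration or password-change form."""
    if is_breached(password):
        return "rejected: this password appears in a known breach list"
    return "accepted"


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        print(candidate, "->", validate_new_password(candidate))
```

Against a real list the range lookup would be an HTTP request carrying only the prefix; the local comparison step is what keeps the full password off the wire.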
Tip 3: Filter or Blacklist Suspicious IP Addresses
During a credential stuffing or other type of credential attack, your network logs would likely show a few specific IP addresses with repeated failed login attempts across multiple accounts. This is the signature of the less sophisticated credential-based attacks. The good news? You can choose to either filter or block these IP addresses altogether.
However, if your organization lacks the resources or personnel to painstakingly go through network logs, there are publicly reported blacklists of “bad” IP addresses that you can use. If you’re not sure where to start looking for them, here’s a list of a few free and commercial resources:
- AbuseIPDB — The abuse IP database is a great resource that you can use to either check the veracity of a questionable IP address or to access lists of them. While they do offer subscription plans, they also offer a free plan with access to their basic blacklist and some other useful goodies.
- Barracuda Central — The Barracuda Reputation Block List (BRBL) is a free DNSBL of known spam-sending IP addresses.
- Emerging Threats — This list of blocked IPs and top attacker IP addresses is a conglomeration of data compiled by SPAMHAUS and DShield.
- Scumware.org — This website is a great free tool that shows a list of the latest threats, including URLs, IP addresses, geographic location, and the type of threat each list item poses.
- SPAMHAUS — Their Exploits Block List (XBL) and SPAMHAUS Block List (SBL) are great resources, available via their Datafeed Service.
One important note: Some of these resources may have usage restrictions, so be sure to read the usage agreements before using any of them.
There are known IP address lists by region, too. So, another cool trick that you can use is to set up regional IP limitations. This is great if you’re an organization that only works with local or regional customers — for example, if you’re a U.S. company that only does business with individuals in the continental U.S., you could block IP addresses that fall outside those parameters. So, if you suddenly notice failed login attempts from IP addresses that are well outside your customers’ regions, you can block them.
Of course, cybercriminals can employ various methods to hide their IP addresses — such as through the use of VPNs and botnets — but IP filtering and blacklisting, at least, serves to protect you against the less sophisticated attackers.
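As an added example (not code from the original article), here is how a downloaded block list and a regional allow list can be applied together at a login endpoint. The lists are parsed from the plain-text CIDR format most public block lists use (one entry per line, `#` comments), and the decision is fail-closed: a listed-bad address is blocked even if it sits inside the allowed region, anything outside the region is blocked, and an unparseable address is blocked. The list contents are constructed from RFC 5737 documentation ranges, not real attacker or customer addresses.

```python
import ipaddress

# Constructed block-list text in the usual downloadable layout (comments, blanks, CIDRs).
DENYLIST_TEXT = """\
# constructed deny list for the example; documentation ranges only
203.0.113.0/24
198.51.100.23        # a single host; treated as /32

"""

# Constructed stand-in for a regional IP list ("our customers' region").
REGION_ALLOW_TEXT = """\
192.0.2.0/24
"""


def parse_networks(text):
    """Parse a block-list file into network objects, skipping comments and blanks."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue                              # ignore malformed list entries
    return nets


DENY_NETS = parse_networks(DENYLIST_TEXT)
ALLOW_NETS = parse_networks(REGION_ALLOW_TEXT)


def decide(ip_str, deny_nets=DENY_NETS, allow_nets=ALLOW_NETS):
    """Return 'block' or 'allow' for one client address.

    Order matters: deny list first, then the regional allow list (if any).
    An address that will not parse is blocked rather than waved through.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "block"
    if any(ip in net for net in deny_nets):
        return "block"
    if allow_nets and not any(ip in net for net in allow_nets):
        return "block"
    return "allow"


if __name__ == "__main__":
    for client in ["203.0.113.5", "198.51.100.23", "192.0.2.10", "192.0.2.10/evil"]:
        print(client, "->", decide(client))
```

Mixed-family comparisons are safe here: an IPv6 client address is simply "not in" an IPv4 network, so it falls through to the regional check rather than raising.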
Tip 4: Use PassProtect On Your Web Apps
So, if you were to integrate this into your own web apps, it could help you to mitigate the use of weak and compromised passwords by your users.
Tip 5: Implement Multi Factor Authentication and Other Security Measures
Multi-factor authentication is a great way to supplement password security and prevent the use of stolen credentials. Basically, in addition to the password, an attacker would also require access to additional elements (such as a physical security token or a biometric) to complete the authentication process. They couldn’t use breached credentials alone to access accounts.
“For the Web Applications attacks, the most common hacking variety was the use of stolen credentials. Sometimes these were obtained from a phishing attack, and sometimes they were just part of the debris field from other breaches. Employees reusing their credentials for multiple accounts (both professional and personal) increases risk for organizations when there are breaches and the stolen credentials are then used for credential stuffing. The key to reducing this risk is to ensure that the stolen credentials are worthless against your infrastructure by implementing multifactor authentication methods.”
- Disable inactive accounts — Automate the disabling of accounts that register as inactive for a set period. If someone isn’t using an account, then there’s no reason to keep it active. You can always reactivate an account as needed.
- Secure password data — Use “salting” and one-way “hashing” to make stored passwords more secure. Salting adds random data to each password before it is hashed, and hashing scrambles the result into an unintelligible form that can’t be reversed back into the password.
- Account lockout policies — Implementing an account lockout policy that initiates a lockout after a set number of failed login attempts helps to mitigate brute force attacks.
Tip 6: Set Policies and Rules Relating to Password Strength and Limitations
Password policies are useful for ensuring that any passwords that are created are as secure as possible. Some such policies include:
- Password complexity policies — A simple password is often an insecure password. Thankfully, you can set password complexity parameters such as requiring users to include at least one number, uppercase letter, special character, etc. You also can specify here any special letters, numbers, or characters that they can’t use. NIST provides guidance on password security in its special publication NIST SP 800-63B. Microsoft also provides some password guidance information that you might find useful.
- Maximum password age policies — Also known as a password expiration policy, this particular policy ensures that users regularly change their passwords. Basically, it requires users to change their passwords after a set period of time. Conversely, there are also minimum password age policies that you can implement as well.
- Password history policies — A common practice that many computer users employ is rotating through a small set of passwords that they can remember. By putting a password history policy in place, you’re mandating how many unique passwords each user has to cycle through before they can circle back to a previous password.
Now, the key here is to enforce any password policies that you put in place. The longer any of your web app users keeps the same password, the more at risk they — and you — are to different brute force attacks.
You can also use password complexity checkers, meters, and password generators as well to help users generate better passwords.
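The following is an added example (not code from the original article) that ties together the account controls from Tip 5 and the policies from Tip 6 in one small account model: per-user random salt with a one-way hash (scrypt from the Python standard library), constant-time verification, lockout after a set number of failed attempts, and a change-password path that enforces length, complexity, a weak-password denylist and a password-history rule. The thresholds, the denylist contents and the scrypt parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Constructed denylist of known-weak passwords (stand-in for a breach list).
DENYLISTED = {"password", "123456", "qwerty", "letmein"}

MIN_LENGTH = 12          # assumed minimum; length does most of the work
HISTORY_DEPTH = 5        # assumed number of previous passwords a user may not reuse
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold


def hash_password(password, salt=None):
    """Salt + one-way hash. Returns (salt, digest); a fresh salt is drawn if none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def check_policy(password, history):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (any(c.isdigit() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs at least one digit and one uppercase letter")
    if password.lower() in DENYLISTED:
        problems.append("on the weak-password denylist")
    # History check: re-hash the candidate with each old salt and compare in constant time.
    for salt, old_digest in history:
        if hmac.compare_digest(hash_password(password, salt)[1], old_digest):
            problems.append("reused a previous password")
            break
    return problems


class Account:
    def __init__(self, username, password):
        self.username = username
        self.history = []          # list of (salt, digest); newest last
        self.failed = 0
        self.locked = False
        problems = check_policy(password, self.history)
        if problems:
            raise ValueError("; ".join(problems))
        self.history.append(hash_password(password))

    @property
    def current(self):
        return self.history[-1]

    def login(self, password):
        """Constant-time verification plus lockout after repeated failures."""
        if self.locked:
            return "locked"
        salt, digest = self.current
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.locked = True
            return "locked"
        return "fail"

    def change_password(self, new_password):
        """Apply the policy (including the last HISTORY_DEPTH passwords) before storing."""
        problems = check_policy(new_password, self.history[-HISTORY_DEPTH:])
        if problems:
            return problems
        self.history.append(hash_password(new_password))
        return []


if __name__ == "__main__":
    acct = Account("alice", "Correct-Horse-2020")
    print(acct.login("wrong"), acct.login("Correct-Horse-2020"))
    print(acct.change_password("Correct-Horse-2020"))   # history rule rejects reuse
```

Storing the salt beside each digest is what makes the history rule possible: an old password can be recognised only by re-hashing the candidate under the old salt, never by keeping the old password itself.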
Tip 7: Educate Users About Password Security and Make the Process Easier
Implementing strong password security policies without first addressing the fallibility of human nature and our desire for convenience will always result in weak password security. So, educate your users while also allowing them to use a reputable password security manager.
From the data we’ve shared, it’s clear that credential compromise attacks are a significant issue for organizations regardless of size. There are multiple ways that you can protect your users’ accounts against brute force attacks and other credential-related threats.
Cybercriminals aren’t going to stop trying to gain access to your accounts, and they’re going to use whatever means they have at their disposal. This means that to protect your business, you need to understand the tactics they use and layer your defenses to combat them.