[BreachExchange] 5 Tips for Fighting Credential Stuffing Attacks

Destry Winant destry at riskbasedsecurity.com
Wed May 27 10:30:56 EDT 2020


https://www.darkreading.com/edge/theedge/5-tips-for-fighting-credential-stuffing-attacks/b/d-id/1337896

Sumit Agarwal takes credit for coining the term "credential stuffing."
He served as deputy assistant secretary of defense under President
Obama and, in 2011, while working at the Pentagon, he began to notice
a pattern of brute-force attacks on public-facing military websites, in
which threat actors were using credentials (usernames and passwords)
stolen from one site to gain access to other sites.

Today, Agarwal is co-founder and CTO of Shape Security, and credential
stuffing has gone mainstream, making life miserable for security
managers in many types of organizations.

"Credential stuffing attacks are a massive problem today, especially
with the extreme shift to online-only services due to COVID-19," says
Agarwal. "Something becomes spontaneously popular - we saw this with
Disney+ as soon as it came out - and is overwhelmed with targeted
credential stuffing attacks. Any time a service gets any substantial
amount of traffic, they see surges in credential stuffing. We’re going
to see these attacks increase for online grocers, delivery services,
and telehealth providers."

Simply put, credential stuffing takes place when cybercriminals obtain
stolen credentials through some means - usually on the dark web - and
then use botnets or other automation tools to replay those stolen
usernames and passwords against other sites, gaining fraudulent access
to many other user accounts.

"Credential stuffing is a type of cyberattack where the hacker
attempts to sign into a user’s account using usernames and passwords
that have been leaked during a data breach," says Charlotte Townsley,
director of security engineering at Auth0. "During the attack, a
hacker can steal a user's credentials and sell them on the dark web
for other hackers to purchase. Other hackers can gain access to
billions of leaked credentials and use bots to try different
combinations of passwords, quickly, into hundreds of accounts from
social platforms to banking apps."

"Credential stuffing is really a subset of brute force attacks," adds
Adam Darrah, director of intelligence with Vigilante. "The major
difference is the fact that threat actors are working with previously
cracked or dehashed passwords, and passwords that were compromised by
other attack vectors, like keyloggers and other malware, so they
already have an attack-ready set of credentials at their disposal.
Threat actors utilize a litany of brute force checkers, varying in
sophistication, to run targeted account takeover campaigns against
corporate infrastructure and websites alike."

Once in, of course, the attacker could leak sensitive corporate assets,
pivot to other private accounts, or trick unsuspecting colleagues into
sharing information. The potential for damage is limitless.

Attacks are growing and easy to execute

From Agarwal's early days of identifying credential stuffing attacks
on government sites, the problem is now pervasive. The most recent
Verizon Data Breach Investigations Report (DBIR) from 2019 finds
credential stuffing was used in 29% of all data breaches. And
currently HaveIBeenPwned.com (HIBP), a free site that offers data
breach notification, has information on nearly 9 billion compromised
credentials from hundreds of data breaches.


It's unsurprising that criminals are drawn to it for quick success:
today it is fairly easy to obtain stolen credentials cheaply.

"The skills required to purchase credentials to a victim’s bank
account or online retail account could be learned in an afternoon of
Google searches," says Darrah. "There are seemingly endless deep and
dark web marketplaces offering account credentials for as little as
$2, depending on the service or website. In some cases, they even
offer refunds if the credentials don’t work as advertised."

But there are some tools and techniques security managers can put in
place to mitigate credential stuffing attacks. Security researchers we
spoke with recommend the following.

1. Boost user awareness on password management
With many users still re-using passwords across accounts, one place to
start is education, says Townsley: "Improving user password habits is
a great start in defending against credential stuffing attacks.
Educating employees on best practices and reminding them to change
their passwords on a more regular basis can make it harder for hackers
to pull off a successful attack."

2. Implement multi-factor authentication
Two-factor/multifactor authentication should be enabled on every
account where it is allowed and available. This adds another layer
that a stolen password alone cannot satisfy, making it more difficult
for a threat actor to penetrate the account.

3. Use anomaly detection tools
"These could be either free or enterprise-grade online threat
intelligence tools that can help identify risk signals -- such as a
breached password or a higher than usual number of failed
authentication attempts," says Townsley. "These can also be used to
determine a sudden or unusual increase in the amount of IP addresses
visiting a website – this can be a tip off that there is malicious
activity happening."
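The two risk signals Townsley describes, a spike in failed authentication attempts and an unusual jump in the number of distinct client IPs, can be computed from ordinary login logs. The following script is an added example, not code from the article or from Auth0: it buckets constructed log lines into one-minute windows, raises an alert on each signal, and adds one signal that goes beyond the text (a single address cycling through many usernames, which is what a distributed checker looks like per source). The log format, thresholds and the baseline rule are assumptions made for the example.

```python
"""Detect credential-stuffing risk signals in authentication log lines.

Added example for the 'anomaly detection' tip; it is not code from the
article or from Auth0. Log format, thresholds and the baseline rule are
assumptions chosen for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log line format (constructed for this example):
#   2020-05-27T10:30:01Z login user=<name> ip=<addr> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "ip": m["ip"],
        "fail": m["result"] == "fail",
    }


def minute_stats(events):
    """Bucket events into one-minute windows with the counters we need."""
    buckets = defaultdict(
        lambda: {"attempts": 0, "fails": 0, "ips": set(), "users_by_ip": defaultdict(set)}
    )
    for ev in events:
        b = buckets[ev["ts"].replace(second=0, microsecond=0)]
        b["attempts"] += 1
        b["fails"] += int(ev["fail"])
        b["ips"].add(ev["ip"])
        b["users_by_ip"][ev["ip"]].add(ev["user"])
    return dict(sorted(buckets.items()))


def detect(lines, min_attempts=10, max_fail_rate=0.5, ip_surge_factor=3.0, users_per_ip=3):
    """Return a list of {"minute", "reason"} alerts.

    The distinct-IP baseline is the mean over all earlier minutes (assumption);
    a production detector would use a longer, smoothed history.
    """
    events = [e for e in map(parse_line, lines) if e]
    alerts = []
    history = []  # distinct-IP counts of earlier minutes
    for minute, s in minute_stats(events).items():
        n_ips = len(s["ips"])
        # Signal 1: many attempts and most of them failing.
        if s["attempts"] >= min_attempts and s["fails"] / s["attempts"] >= max_fail_rate:
            alerts.append({"minute": minute,
                           "reason": f"failed-auth spike: {s['fails']}/{s['attempts']} failed"})
        # Signal 2: far more distinct client addresses than the recent baseline.
        if history:
            baseline = sum(history) / len(history)
            if n_ips > ip_surge_factor * baseline:
                alerts.append({"minute": minute,
                               "reason": f"ip surge: {n_ips} distinct IPs vs baseline {baseline:.1f}"})
        # Signal 3 (beyond the text): one address trying many different usernames.
        spraying = [ip for ip, users in s["users_by_ip"].items() if len(users) >= users_per_ip]
        if spraying:
            alerts.append({"minute": minute,
                           "reason": f"{len(spraying)} IPs each tried >= {users_per_ip} usernames"})
        history.append(n_ips)
    return alerts


def sample_log():
    """Constructed log: two quiet minutes, then one minute of stuffing traffic."""
    lines = [
        "2020-05-27T10:30:05Z login user=alice ip=203.0.113.5 result=ok",
        "2020-05-27T10:30:20Z login user=bob ip=203.0.113.6 result=fail",
        "2020-05-27T10:30:25Z login user=bob ip=203.0.113.6 result=ok",
        "2020-05-27T10:30:50Z login user=carol ip=203.0.113.7 result=ok",
        "2020-05-27T10:31:02Z login user=dave ip=203.0.113.8 result=ok",
        "2020-05-27T10:31:15Z login user=alice ip=203.0.113.5 result=ok",
        "2020-05-27T10:31:40Z login user=erin ip=203.0.113.9 result=fail",
        "2020-05-27T10:31:45Z login user=erin ip=203.0.113.9 result=ok",
    ]
    # 30 attempts in one minute from 10 addresses, 3 usernames per address,
    # almost all failing: the shape of a distributed stuffing run.
    for i in range(30):
        result = "ok" if i % 10 == 9 else "fail"
        lines.append(f"2020-05-27T10:32:{i:02d}Z login user=user{i} ip=198.51.100.{i % 10} result={result}")
    return lines


if __name__ == "__main__":
    for a in detect(sample_log()):
        print(a["minute"].strftime("%H:%M"), a["reason"])
```

On the constructed log the two quiet minutes produce no alerts; the third minute trips all three rules. The per-minute bucketing is deliberately simple so the rules stay readable; the thresholds are the knobs an operator would tune against real baseline traffic.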

4. Deploy password managers
Password managers help users create a unique, strong password for every
account, which cuts down on the common password-reuse problem, and
several enterprise-grade options are available free of charge. A variety
of password managers suit enterprises and small businesses alike.
According to recent market research from Ovum (now part of Omdia), the
leaders are 1Password Business, Dashlane Business, Keeper for Business,
LastPass Enterprise, ManageEngine Password Manager Pro, Pleasant
Password Server, and RoboForm for Business. Ovum also gave kudos to
Bluink, Passwork, Bitwarden, TeamPassword and Passbolt for unique
features.

5. Embed security into website design
"Security professionals and web developers can make a threat actor's
job a little tougher by ensuring that websites use any available
bruting countermeasures, including CAPTCHAs and MFA," says Darrah.
"Simple changes to website functionality can also be implemented - the
prompt given after a login attempt, for example."
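Darrah's last point, the prompt a site returns after a login attempt, is where an automated checker learns the most: a response that distinguishes "no such user" from "wrong password" lets it validate usernames for free. The following login handler is an added example, not code from the article or from Vigilante, Shape Security or Auth0. It shows three design choices in one place: one generic failure response whatever the cause, a per-account failure counter that escalates to a step-up challenge (a CAPTCHA or MFA prompt, represented here by a flag) instead of merely rejecting, and password verification that costs the same for unknown and known usernames. The in-memory storage, the PBKDF2 parameters, the threshold and the challenge mechanism are assumptions.

```python
"""Login handler that gives an automated checker nothing to learn from.

Added example for the 'embed security into website design' tip; not code
from the article or any vendor named in it. Storage, PBKDF2 parameters,
threshold and the challenge mechanism are assumptions for the example.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumption: tune to the server's hardware
STEP_UP_AFTER = 3      # failures on one account before a challenge is demanded


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class LoginService:
    def __init__(self):
        self.users = {}      # username -> (salt, digest)
        self.failures = {}   # username -> consecutive failed attempts
        # A throwaway credential so an unknown username costs the same
        # hashing work as a real one; the response is identical either way.
        self._dummy = hash_password(os.urandom(16).hex())

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, challenge_passed=False):
        """Return "ok", "invalid_credentials" or "challenge_required".

        The counter is keyed by the submitted username whether or not the
        account exists, so the step-up behaviour leaks nothing about which
        usernames are real.
        """
        if self.failures.get(username, 0) >= STEP_UP_AFTER and not challenge_passed:
            return "challenge_required"   # CAPTCHA/MFA step-up (assumed mechanism)
        salt, digest = self.users.get(username, self._dummy)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        # Constant-time comparison; the membership test only matters for the
        # dummy credential, which no real password can match.
        valid = hmac.compare_digest(candidate, digest) and username in self.users
        if valid:
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        # Never "no such user" or "wrong password": one message for both.
        return "invalid_credentials"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")
    print(svc.login("alice", "wrong"))        # invalid_credentials
    print(svc.login("nobody", "wrong"))       # invalid_credentials (same text)
    for _ in range(2):
        svc.login("alice", "wrong")
    print(svc.login("alice", "correct horse battery staple"))   # challenge_required
```

The step-up after a few failures, rather than a hard lockout, is deliberate: a lockout turns a stuffing run into a denial of service against legitimate users, while a CAPTCHA or MFA prompt stops the automation and still lets the real owner in.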
