Credential stuffing is nothing new, but defining related risks and impacts helps foster pertinent questions for security teams: What could we be doing better from a process perspective? How could we look at this from a different standpoint, rather than the individual capabilities or parts of the attack surface that more closely face the issues related to credential stuffing attacks? We’ll cover the state of credential stuffing as well as best practices to better prepare for what might be on the horizon.
Credential Stuffing Defined
“Credential stuffing is the automated injection of breached username and password pairs in order to fraudulently gain access to user accounts. Large numbers of spilled credentials are automatically entered into websites, [systems, or applications] until they are potentially matched to an existing account. [Once matched,] the attacker can hijack the accounts for their own purposes.” (Source: OWASP)
Essentially, credential stuffing preys on the reality that even though we all know we shouldn’t reuse passwords elsewhere, people still do so. From an attack perspective, the anatomy and the architecture of stuffing can be seen in the simple diagram below:
The automated testing of these credentials against other systems, where someone might have reused credential pairing, is usually done by a botnet. When coordinated through a botnet, it makes it more challenging to identify the stuffing attack is taking place and attempt to stop it at the network level (or through network telemetry and other similar tactics). Simply thinking, “I want to block all the login attempts from this particular IP address or this particular region” doesn’t cut it these days. Attackers are more intelligent than that as a requirement to be successful and uphold a sound reputation amongst peers.
It is also important to note that even though this attack might be easy to understand, this simplistic look must also consider the rise of dark web marketplaces and forums with “as-a-service” offerings and tools in order to plan more integrated attacks with far-reaching impacts. With the added layer of the dark web marketplace, malware-as-a-service (MaaS) is available, as well as purchasing breached or spilled credentials. In some cases, other threat actors can even purchase time or access to botnets in order to direct testing credentials against various other services and sites. In many ways, these types of attacks have become so easy and inexpensive for threat actors to pull off in today’s landscape that it requires very little know-how or level of skill.
State of Credential Stuffing
The notion that threat actors would take breached credentials and then try them elsewhere, hoping that targets made a mistake or reused their password, has been an activity we’ve seen from cybercriminals for decades. Even though this technique has been around for a long time, the cybersecurity community didn’t always call it “credential stuffing.” In fact, credential stuffing was first introduced as a coined concept by Sumit Agarwal, who served as Deputy Assistant Secretary of Defense under President Obama and observed a pattern of brute-force attacks. He noticed threat actors were using credentials, like usernames and passwords, stolen from one site and to gain access to other sites. Regardless of origins, this growing problem is undoubtedly worth a security team’s time and attention.
Since 2017, the FBI has received numerous reports on credential stuffing attacks against US financial institutions, collectively detailing nearly 50,000 account compromises. The victims included banks, financial services providers, insurance companies, and investment firms.FBI, 2020 Credential Stuffing Attacks Against US Financial Sector Notice
Current reports and studies indeed illustrate that brute force and credential stuffing attacks top the charts. The Verizon 2021 Data Breach Investigations Report, the FBI Cyber 2020 Credential Stuffing Attacks Against US Financial Sector notice, and the SEC OCIE 2020 Cybersecurity: Safeguarding Client Accounts Against Credential Compromise are all well-aligned in helping to paint a bigger picture.
Verizon’s report alone details, “Brute force and credential stuffing attacks are extremely prevalent according to SIEM data analyzed in our dataset. We found that 23% of the organizations monitored had security events related to those types of attacks, with 95% of them getting between 637 and 3.3 billion(!) attempts against them.”
Common Traps and Misconceptions
First and foremost: Credential stuffing does not require a data breach. We see far too often that these two are used interchangeably and incorrectly. Just because someone has been targeted with credential stuffing attempts or is the victim of a successful credential stuffing attempt doesn’t mean that there was a data breach at that organization. In fact, the data breach probably happened or originated from a different organization. Other traps include casting too narrow a net, mounting too shallow a defense, or relying on uncoordinated data, systems, teams and analysis.
Typical recommendations offered to address credential stuffing attacks include:
- Multi-Factor Authentication;
- Alternative defenses such as secondary passwords, PINS and security questions. The use of CAPTCHA, IP block-listing, device fingerprinting and requirement of unpredictable usernames are also common alternative defenses; and,
- More in-depth defenses such as multi-step login processes, identifying leaked passwords and notifying users about unusual security events.
While these common recommendations can be helpful, the devil is in the details and there are caveats to every single one of these suggestions. At face value, these steps may sound easier to execute than they are. Additionally, they may not even be a realistic option for certain organizations. The basic recommendations simply do not present the nuances and diversity that exist within organizations today.
This makes it extremely difficult for security practitioners to simply put these on the road map and check a box as if everything is complete. For example, multi-factor authentication might be questioned for use in all systems and could be weakened by employing it with just a select few. Furthermore, multifactor authentication isn’t necessarily always an option to deploy depending upon the organization. Different demographics, situations and systems don’t always allow these solutions to fit into a nice box labeled “one size fits most.” For example, if an organization were to employ SMS, this alone is still fairly phishable. At this level, we are really performing “security theater” rather than making an environment more secure.
These recommendations are perfect for sharing with someone who might be newer in the space, but this alone won’t be enough to instill complete protection. When you look at credential stuffing as a simple concept, you begin to understand just how much this aspect touches nearly every single part of a security program.
Solid Path Forward for Security Teams
The basic recommendations to address credential stuffing risk can be closely related to chopping down a tree. Unfortunately, there are strong roots here that must be considered, so you must go beyond the basics. If “the roots” are not addressed, it’s unlikely that a security team will make sufficient headway or benefit from efforts underway to truly optimize the time and attention spent on them. The challenge at hand demands a more holistic perspective and solution.
Security teams can begin by taking a closer look at their programs under a fresh lens. A recent Microsoft security functions and roles article helps to illustrate the level of attention required. If we are to dissect the following roles and responsibilities chart, we can certainly see where credential stuffing might come into play.
This helps to encapsulate this concept that credential stuffing touches nearly every single aspect of your security program. You could focus on any box in the diagram and talk through its contribution to addressing this particular risk. Whether that might be a focus on the threat intelligence portion or incident management planning, when you approach this through the lens of credential stuffing, you can see very quickly where the silos exist and where there may be a lack of information sharing as well as gaps.
Layout the process of your different capabilities and roles within your program and where you should make sure there’s continuity between each part of your business unit or your security program, as well as handoff between different roles throughout the lifecycle and process. Take a look at areas to evaluate your program in terms of where you stand today from this perspective and make sure that this thread is drawn through each aspect of your program.
This is the level of detail that is crucial to truly solve the challenges at hand. For security practitioners looking to improve programs moving forward, this strategy and fresh approach might be the perfect starting point. Sit down with your colleagues, strategize, ask tough questions and offer honest answers. This is when you will begin to develop tangible and practical next steps for your road map. Through the lens of credential stuffing, there is not one area where there’s not something to evaluate, improve or involve in your credential stuffing playbook.
At the end of the day, cybersecurity shouldn’t be a fire drill. If your team is still unsure where to start or feels a little overwhelmed, reach out to other experts in the industry for best practices and support. With ZeroFox, you can complete your security stack with proactive protection, intelligence and disruption to identify and thwart external threats to your enterprise, executives and data across the public attack surface. Request a demo of the ZeroFox platform today to discover how we can help.